This week I was updating some documentation in a Jupyter Notebook that had placeholders for credentials in it. This got me to thinking, I wonder if it is possible to get secrets from 1Password with PowerShell. 1Password as that is my password manager of choice.
A couple of quick searches later and I found the 1Password CLI that allows command-line access to a 1Password Vault. I also found a module that interfaces directly to a local 1Password instance and another that is an extension for the new PowerShell Secret Management module.
However, neither of these provided the functionality I was looking for. I wanted to be able to:
My 1Pwd PowerShell Module is a wrapper for the 1Password CLI that allows full use of 1Password with PowerShell.
Here is an example of a Login Item for an online retailer
And an example of the module being used in a Jupyter Notebook.
To use this module you will need:
Install from the PowerShell Gallery on Windows PowerShell 5.1+ or PowerShell Core 6.x or PowerShell.
Install-Module -name 1Pwd
Test the 1Password CLI is accessible by running the following command that will return the 1Password CLI version. If you haven’t setup credentials yet you will also receive a message to that effect.
Invoke-1PasswordExpression "--version"
Configuration involves creating a profile with the authentication information for a 1Password online Vault. You will need the Sign-In address, Email address, Secret Key and Master Password associated with your Vault. The Master Password is the password you type in to open your vault. You can get the rest of the required information from a local installation as shown below.
Or if you aren’t using the local Windows client you can get the information from your online vault after signing in.
To create a secure profile for use with the 1Pwd Module execute the following PowerShell commands with the user account on the computer that you will be using to retrieve/set 1Password Vault items. This will create the secure configuration under your Windows Profile for the logged in user on computer it was executed on. It can only be opened and the Secret Key and Master Password read using the same account on the same computer.
Update the following with your Sign-In Address and Sign-In Account (Email Address) retrieved above. You will be prompted to securely input your Secret Key and Master Password.
$1PSignInAddress = "https://my.1password.com"
$1PSignInAccount = "your@emailaddress.com"
$1PSecretKey = Read-Host "Enter your 1Password SecretKey" -AsSecureString
$1PMasterPassword = Read-Host "Enter your 1Password Master Password" -AsSecureString
Using the information input above the Test-1PasswordCredentials cmdlet is used to validate them and return your account details.
$account = Test-1PasswordCredentials -SignInAddress $1PSignInAddress -SignInAccount $1PSignInAccount -SecretKey $1PSecretKey -MasterPassword $1PMasterPassword
Having successfully provided and validated your credentials the Set-1PasswordConfiguration cmdlet will securely store the configuration in the logged in users local Windows Profile. When saving a configuration, you can use the -default switch to specify that it is the default configuration. It will automatically be retrieved and a session created when the module loads.
Set-1PasswordConfiguration -Vault $account.domain -SignInAddress $1PSignInAddress -SignInAccount $1PSignInAccount -SecretKey $1PSecretKey -MasterPassword $1PMasterPassword -Default
The primary command/cmdlet that you will use after configuration is Invoke-1PasswordExpression.
Invoke-1PasswordExpression "list vaults"
Invoke-1PasswordExpression "get item Twitter"
Invoke-1PasswordExpression "get item 'Twitter - darrenjrobinson'"
((Invoke-1PasswordExpression "get item 'Twitter - darrenjrobinson'").details.fields | where-object {$_.designation -eq 'password'} | select-object -property value).value
# Get Vault Entry $1PwdItem = Invoke-1PasswordExpression "get item '1PWD Module Update Test'" # Update the Item with new password 'mynewpassword' Invoke-1PasswordExpression "edit item $($1PwdItem.uuid) password=mynewpassword"
# Get Vault Entry $1PwdItem = Invoke-1PasswordExpression "get item '1PWD Module Update Test'" # Update by getting 1Password to generate a 32-character password made up of letters, numbers, and symbols Invoke-1PasswordExpression "edit item $($1PwdItem.uuid) --generate-password" # Get Updated Item $updatedItem = Invoke-1PasswordExpression "get item $($1PwdItem.uuid)" # Get New Password $updatedItem.details.fields | where-object {$_.designation -eq 'password'} | select-object # Get Old Passwords $updatedItem.details.passwordHistory
Primarily I’ve written this to retrieve secrets from 1Password. The 1Password CLI is fully featured so allows everything you could do via a GUI client. Look at the documentation here for Creating, Deleting and Editing items, users, groups and documents in your 1Password vault.
The Switch-1PasswordConfiguration cmdlet allows you to switch vaults/configuration. This is useful if you have multiple accounts. Each configuration needs to be saved using Set-1PasswordConfiguration. When saving a configuration, you can use the -default switch with Set-1PasswordConfiguration to specify which is the default configuration that will be loaded when the module loads.
To change to the configuration for PersonalVault2 you would use the command.
Switch-1PasswordConfiguration -vault PersonalVault2
To switch to the PersonalVault2 configuration and make it the default use the -default switch.
Switch-1PasswordConfiguration -vault PersonalVault2 -Default
Developing this module ended up taking a little longer than I originally anticipated, but I hope others may get some benefit from this.
The configuration profile component will only function on Windows. Potentially in the future someone could submit a Pull Request with changes to support other platforms.
A few weeks back the Microsoft AI Tour was in Sydney Australia. There was a…
If you're anything like me you always have PowerShell open, and often both PowerShell and…
Decentralised Identity is a technology I'm passionate about and have written many posts and tools…
Over two years ago I authored a PowerShell Module that enabled the automation of 1Password.…
Buried in my PowerShell Snippets Vol 4 post from 2021 is the PowerShell script and…
Short post on how to recovery from "The Windows Subsystem for Linux instance has terminated"…
This website uses cookies.
View Comments