Introducing automated secrets management with 1Password Service Accounts! π
1Password Service Accounts help automate secrets management in your applications and infrastructure without the need to deploy additional
services. Seamlessly integrate secrets management into CI/CD pipelines like GitHub Actions, CircleCI, and Jenkins.
Service accounts are ideal for shared environments because they provide an authentication method for 1Password CLI that isn't associated with
an individual. You control which vaults are accessible and which actions the service account can perform.
Weβd like to give a huge shout-out to all awesome beta
testers. Throughout the past months, you've helped us tremendously by letting us
in on your daily workflows, filing bug reports, suggesting improvements and helping us shape
1Password Service Accounts into the product that we're releasing today.
You are all amazing! π
Check out all the features of 1Password Service accounts and learn more about automating secrets management in the 1Password developer
documentation!
New
Users can now authenticate with the CLI using 1Password Service Accounts.
Fixed
Users can now create items of custom categories by providing a template. {3483}
Executing `op plugin run` with a plugin that has not yet been configured no longer exits after the configuration steps. {3537}
2.18.0-beta.01
(build #2180001)
β released 2023-04-26
This release introduces several new shell plugins and additions to existing plugins. Moreover, some improvements and
fixes are brought to the CLI.
New
Authenticate the Akamai CLI using Touch ID and other unlock options with 1Password Shell Plugins. Thanks to @wongle for their contribution! {shell-plugins#234}
Authenticate the Laravel Vapor CLI using Touch ID and other unlock options with 1Password Shell Plugins. Thanks to @andresayej for their contribution! {shell-plugins#245}
Authenticate the Laravel Forge CLI using Touch ID and other unlock options with 1Password Shell Plugins. Thanks to @andresayej for their contribution! {shell-plugins#244}
Authenticate the Pulumi CLI using Touch ID and other unlock options with 1Password Shell Plugins. Thanks to @ringods for their contribution! {shell-plugins#199}
Authenticate the Zendesk CLI using Touch ID and other unlock options with 1Password Shell Plugins. {shell-plugins#207}
Authenticate the AWS CDK CLI using Touch ID and other unlock options with 1Password Shell Plugins. {shell-plugins#232}
Assuming AWS roles and profiles is now supported with the AWS shell plugin. {shell-plugins#180}
Improvements
A deleted/restricted user that last updated an item will be displayed by name when running `op item get`. {3394}
An error is thrown if a document is created/updated from the CLI through standard input but no content is provided. {2624}
A description was added about configuring the CLI to use Connect / Service Account if no account is configured, in the help text of `op signin`. {3396}
Users attempting to create new DOCUMENT items with Connect will now receive a friendlier error message. {3127}
Fixed
The `--config` and `--session` flags are now fully supported for `op plugin` and `op whoami` commands respectively. {3423}
Typos in the help-text of `document create` and `document edit` concerning the misspelling of the `--file-name` flag have been corrected. {3432}
2.17.0-beta.01
(build #2170001)
β released 2023-04-12
This release adds the ability to generate SSH keys with the CLI, as well as brings the beta build up to date with the stable channel and improves the help-text.
New
Generating SSH Keys with the CLI is now possible using the `op ssh generate` command. {2342}
Improvements
When no accounts are configured, the CLI also prints information about using it with Connect and Service Accounts. {3396}
This release fixes two shell plugins and brings improvements to newly-added functionality.
Improvements
The help text for op events-api now specifies that Events Reporting is only available for business accounts. {3453}
When initializing the SourceGraph shell plugin an appropriate management url will be displayed. {shell-plugins#228}
Fixed
Treasure Data shell plugin no longer returns an error during the init step, as its executable now correctly references its API Key credential. {shell-plugins#225}
When initializing the Gitea plugin, it now also checks the default configuration directory on MacOS to find a credential to import. Thanks to @mcornick for their contribution! {shell-plugins#219}
This release introduces a new Events API feature, as well as two new shell plugins. Additionally, it contains fixes and improvements to 1Password CLI and shell plugins.
New
The default features list when creating new Events API tokens will now include Audit Events, in addition to Sign-In Attempts and Item Usages. {3146}
Authenticate Gitea CLI using Touch ID and other unlock options with 1Password Shell Plugins. Thanks to @14zombies for their contribution! {shell-plugins#205}
Authenticate Treasure Data CLI using Touch ID and other unlock options with 1Password Shell Plugins. Thanks to @Lewuathe for their contribution! {shell-plugins#176}
Improvements
`ngrok` is now aware of the `--config` flag and of any existing config files in the default location on the user's filesystem. {shell-plugins#194}
The HomeBrew shell plugin now skips authentication for the `bump` sub-command as well. Thanks to @MTCoster for their contribution! {shell-plugins#179}
The `--output` flag of `op document get` is now doubled by `--out-file`, for consistency with other commands. {2960}
To help with determining the 1Password item to use for a shell plugin, additional item metadata is now shown in the selection prompt. {3180}
Shell plugins credential fields can now be identified by more than one name. {3386}
`document get` now outputs the absolute file path on a successful file write and prompts to overwrite if the file already exists. {3383}
Fixed
Connect tokens with no vault access permissions can no longer be created using the 1Password CLI. {3167}
Item count is now present in the JSON output of empty vaults' details. {2995}
`UpdatedAt` and `ItemCount` attributes are now consistently up to date in the cached vaults. {3373}
Item version is now up to date in the output of `op item create` and `op item edit`. {3387}
Connect tokens can now be created when passing the `--vault` flag with the `op connect token create`. {3290}
Items are now successfully returned by `op item get` even if they were last edited by a deleted or restricted user. {3394}
The CLI will no longer silently succeed if the piped input is not handled properly. {3378}
Item lookup by name will no longer fail when resource name is alphanumeric of length 26. {2614}
2.16.0-beta.01
(build #2160001)
β released 2023-03-22
This release brings the beta build up to date with the changes on the stable release channel, as well as adds better support for handling autofill URLs.
New
`op item create` and `op item edit` can now be used to perform CRUD operations on items' autofill URLs using the `--autofill-urls` flag. {3334}
Fixed
Items can now be consistently looked up by name. {2614}
This release introduces five new shell plugins as well as improved error messages around shell plugin local builds and CLI command help text.
Shout-out to @arunsathiya from the community for their plugin contributions to this release! π
New
Authenticate ngrok using Touch ID and other unlock options with 1Password Shell Plugins. Thanks to @arunsathiya for their contribution! {shell-plugins#165}
Authenticate Vultr CLI using Touch ID and other unlock options with 1Password Shell Plugins. Thanks to @arunsathiya for their contribution! {shell-plugins#159}
Authenticate Snowflake CLI using Touch ID and other unlock options with 1Password Shell Plugins. {shell-plugins#161}
Authenticate Fastly CLI using Touch ID and other unlock options with 1Password Shell Plugins. Thanks to @arunsathiya for their contribution! {shell-plugins#169}
Authenticate Sourcegraph CLI using Touch ID and other unlock options with 1Password Shell Plugins. Thanks to @arunsathiya for their contribution! {shell-plugins#146}
Improvements
The AWS Shell Plugin now checks if the AWS_SHARED_CREDENTIALS_FILE environment variable is set and attempts to import credentials using the specified file. Thanks to @Volatus for their contribution! {shell-plugins#178}
Error messages for shell plugin local builds now include link to troubleshooting documentation. {3286}
Help text formatting is now more consistent across commands. {3343}
op item help text now shows correct command for getting item category templates. {3358}
This release introduces four new shell plugins, as well as two importers. It also contains some improvements and fixes brought to the CLI commands and to the shell plugins' cache.
In addition, this release fixes a bug introduced in 2.13.0, where the Windows binaries were not code-signed.
Authenticate the Cargo CLI using Touch ID and other unlock options with 1Password Shell Plugins. {shell-plugins#139}
Authenticate the Argo CD CLI using Touch ID and other unlock options with 1Password Shell Plugins. Thanks to @ssttehrani for their contribution! {shell-plugins#145}
Authenticate the Databricks CLI using Touch ID and other unlock options with 1Password Shell Plugins. Thanks to @bsamseth for their contribution! {shell-plugins#143}
Authenticate the OpenAI CLI using Touch ID and other unlock options with 1Password Shell Plugins. {shell-plugins#152}
`op update` now allows you to look for updates from a specific channel via the `--channel` flag. {1648}
Improvements
Twilio CLI credentials can now be imported from the `~/.twilio-cli/config.json` config file. {shell-plugins#112}
Linode CLI credentials can now be imported from the `~/.config/linode-cli` config file. Thanks to @alexclst for their contribution! {shell-plugins#113}
Shell plugins now throw an error if a configured item is archived. {3232}
When importing shell plugin credentials and prompting for a vault to store them in, 1Password CLI will only show vault names if all vaults have distinct names. {3244}
The AWS, CircleCI, DigitalOcean, Fossa, GitHub, GitLab, Heroku and Okta plugins no longer unnecessarily prompt for authorization when no arguments are provided to the commands. {shell-plugins#126}
The Homebrew and ReadMe plugins no longer unnecessarily prompt for authorization for 'help' or 'version' related commands. {shell-plugins#126}
Fixed
`--vault` flag for `op item edit` now has the appropriate description. {3273}
Plugin cache no longer breaks when caching certain credentials. {3295}
Code signing for 1Password CLI binaries for Windows has been fixed. {3347}
Connecting 1Password CLI with the 1Password app for Windows is now again possible. {3347}
Shout-out to @shyim and @kanadgupta from the community for their plugin contributions to this release! π
New
Authenticate the ReadMe CLI using Touch ID and other unlock options with 1Password Shell Plugins. Thanks to @kanadgupta for their contribution! {shell-plugins#106}
Authenticate the Hcloud CLI using Touch ID and other unlock options with 1Password Shell Plugins. Thanks to @shyim for their contribution! {shell-plugins#87}
Authenticate the Cloudflare Workers using Touch ID and other unlock options with 1Password Shell Plugins. Thanks to @shyim for their contribution! {shell-plugins#94}
This release introduces two new Shell Plugins, as well as a few bug fixes for the Shell Plugins contribution beta.
Additionally, this release also fixes a CLI bug that intermittently causes `panic`s on Windows.
Shout-out to @markdorison and @micnncim from the community for their plugin contributions to this release, as well as to @shyim for bringing a Shell Plugins bug to our attention! π
New
Authenticate the Homebrew package manager using Touch ID and other unlock options with 1Password Shell Plugins. Thanks to @markdorison for their contribution! {shell-plugins#110}
Authenticate the Cachix CLI using Touch ID and other unlock options with 1Password Shell Plugins. Thanks to @micnncim for their contribution! {shell-plugins#97}
Improvements
Shell plugin commands will now error, or show a warning in the case of `op plugin list`, if any incompatible local plugins are detected. {3196}
Fixed
Errors that were encountered sporadically on repeated use of CLI on Windows when 1Password CLI is connected to the 1Password app are no longer returned. {2611}
Locally built plugins with the CredentialUsage.Provisioner field set no longer crash. {3262}
Locally built plugins no longer fail when using cache or additional command flags due to incomplete `ProvisionOutput` sent as response to RPC calls. {3276, shell-plugins#103}
Authenticate the Tugboat CLI using Touch ID and other unlock options with 1Password Shell Plugins. Thanks to @markdorison for their contribution! {shell-plugins#85}
Authenticate the Linode CLI using Touch ID and other unlock options with 1Password Shell Plugins. Thanks to @alexclst for their contribution! {shell-plugins#86}
Authenticate the Lacework CLI using Touch ID and other unlock options with 1Password Shell Plugins. Thanks to @colinbarr for their contribution! {shell-plugins#95}
Shell plugins can now be used with Fish shell. {3264}
Improvements
'op plugin init' and 'op plugin run' will now return a warning or an error if the plugin's CLI cannot be found in $PATH. {3230}
Datadog credentials can now be imported from the `.dogrc` config file. {shell-plugins#101}
Snyk credentials can now be imported from the `snyk.json` config file. {shell-plugins#82}
Sentry CLI credentials can now be imported from the `.sentryclirc` config file. {shell-plugins#99}
Github Personal Access Tokens can now be imported from the `gh/hosts.yml` config file. {shell-plugins#74}
2.10.0-beta.02
(build #2100002)
β released 2022-12-07
Welcome to the world of 1Password Shell Plugins! π
Shell Plugins takes the Touch ID and other unlock options you're used to from 1Password CLI and makes them available for every CLI under the sun. βοΈ
You can store your API credentials encrypted in 1Password and load them just when you use a CLI, so you never have to store your credentials in plaintext on disk.
Weβd like to give a huge shout out to all our awesome beta
testers. Throughout the past months, you have helped us tremendously by letting us
in on your daily workflows, filing bug reports, suggesting improvements and shaping
1Password Shell Plugins together with us into the product that we are releasing today.
You are all amazing! π
Check out all the features of 1Password Shell Plugins and learn more about automating
your local workflows in the 1Password developer documentation!
New
Authenticate CLIs for AWS, CircleCI, DigitalOcean, DogShell, FOSSA, GitHub, GitLab, HashiCorp Vault, Heroku, Okta, PostgreSQL, Sentry, Snyk, Stripe and Twilio using Touch ID and other unlock options with 1Password Shell Plugins.
This beta release contains improvements brought to the Shell Plugins System, as well as two new plugins.
New
New Shell Plugins for MySQL and FOSSA are now available. {2768,2779}
Improvements
Items with different field labels than those required by the plugin are now modified during the item-selection process. N.B. For the items for which you have previously set custom correspondences, you will be prompted to modify them accordingly. {3070,3072}
Optional credential fields will now be skipped instead of being prompted for, when importing credentials manually. {2993}
The `--persist` option has been removed from the `op plugin init` command. {3169}
Credential configuration prompt options are phrased in a more clear manner. {3125, 3171}
`op plugin inspect` now provides insight into the configured credentials, the aliases and the details of the plugins. {2991,3199}
The instructions for adding shell plugins to the setup is more clear. {3189}
`op plugin reset` is now `op plugin clear`, providing better control over clearing up defaults. {3107,3199}
The flow of importing credentials is more intuitive and consistent. {3190}
Shell Plugins now work only when the 1Password app integration is enabled. {3200}
The help text for `op plugin`, `op plugin list`, and `op plugin init` has been improved. {3085,3205}
`op plugin init` tells you to source the plugins file when a plugin has been added. {3189}
Security
If the permissions on the shell plugins aliases file are manually edited to broader permissions, 1Password CLI will refuse to append to the file. {3004}
2.8.0-beta.09
(build #2080009)
β released 2022-11-18
This beta release contains improvements and fixes brought to Shell Plugins.
Improvements
When using Shell Plugins, the prompt to append the source command to found config files is now simplified. {3154}
The wording in the plugin flows more clearly expresses what is going on and why. {3122}
The prompt for entering the item when manually creating the credential with Shell Plugins is now more intuitive. {3123}
When running `op plugin init` commands are easier to copy. {3121}
Going through the `op plugin init` flow is less verbose. {3127}
When using a Shell Plugin default item that is configured from an account different than the one you're currently signed in to, you're now prompted to sign in to the other account. {3025}
Directory-specific plugin defaults are now found under `.op/plugins/` in the working directory. N.B. your directory-specific and global credential defaults will have to be reconfigured. {2949}
Shell plugin provisioners can now override the command that is executed by the shell plugin. {3065}
Items created when importing shell plugin credentials will now contain the name of the plugin's underlying service in their title. {3071}
When importing a shell plugin credential, the resulting item will have lowercase field names. {3136}
Items previously used with Shell Plugins can now be directly picked in the first prompt of the item selection process. {3053}
When creating a credential item manually for Shell Plugins, non-secret fields will no longer be concealed. {3147}
You are no longer prompted for authorization when running plugin commands that don't require secrets. {3066}
User provisioning operations are faster. {3087}
User confirmation operations are faster. {3137}
Fixed
If existing credentials are found on disk, you are now prompted only once for importing them in the new `op plugin init` workflow. {3150}
2.8.0-beta.06
(build #2080006)
β released 2022-11-09
This release contains improvements to the Shell Plugins sneak preview and a few small CLI improvements.
Improvements
Prompting for item selection in the Shell Plugins workflows is now faster.
`op whoami` now offers support for service accounts. {2921}
The command `op plugin init` is used to configure and override an executable with its corresponding plugin globally, in a terminal session scope, or in the current directory scope. {3028}
`op item get` now includes service account related documentation. {2921}
`op document get` and `op item get` now enforce the `--vault` flag when a service account is used. {2921}
Selecting an item for shell plugins now first prompts for "import existing", "create new" and "select from 1Password". {3019}
Running `op plugin configure` with an unknown plugin as argument no longer prompts for authorization. {2978}
Prompt options shown when running the `op plugin configure` command will now always be displayed in the same order. {3034}
Items created for the PostgreSQL plugin are now `Database` type items. {2992}
Fixed
Shell Plugins' item selection prompts no longer include archived items. {3001}
This release contains improvements and fixes related to shell plugins, modifications to our help-text and a security fix.
Improvements
Usage help-text and error messages now use "Connect with 1Password CLI" as the name of the integration setting. {2628}
Security
Resolved an issue where malicious vault items could override environment variables on Windows. Credits to security researcher RyotaK and the Go security team.
This release contains improvements to the Shell Plugins sneak preview and a fix to the CLI cache.
Improvements
`op plugin get-started` can now be used to setup Shell Plugins for the first time. {2941,2912}
New Shell Plugins for Snyk and Twilio are now available. {2765,2778}
Stripe API Keys, GitHub and CircleCI credentials can now be automatically imported into 1Password. {2932,2933,2937}
`op plugin run` and `op plugin configure` will now offer the option to automatically import credentials, which falls back to manually prompting for them. {2924}
Add VAULT_NAMESPACE optional env var for HashiCorp Vault plugin. {2947}
Fixed
PostgreSQL plugin now only asks once for the `hostaddr` field. {2887}
All instances of 'pluginQuery' in help text now use 'plugin-name' instead. {2961}
Displayed vault details are now consistently up to date for cached vaults. {2829}
2.8.0-beta.04
(build #2080004)
β released 2022-10-11
This release contains a series of fixes for a few issues our customers brought to our attention. Thank you everyone for your involvement.
Improvements
The help text for `op group user` commands now uses simpler language to describe membership. {2687}
Fixed
An error message prompting the user to sign in again is displayed instead of panic when no credentials are available. {2697}
`op vault create --help` now shows the correct default value for the `--allow-admins-to-manage` flag. {2645}
Fixed an issue on Windows where the CLI would return "The system cannot find the file specified" when using biometric unlock in some rare cases. {2806}
Piping multiple items into `op item create` does no longer trigger an Internal Conflict Server Error. {2808}
This release prepares support for sharing SSH items and allows for default values to be specified for template variables used in secret references in either `op inject` or `op run`.
Improvements
Default values for template variables can now be specified in environment files used with `op run` and in configuration files used with `op inject`. {2307}
Prepare support for sharing SSH items. After support is added on 1password.com, item-sharing for SSH keys will work from this version onwards. {2700}
2.7.1-beta.01
(build #2070101)
β released 2022-08-18
In this release we have a few quality of life improvements, bugfixes, and a significant cache optimization. Also, beta users
who wish to use a Docker image can pull the `2-beta` tag to retrieve the latest v2 beta images.
New
1Password CLI beta release images are published to Docker Hub. {2664}
Improvements
Item caching logic has been optimized. {2662}
`op item list --favorite` now only lists favorite items. {1837}
Creating new Connect servers in a directory in which 1password-credential.json already exists now prompts to confirm a file overwrite. {2220}
Help text examples now show Powershell versions when you use 1Password CLI on Windows. {2581}
The CLI reference overview documentation now notes that the cache is enabled by default on UNIX-like systems. {2621}
`op group user revoke` help text is now up to date with 1Password CLI 2. {2686}
Fixed
Provisioned users who were suspended can now be deleted. {2563}
1Password CLI binaries in Docker images show the correct version. {2671}
Debian beta package version metadata correctly reflects that it is a beta. {2660}
This beta release delivers the ability to authenticate with 1Password Service Accounts by setting an
environment variable as the service account token. For more information on service accounts and
how to use them, visit our developer documentation!
This release also contains two other beta features that we'd like to ask for your input on.
You can now specify query parameters in secret references (eg. "?attr=otp" to retrieve a
one-time-password value). We've also added a convenience command `op account use` to let
users more easily switch between the active account when biometric unlock is enabled.
This release also contains some non-beta features relating to performance optimisations that improve
the caching logic of the CLI.
New
Authenticate using service account tokens to retrieve vaults and items.
Fetching attributes of fields and files is now possible with secret references, by adding the `attribute` query parameter to them. {2027}
`op account use` can now be used to designate a new default account to run commands with biometric unlock. {2048}
Improvements
The file of a Document-type item can now be referenced using the 1Password CLI secret referencing syntax. {2118}
Cache is enabled by default, it can be disabled by setting the `OP_CACHE` env var to `false`, or by specifying the `--cache=false` flag. {2589}
`op --help` now contains documentation related to the default caching between commands. {2589}
The help text example for concatenating secrets with op inject now uses db_url consistently. {2522}
`op read` help text now notes that whitespaces are supported and require quotation marks. {2522}
Fixed
The cache daemon process no longer holds the current directory in use. {2485}
Vault items are cached more reliably and efficiently. {2540}
The name of file-type fields is again visible in json and human-readable item representations. {2616}
The file-type fields now have the correct ID in the json and human-readable output of items. {2625}
Omit timestamps when printing user if timestamps are not returned by server. {2435}
Using biometric unlock on macOS should no longer return the error "connecting to desktop app: determining parent process of" in some rare cases. {2544}
This release mainly contains fixes centered around file-handling with the CLI, as well as our Connect client. An exhaustive list of additions, improvements and fixes can be found below.
New
`op item create/edit` can now handle file attachments to items. {2141}
Improvements
A debug message is now logged if the state of CLI biometric unlock in the 1Password app cannot be determined. {2167}
An error is now thrown when `op document get` tries to print a file containing unprintable characters. {2288}
`op item list` returns more descriptive error messages when it times out. {2371}
The CLI reference overview documentation now includes a learn more section, various style updates. {2386}
Debug messages are printed to stderr instead of stdout. {2167}
The correct ID and secret references are now displayed for file-type item fields in the json output of items. {2524}
`op item get` leverages the vault in its piped input, in order to improve performance for these use-cases. {2211}
A friendlier error is returned if the local session file is corrupt. {2459}
A clearer error is displayed when trying to read a file field that has not finished uploading. {2539}
Fixed
Debug messages are only printed if the --debug flag is used. {2167}
Secret references that match more than one secret now return an error instead of returning the first match when using the CLI with Connect. {2525}
Addressed a problem where upgrading from a CLI version lower than v2.3.1 could lead to an error for the first 10 minutes after updating. {2459}
Fields and files can now be consistently referenced using the 1Password Secret Referencing Syntax, when using a Connect backend. {2541}
This patch release addresses some of the issues that have been brought to our attention by our users. We want to thank the 1Password community for raising these, and for helping us quickly identify and fix them.
Improvements
It is now possible to specify the vault of an item on creation through the JSON template or piped input. {2460}
Mentions of `--cache` now note that the cache is not available on Windows. {2447}
Fixed
`op user edit --name NAME` command now correctly updates the user's name. {2501}
Categories containing multiple tokens in their name are not invalidated anymore, when specified in json template/piped input in op item create. {2515}
This release contains improvements and fixes over the CLI's piped input handling. The help-text and some user-facing errors have also been improved. To boot, a new command to retrieve information about currently ongoing sessions has been added.
New
The `op whoami` command now allows retrieving information about the currently ongoing sessions. {2218}
Improvements
You can now pipe json input to the CLI commands without explicitly passing the "-" argument placeholder. {2216}
Successfully granting a Connect server access to a vault prints a completion message. {2210}
A more descriptive error message is returned when `op item get` is called without the vault flag when used with a Connect backend. {2475}
Fixed
Piping now works with `op connect server get`, `op connect server delete` and `op connect token delete`. {2216}
The Connect server UUIDs corresponding to the listed tokens now show up in the json output of `op connect token list`. {2216}
`op item create` now interprets the `--category` flag as expected when items are piped via stdin or passed via template files. {2464}
`op document create` help-text example now uses CLI 2 syntax. {2427}
This patch release contains two fixes for regressions introduced in 2.3.0. We want to thank the 1Password CLI community for raising these issues to us, and helping us quickly identify and fix them.
Improvements
A more suggestive error is returned when trying to grant access for Connect to a Private/Personal vault. {2212}
Secret references are now printed in the json output of `op item create/edit` commands. {2387}
Fixed
`op item get` no longer returns an error when `--include-archive` is not specified and Connect is configured. {2476}
When querying values of fields with identical names within different sections of an item using a Connect server, 1Password CLI now returns the expected value. {2477}
Security
Strengthen key derivation for sessions established using biometric unlock by adding a salt. {2062}
This release mainly contains some improvements around the CLI's help-text, as well as adds the possibility to pipe via stdin when creating items.
Improvements
`op connect token create` help-text example now uses CLI 2 syntax. {2292}
`op connect` help-text now clarifies vault limitations. {2330}
`op connect token create` has improved help text, and now takes a `--vault` flag instead of `--vaults` to clarify that multiple `--vault` flags can be set. {2329}
`op item create` now accepts JSON input on stdin. {2425}
This release contains fixes and improvements that have been suggested by customers for the 2.0.0 CLI.
Additionally, it includes security improvements made after a security audit by Secfault Security.
New
Added support for OTP field type for inline item assignments. {1647}
Improvements
All links to related developer documentation articles now point to the new URLs. {2069}
`op account add` help text now notes that biometric unlock requires 1Password 8. {2099}
`op completion` help text now has instructions for loading completion information for PowerShell. {2068}
`UUIDs` are now referred to as `IDs` throughout help text. {2136}
JSON item output now includes the vault's name the item is from. {2100}
Errors are clearer when reading/creating config file fails. {2062,2095}
CLI now throws an error when a command doesn't work with Connect and Connect specific environment variables are set. {2046}
`op item template get` no longer shows an empty vault key for the item. {2169}
Subcommands in the help text now follow the CRUDL order. {2058}
The user ID in the output of `op account list` is now referred to as such, instead of user UUID. {2136}
op user provision help text is now more clear. {2159}
Revoking user access from the Team Members group returns a more descriptive error message. {1553}
When adding a new account, you can now supply your user's secret key with the `OP_SECRET_KEY` environment variable. This is the new recommended method to add accounts on systems where we cannot prompt you for the secret key. Credits to Secfault Security. {2185}
The `op` binary from the Docker Image is now statically compiled, and works well with Alpine Docker images. {1694}
The list output for vaults, items and accounts now contains more details in its json format. {2192}
op events-api help text now notes business or team account requirements. {2271}
op item template list now uses new syntax for op item template get example. {2265}
Events API naming is now standardized in help text. {2269}
.env files that are used with `op run` can now contain and refer to environment variables that contain linebreaks. {2086}
Parsing of .env files for `op run` is now more robust. Credits to Secfault Security for pointing out a parsing inconsistency. {2182}
Fixed
Fields called `title`, `url` and `tags` now take priority over the built-in attributes, with `op read`, `op run` and `op inject`. {2059}
The output of `op signin` now correctly mentions that `op signin` uses the `--account` flag instead of an argument. {2089}
Address fields are now properly displayed instead of being empty. {2063}
Addressed a rare case where running a CLI command with biometric unlock enabled consistently results in an "SRP-x unsupported length" error. {2193}
Windows signature file `op.exe.sig` returns to the Windows download archive. {2180}
`op connect vault grant` and `op connect vault revoke` now return an error if you are missing permissions to perform the action. {2213}
Example for document get now uses CLI 2 syntax. {2145}
Providing raw text as piped input into `op inject` now outputs an appropriate error message. {2178}
Date and MonthYear field types are now properly parsed when the item JSON template is provided to create an item. {2075}
The `pkg-version` for the 1Password CLI on macOS now returns the correct version. {2120}
Debian packages for 32-bit arm systems are packaged under the correct architecture name (armhf). {2186}
Addressed an issue where you could get a persistent "You are not currently signed in" even after signing in. {2293}
Security
Replaced backticks in help text and error messages with single quotes. {2112}
Improved the signature verification of the 1Password app when using biometric unlock on Windows. Credits to Secfault Security. {2143}
Filtering of `op` specific environment variables has been removed from `op run`, as no security advantages are obtained by this filtering. Credits to Secfault Security. {2184}
Fixed a race-condition that could result in a file written by the CLI to not end up with the specified filemode. Credits to Secfault Security. {2198}
The CLI refuses to write to files that are symlinked. Credits to Secfault Security. {2198}
Unprintable characters are now filtered out from the output of the CLI, when used interactively. Credits to Secfault Security. {2183}
This is the first release of the next generation of 1Password CLI! π
It takes the usability and accessibility that you're used to from 1Password
to the terminal. Among others, it allows you to unlock the CLI using biometrics,
and has a new and improved command structure and output.
In addition, we also introduced some brand new functionality to 1Password CLI.
Some of the features we'd like to highlight are Psst! support
and the ability to securely load secrets into scripts, applications, and other workloads.
We would like to shout out our amazing early access community for raising bug
reports, suggesting improvements, and helping us shape the 1Password CLI along
every iteration of the beta into the product we are now releasing! π
Check out all the improvements and new features below and learn more in our new
developer documentation!
New
1Password CLI 2 now uses a new command schema, together with a more intuitive JSON output format.
Biometric Unlock can now be used instead of typing your account password on the command line. {1943}
The item get, inject, run and read commands now also support using a Connect server. Use it by setting OP_CONNECT_HOST and OP_CONNECT_TOKEN environment variables. {1580}
1Password CLI can now be installed via apt, dnf and apk.
All commands now format their output in a new human friendly format. Use the --format=json flag or OP_FORMAT=json environment variable to output as JSON. {1487, 1564}
Improvements
Vault access permissions can now be granted and revoked granularly when managing users' and groups' access to vaults by specifying --permissions. {1517}
Listing groups or users that have access to a vault now displays the group's or user's permissions. {1608}
Granting or revoking vault permissions prints the resulting permissions. {1739}
Setting whether a vault is safe for travel can be achieved with the --travel-mode flag, while editing vaults. {1505}
Deleting multiple vaults at once is now possible. {1505}
When getting items, you can now retrieve fields by field type. {1855}
Creating and editing items now have a dry-run feature, which prints the resulting items without saving them. {1515}
When editing items, you can now change the autofill url, tags and title. {1506}
Creating items can now be done using templates similar in format to the items retrieved with 1Password CLI. The old format is no longer supported. Support for passing in base64 encoded templates as an argument has been removed. {1578}
Creating and editing items now offer support for setting, updating and deleting fields through command line arguments. {1515}
Curly brackets are no longer shown around vault IDs when listing items. {1632}
Selecting items by tags now retrieves nested tags. {1529}
Setting the --tags flag to an empty value while editing items or documents will now remove all tags. {1558}
Tags specified multiple times on commands to create or edit items or documents are now applied only once. {1598}
Adding new accounts is now done using a standalone command, op account add. Configuring new accounts via op signin is no longer supported. {1898}
op signin accepts the --account flag to select which account to sign in to. The command no longer supports arguments. {1898}
$OP_ACCOUNT and --account flag now also accept a user UUID or an account UUID. {1900}
The --list flag of op signin has been removed, and the functionality has been moved to op account list. {1881}
Listing accounts no longer returns DSECRET and SECRET_KEY in its output. {1748}
Forgetting all authenticated accounts at once is now possible. {1504}
Confirming multiple users of an account at once is now possible. {1502}
Deleting multiple users from an account at once is now possible. {1502}
Editing multiple users within an account at once is now possible. {1502}
Reactivating multiple users within an account at once is now possible. {1502}
Suspending multiple users within an account at once is now possible. {1502}
You can now output debug logs using the binary flag --debug or the environment variable OP_DEBUG. Currently debug logs exist for biometric unlock only. {1910}
--iso-timestamps can now also be set using the $OP_ISO_TIMESTAMPS environment variable. {1926}
The --include-archive flag can now also be specified setting the OP_INCLUDE_ARCHIVE environment variable to true. {1616}
The formatting and phrasing of error messages has been improved. {1871}
The help text across 1Password CLI commands is now clearer, more elaborate and better formatted. {1736}
list and delete commands can now be used with their aliases: ls, remove and rm. {1571}
Listing events is no longer possible. Please continue using 1Password CLI version 1 to read audit events. Before support for version 1 ends, a more sophisticated solution for audit events will be available. {1710}
armv7 and arm64 Docker images of 1Password CLI are now being built and published on DockerHub. {1771}
This release introduces auto-completion for fish shells, check out op completion --help for instructions. We also renamed a command to be more accurate as well.
New
CLI now has completion support for fish shell. {2056}
Improvements
`op user invite` is now called `op user provision` to better reflect what the command does. {2155}
2.0.0-beta.15
(build #2000017)
β released 2022-03-08
In this release, we have some UX improvements and bug fixes in our authentication flows.
In addition, starting from this release, 1Password CLI beta releases can be installed over the Apt, APK, and YUM repositories! Instructions are
located at https://developer.1password.com/docs/cli/install.
Improvements
The 1Password CLI will now more clearly instruct you what to do when biometric unlock is enabled, but the 1Password app is not running. {1685}
The `signout` command now only signs out the specified account if --account or $OP_ACCOUNT is set and biometric unlock is enabled. {1953}
The `signin` command now outputs an error when being called without `eval` or `Invoke-Expression`. {2030}
Biometric unlock now can now be manually enabled or disabled by setting OP_BIOMETRIC_UNLOCK respectively "true" or "false". {2035}
The error message displayed when dismissing the biometric unlock prompt multiple times in short succession is clearer. {1946}
Refactor help text command syntax from `op ` to `op `. {2083}
More accurate error messages are now displayed when using biometric unlock requires extra setup steps. {2097}
Fixed
`op account get` now returns the correct account type for Team accounts. {2008}
The flags for `op group user revoke` are now correct. {2073}
2.0.0-beta.13
(build #2000015)
β released 2022-02-24
Thanks again for all the feedback folks! This update includes another set of improvements, most of which are around the new signin experience and creating items with templates.
Improvements
`op account add` can now be used to configure new accounts via flags or interactive inputs. Configuring new accounts via `op signin` is no longer supported. {1898}
`op signin` accepts the `--account` flag to select which account to sign in to. The command no longer supports arguments. {1898}
You can now output debug logs using the binary flag `--debug` or the environment variable `OP_DEBUG`. {1910}
Secret references containing spaces are now supported. {1905}
The tool is now called "1Password CLI" instead of "1Password command-line tool" in the help-text. {1944}
The output of `op --help` is now more concise. {1951}
`op item share` now throws an elegant error when called with unshareable item types. {1911}
`op item list` now has both a long and a short format, toggled with the `--long` flag. {1994}
Signing out from all accounts with a single command is now possible with `op signout --all`. {2003}
The `op inject` help text now includes a warning to delete the resolved config file when it's no longer needed. {2034}
`op item create` and `op item edit` now have instructions documented about using them securely. {1997}
`op item template get` now returns the new item JSON format. {1578}
`op item create` now supports templates that resemble the output of `op item get` and use common language keys. The old format is no longer supported. {1578}
Files created by the 1Password CLI on Linux are no longer owned by the onepassword-cli group. {2045}
`$OP_ACCOUNT` and `--account` flag now also accept a user UUID or an account UUID. {1900}
Fixed
Caching now also works when using biometric unlock. {1971}
When multiple accounts are available for an account filter, the user is prompted with the correct command to execute, in order to list all available accounts. {1996}
`op run` no longer returns an error when the --env-file is used and the environment contains a multiline environment variable. {1851}
2.0.0-beta.12
(build #2000014)
β released 2022-01-28
This release introduces Biometric Unlock; If you have the latest nightly build of the 1Password 8 installed, you can now use it to sign in to the CLI using biometrics.
New
Biometric Unlock can now be used with the latest nightly release of 1Password 8. {1943}
Improvements
`--iso-timestamps` can now also be set using the `$OP_ISO_TIMESTAMPS` environment variable. {1926}
2.0.0-beta.10
(build #2000012)
β released 2022-01-24
This release contains fixes and improvements based on your feedback during Early Access. Thank you all for sharing your thoughts! β€οΈ Please keep your feedback coming and we'll improve 1Password CLI together.
Note that this release doesn't cover all provided feedback yet, and we'll continue to release more updates when they're ready.
Improvements
`op item get` now has `--otp` to fetch the primary OTP code of an item, similarly to `op get totp` in 1Password CLI 1. {1908}
The help text for `op item ls` and `op item get` now include documentation for the `OP_INCLUDE_ARCHIVE` environment variable. {1670}
The `--list` flag of `op signin` has been removed, and the functionality has been moved to `op account list`. {1881}
The API Credential item category is now documented in help-texts. {1214}
The `read`, `inject` and `template get` commands now have a force flag to bypass user confirmation when the output file already exists. {1922}
Fixed
`op item template get` help text now references the right item create command. {1902}
`op update` now works on MacOS too. {1717}
Sections without fields are now displayed properly. {1932}
2.0.0-beta.9
(build #2000011)
β released 2022-01-17
This release contains fixes and improvements based on your feedback during Early Access. Thank you all for sharing your thoughts! β€οΈ Please keep your feedback coming and we'll improve 1Password CLI together.
Note that this release doesn't cover all provided feedback yet, and we'll continue to release more updates when they're ready.
Improvements
Error messages when something doesn't exist no longer introduce ambiguity. {1871}
Help text for flags is better divided into flag name and its usage. {1868}
The item in human-readable output now displays the one-time password code. {1891}
`op item list` now shows the vault name instead of the ID. {1887}
Flag help text now starts with capital letters and have terminal punctuation. {1886}
Fixed
The retrieval of fields with the 'section.field' format is now possible via 'op item get'. {1870}
An error is now thrown if a field with non-unique name is inquired by name. {1870}
`op item get` usage now shows the correct command to retrieve one-time passwords. {1855}
Sections without fields are now excluded from the human output of `op item get`. {1888}
2.0.0-beta.8
(build #2000010)
β released 2022-01-11
This release focuses on improving command help text to be more clear and concise. We also fixed a
critical bug where unintended vault permissions would be granted in the `op vault user grant/revoke` commands.
Improvements
The help text of multiple commands is now clearer and more elaborate. {1736}
The flag `--fields` for the command `op item get` now has an alias `--field`. {1762}
`op item create` and `op item edit` commandsβ help text are more descriptive and concise. {1664}
Vault access permission management commandsβ help text are more accurate and concise, and include a link to an in-depth guide to developer documentation. {1664}
Fixed
The `op vault user grant` command does not grant any additional permissions than what was specified. {1723}
2.0.0-beta.6
(build #2000006)
β released 2021-11-26
The main feature included in this release revolves around a set of commands that have been added or
improved for managing granular vault access permissions. A specific vault's group and user vault access
permissions can be viewed by the `op vault group list VAULT` and `op vault user list VAULT` commands.
In addition, they can be set via using the `--permission` flag to a comma-separated list of permissions
in the `op vault group grant`,`op vault group revoke`, `op vault user grant`, and `op vault user revoke`
commands.
New
The `op vault group/user grant/revoke` commands now have a `permissions` flag to specify the vault access permissions being granted/revoked. {1517}
The `op vault group list` and `op vault user list` commands now display the vaultβs group or user access permissions. {1608}
Improvements
Suggested next steps have been improved when `op` fails to grant a group access to a Connect instance. {1664}
The usage of secret references is now specified in more detail in the `run`, `inject`, and `read` commands' help text. {1711}
The `op events list` command is no longer available. Continue to use CLI version 1 to read audit events. Before support for CLI 1 ends a more sophisticated solution for audit events will be available. {1710}
The `op events create` command is now `op events-api create`. {1710}
Fixed
The `op vault group list` command now displays the correct permissions based on the accountβs tier. {1517}
2.0.0-beta.4
(build #2000004)
β released 2021-11-05
Creating and editing items with the command-line tool is now easier than ever, thanks to the new field assignment syntax. You can create, delete and update custom fields of an item (and even change their type) with just one command, for example:
op item edit 'database' 'creds.db2_admin_username[text]=dbadmin2' 'creds.db2_admin_pw[password]=RTA@gug9vmn7xey7pbq'
We've also made a number of small improvements and bug fixes.
New
The `item create` and `item edit` commands now have a `dry-run` flag that will print the resulting items without saving them. {1515}
Improvements
The `op item create` and `op item edit` commands now support setting, updating and deleting fields through command line arguments. {1515}
Errors in templates for `op inject` are now described in more detail. {1605}
Table output headers are now separated by spaces instead of underscores. {1635}
The field names createdAt and updatedAt are now displayed as created and updated. {1635}
Vault types are now fully spelled out in the command-line tool output. {1633}
Null or empty fields are no longer displayed in the human-readable item output. {1634}
The `op item template get` command now has an `--out-file` flag to write item templates to a file instead of stdout. {1636}
Curly brackets are no longer shown around vault IDs when listing items. {1632}
Help-texts are now more consistent and easier to read. {2946}
Fixed
The command-line tool can now use Connect as backend even if it has access to more than one vault. {1681}
2.0.0-beta.3
(build #2000003)
β released 2021-10-07
Buckle up command-line tool users! We are launching an awesome ride that we'd love for you to join us on. π
I'm super excited to announce our first Early Access release for v2 of the command-line tool. We have
redesigned the command structure from the ground up and as you'll see commands are
now neatly organized by topic. There's a ton of other improvements - big and small -
outlined in more detail below.
This release also introduces the ability to pass secrets from 1Password items to
your applications, scripts and any other processes that require secrets.
We're just getting started and we'd love to hear your feedback and suggestions.
What should we focus on next? Let us know!
New
Secrets can now be loaded into templated (configuration) files using the `inject` command. {1577}
Secrets can now be loaded as environment variables to any process using the `run` command. {1577}
A secret can now be read using the `read` command. {1577}
A secret can now be loaded into a system file using the `read` command. {1577}
`op item get` now retrieves items via a Connect server if the `OP_CONNECT_HOST` and `OP_CONNECT_TOKEN` environment variables are configured. {1580}
Groups that have access to a vault can now be listed using `op vault group list`. {1541}
`op item edit` command now supports the `--url`, `--tags`, and `--title` flags to edit the fields. {1506}
The `create vault` and `edit vault` commands can now specify an icon with the `--icon` flag. {1556}
Details of a Connect server can now be retrieved with `op connect server get`. {1508}
Improvements
Commands are now organized by topic. {1503, 1504, 1505, 1506, 1508, 1509, 1511, 1560, 1568, 1589, 1600}
All commands now format their output in a new human-friendly format. `--format=json` switches the output to JSON. {1487, 1564}
The flags `--format` and `--include-archive` can now also be specified using the environment variables `OP_FORMAT` and `OP_INCLUDE_ARCHIVE` respectively. {1616}
The human-friendly output format uses prose instead of timestamps. `--iso-timestamps` switches the output to timestamps. {1487}
Item, vault, connect, user, and group JSON output formats are now stripped from acronyms and unneeded internal data. {1477}
JSON outputs are now formatted and colored. {1579}
`op item create` command now supports filepaths for item templates via the `--template` flag, support for passing in base64 encoded templates as an argument has been removed. {1506, 1560}
`list` and `delete` commands can now be used with their aliases: `ls`, `remove` and `rm`. {1571}