Open stevenharman opened 1 year ago
Heroku SSO users cannot use an API key so this makes sense.
The way the Heroku CLI plugin itself gets around this is that it pops open a browser. I forget what the Heroku CLI even caches to keep the 8 hour session for an SSO user but maybe @imtayadeway or @dmcinnes knows 😈
Right, it's a "Heroku API Token," exactly. But it still uses a short-lived token, stored in ~/.netrc. Since the op CLI is a wrapper that's just setting the HEROKU_API_KEY ENV var before execing the heroku CLI, it should be possible (for some definition and amount of effort) to allow the heroku CLI to pop the browser. The trick is in updating the 1Password entry holding the token in a clean way.
Also, 👋 HI JESSIE! I miss you, buddy!
The trick is in updating the 1Password entry holding the token in a clean way.
Hi Steven, for storing the token, you can take the same approach as we've done in the AWS STS provisioner for the short-lived session token: https://github.com/1Password/shell-plugins/blob/main/plugins/aws/sts_provisioner.go#L67
The cache is encrypted, and you can safely store credentials in there.
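An added sketch of the cache-then-reauthenticate flow discussed in this thread; it is not code from the shell-plugins repository or from any commenter. The in-memory map, the `login` callback and every name below are hypothetical stand-ins for the plugin cache and the browser login, and the sample values are constructed.

```go
package main

import (
	"fmt"
	"time"
)

// cachedToken pairs a short-lived token with its expiry (hypothetical type).
type cachedToken struct {
	Value   string
	Expires time.Time
}

// tokenCache is an in-memory stand-in for an encrypted, per-account cache.
type tokenCache map[string]cachedToken

// loginFunc stands in for the interactive browser login; it returns a token and its lifetime.
type loginFunc func() (string, time.Duration, error)

// refreshMargin avoids handing out a token that expires mid-command.
const refreshMargin = 5 * time.Minute

// provisionToken returns the value to export as HEROKU_API_KEY and reports
// whether a fresh login was needed to obtain it.
func provisionToken(c tokenCache, account string, now time.Time, login loginFunc) (string, bool, error) {
	if t, ok := c[account]; ok && now.Add(refreshMargin).Before(t.Expires) {
		return t.Value, false, nil
	}
	delete(c, account) // never pass an expired token on to the CLI
	tok, ttl, err := login()
	if err != nil {
		return "", false, fmt.Errorf("re-authentication failed: %w", err)
	}
	c[account] = cachedToken{Value: tok, Expires: now.Add(ttl)}
	return tok, true, nil
}

// invalidate drops a token the API rejected before its expiry (for example, after revocation).
func invalidate(c tokenCache, account string) { delete(c, account) }

func main() {
	cache := tokenCache{}
	start := time.Date(2023, 1, 1, 9, 0, 0, 0, time.UTC) // constructed timestamp
	login := func() (string, time.Duration, error) { return "constructed-token", 8 * time.Hour, nil }
	for _, offset := range []time.Duration{0, 4 * time.Hour, 8 * time.Hour} {
		_, fresh, _ := provisionToken(cache, "sso-user", start.Add(offset), login)
		fmt.Printf("t+%v: fresh login = %v\n", offset, fresh) // the token itself is never printed
	}
}
```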
Platform or tool
Heroku
Desired or expected behavior
When SSO is enabled for a Heroku account, the API key issued is short lived (8 hours). This means the key imported into 1Password expires w/in 8 hours.
The heroku CLI itself will notice when a key is no longer working and prompt the user to re-authenticate (by popping up a browser session to do the auth dance). The 1Password CLI plugin needs to do something similar to support SSO accounts - or perhaps even to better support a token being revoked/expired.
Current behavior
When the token has expired, we see the following with the 1Password CLI plugin:
Trying to do a heroku login then fails with the same error message.
The only workaround I know of right now is to not use the plugin. Which makes me very sad.
Relevant log output
No response
op CLI version
2.9.1