twpayne / chezmoi

Manage your dotfiles across multiple diverse machines, securely.
https://www.chezmoi.io/
MIT License

Integrate 1Password SDKs to remove dependency on CLI #3852

Open carey404 opened 4 days ago

carey404 commented 4 days ago

Is your feature request related to a problem? Please describe.

1Password recently released SDKs that support reading and writing secrets directly from 1Password without the need for the CLI or a Connect server. This simplifies the integration process and reduces the dependency on additional infrastructure.

Describe the solution you'd like

Extend the 1Password integration to support the new 1Password SDKs. This would allow users to:

Describe alternatives you've considered

Continuing to use the integration with the CLI or Secrets Automation.

Additional context

The 1Password SDKs are currently in beta. Documentation can be found here: https://developer.1password.com/docs/sdks/

halostatue commented 4 days ago

In the short and medium term, I don't think we can consider this at all. In the long term, it depends on what features 1Password adds to the SDK — but I am not optimistic based on the current limitations.

  1. The SDKs currently only support 1Password Service Accounts. This is not really intended for user-accessible machines, but for automated machines. Anyone (like myself) who has more than one 1Password account cannot use service accounts meaningfully.
  2. No field metadata, attachments, or SSH keys are available.
  3. Only op:// URL references are supported, and op:// URL references do not currently have an account field (see above about multiple 1Password accounts).

These feel like making 1Password Service Accounts alternatives to 1Password Connect or Hashicorp Vault in the long term, not something that would be used on an end-user machine.
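To make the third limitation concrete, here is an added example (not chezmoi's code and not 1Password's SDK) of a small Go parser for the documented `op://<vault>/<item>/[<section>/]<field>` reference form. The parsed struct deliberately has no account component, because the scheme itself carries none: a bare reference cannot say which of several 1Password accounts it belongs to, so any multi-account selection has to come from outside the reference (configuration, environment, or a template parameter). The function names and the sample references are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// SecretRef is the parsed form of a 1Password secret reference such as
// op://vault/item/field or op://vault/item/section/field.
// There is intentionally no Account field: the op:// scheme has no account
// selector, which is the limitation discussed in the comment above.
type SecretRef struct {
	Vault   string
	Item    string
	Section string // empty when the reference has no section component
	Field   string
}

// ErrInvalidRef is wrapped by every parse failure so callers can test for it
// with errors.Is without matching on message text.
var ErrInvalidRef = errors.New("invalid op:// secret reference")

// ParseSecretRef splits an op:// reference into its components. It accepts
// exactly three (vault/item/field) or four (vault/item/section/field) path
// segments and rejects empty segments, so "op://Private//token" is an error.
func ParseSecretRef(ref string) (SecretRef, error) {
	const scheme = "op://"
	if !strings.HasPrefix(ref, scheme) {
		return SecretRef{}, fmt.Errorf("%w: missing %q scheme in %q", ErrInvalidRef, scheme, ref)
	}
	parts := strings.Split(strings.TrimPrefix(ref, scheme), "/")
	for _, p := range parts {
		if p == "" {
			return SecretRef{}, fmt.Errorf("%w: empty path segment in %q", ErrInvalidRef, ref)
		}
	}
	switch len(parts) {
	case 3:
		return SecretRef{Vault: parts[0], Item: parts[1], Field: parts[2]}, nil
	case 4:
		return SecretRef{Vault: parts[0], Item: parts[1], Section: parts[2], Field: parts[3]}, nil
	default:
		return SecretRef{}, fmt.Errorf("%w: expected vault/item/[section/]field, got %d segments in %q",
			ErrInvalidRef, len(parts), ref)
	}
}

// String re-serializes the reference in canonical op:// form.
func (r SecretRef) String() string {
	if r.Section == "" {
		return "op://" + r.Vault + "/" + r.Item + "/" + r.Field
	}
	return "op://" + r.Vault + "/" + r.Item + "/" + r.Section + "/" + r.Field
}

func main() {
	// Constructed sample references: two valid forms and two malformed ones.
	for _, ref := range []string{
		"op://Private/GitHub/token",
		"op://Work/Database/credentials/password",
		"op://Private/GitHub",
		"https://Private/GitHub/token",
	} {
		r, err := ParseSecretRef(ref)
		if err != nil {
			fmt.Println("reject:", err)
			continue
		}
		fmt.Printf("accept: vault=%q item=%q section=%q field=%q -> %s\n",
			r.Vault, r.Item, r.Section, r.Field, r)
	}
}
```

Running the block prints one line per sample reference; the two well-formed ones are accepted and round-trip through `String`, while the three-segment-short and wrong-scheme ones are rejected with an error that wraps `ErrInvalidRef`.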

twpayne commented 3 days ago

Thank you @carey404 for opening this issue and thank you @halostatue for the in-depth analysis!

I think this is worthwhile to include in chezmoi for several reasons:

  1. chezmoi already includes support for multiple secret providers targeted at automated machines, e.g. AWS Secrets Manager, Azure Key Vault, and Doppler. There is evidence that people do use these services to populate secrets in their dotfiles as these contributions were made by users, e.g. craiggwilson in #2219, catay in #3112, and equals03 in #3134. (Not using @ mentions to avoid spamming them).

  2. We can add this functionality in parallel to the existing 1Password support using the 1Password CLI by using different template function names, i.e. we can do this while maintaining full backwards compatibility.

  3. Even though the 1Password SDKs are currently in beta, we can clearly signal this to users, and no doubt the 1Password SDK will increase in capability over time.