Skip to content

1Password

chezmoi includes support for 1Password using the 1Password CLI to expose data as a template function.

Log in and get a session using:

$ op account add --address $SUBDOMAIN.1password.com --email $EMAIL
$ eval $(op signin --account $SUBDOMAIN)

This is not necessary if you are using biometric authentication.

The output of op read $URL is available as the onepasswordRead template function, for example:

{{ onepasswordRead "op://app-prod/db/password" }}

returns the output of

$ op read op://app-prod/db/password

Documents can be retrieved with:

{{- onepasswordDocument "$UUID" -}}

The output of op item get $UUID--format json (op get item $UUID) is available as the onepassword template function. chezmoi parses the JSON output and returns it as structured data. For example, if the output is:

{
  "id": "$UUID",
  "title": "$TITLE",
  "version": 2,
  "vault": {
    "id": "$vaultUUID"
  },
  "category": "LOGIN",
  "last_edited_by": "$userUUID",
  "created_at": "2010-08-23T13:18:43Z",
  "updated_at": "2014-07-20T04:40:11Z",
  "fields": [
    {
      "id": "username",
      "type": "STRING",
      "purpose": "USERNAME",
      "label": "username",
      "value": "$USERNAME"
    },
    {
      "id": "password",
      "type": "CONCEALED",
      "purpose": "PASSWORD",
      "label": "password",
      "value": "$PASSWORD",
      "password_details": {
        "strength": "FANTASTIC",
        "history": []
      }
    }
  ],
  "urls": [
    {
      "primary": true,
      "href": "$URL"
    }
  ]
}

Then you can access the password field with the syntax

{{ (index (onepassword "$UUID").fields 1).value }}

or:

{{ range (onepassword "$UUID").fields -}}
{{   if and (eq .label "password") (eq .purpose "PASSWORD") -}}
{{     .value -}}
{{   end -}}
{{ end }}

Info

1Password CLI 1.x returns a simpler structure:

{
  "uuid": "$UUID",
  "details": {
    "password": "$PASSWORD"
  }
}

This allows for the syntax:

{{ (onepassword "$UUID").details.password }}

onepasswordDetailsFields returns a reworked version of the structure that allows the fields to be queried by key:

{
  "password": {
    "id": "password",
    "label": "password",
    "password_details": {
      "history": [],
      "strength": "FANTASTIC"
    },
    "purpose": "PASSWORD",
    "type": "CONCEALED",
    "value": "$PASSWORD"
  },
  "username": {
    "id": "username",
    "label": "username",
    "purpose": "USERNAME",
    "type": "STRING",
    "value": "$USERNAME"
  }
}
{{- (onepasswordDetailsFields "$UUID").password.value }}

Additional fields may be obtained with onepasswordItemFields; not all objects in 1Password have item fields. This can be tested with:

$ chezmoi execute-template "{{ onepasswordItemFields \"$UUID\" | toJson }}" | jq .

Note

The extra - after the opening {{ and before the closing }} instructs the template language to remove any whitespace before and after the substitution. This removes any trailing newline added by your editor when saving the template.

Sign-in prompt

chezmoi will verify the availability and validity of a session token in the current environment. If it is missing or expired, you will be interactively prompted to sign-in again.

In the past chezmoi used to simply exit with an error when no valid session was available. If you'd like to restore this behavior, set the onepassword.prompt configuration variable to false, for example:

~/.config/chezmoi/chezmoi.toml
[onepassword]
    prompt = false

Danger

Do not use prompt on shared machines. A session token verified or acquired interactively will be passed to the 1Password CLI through a command line parameter, which is visible to other users of the same system.