PowerShell Module for 1Password CLI
A PowerShell Module enabling simple methods for accessing your 1Password Vault.
UPDATE June 2023
v2 of this 1Password PowerShell Module now supports v2 of the 1Password CLI.
The module is backward compatible so if you are still using v1 of the 1Password CLI nothing changes.
v2 of this module has been on the backlog for sometime. The 1Password hackathon in partnership with Hashnode was the inspiration to finish a public version of it.
- Works with versions 1.x and 2.x of the 1Password CLI
- Auto-detects the version of the 1Password CLI you have and integrates accordingly
- Allows a configuration to be securely stored in your local Windows Profile that automatically loads with the module.
- Stores a profile configuration using Export-CliXML. The Export-Clixml cmdlet encrypts credential objects by using the Windows Data Protection API. The encryption ensures that only your user account on only that computer can decrypt the contents of the credential object. The exported CLIXML file can't be used on a different computer or by a different user.
- You can then use the 1Password CLI commands without having to worry about Signing In and managing the Session Tokens.
- You can use the module in Demo's and Presentations and not expose your API Keys or Credentials.
- Works in Jupyter Notebook
- Works with Windows PowerShell and PowerShell (6.x+)
Install from the PowerShell Gallery on Windows PowerShell 5.1+ or PowerShell Core 6.x or PowerShell.
Install-Module -name 1Pwd
To use this module you will need:
- A Paid [1Password account] (https://1password.com/sign-up/)
- Your Secret Key or Setup Code
- Your Master Password that you use for accessing your 1Password Vault
- 1Password CLI. Install it in the same directory as your script(s).
Test the 1Password CLI is accessible by running the following command that will return the 1Password CLI version. If you haven't setup credentials yet you will also receive a message to that effect.
.\op.exe --version
The module contains 4 cmdlets.
Import-Module 1Pwd
Get-Command -Module 1Pwd | Sort-Object Name | Get-Help | Format-Table Name, Synopsis -Autosize | clip
Name Synopsis
---- --------
Invoke-1PasswordExpression Invokes a 1Password CLI command.
Set-1PasswordConfiguration Sets the default 1Password Vault and credentials.
Switch-1PasswordConfiguration Changes the 1Password configuration to a different Vault.
Test-1PasswordCredentials Tests if the configured 1Password CLI configuration is valid.
To create a secure profile for use with the 1Pwd Module execute the following PowerShell commands with the user account on the computer that you will be using to retrieve/set 1Password Vault items. This will create the secure configuration under your Windows Profile for the logged in user on computer it was executed on. It can only be opened and the Secret Key and Master Password read using the same account on the same computer.
Update the following with your Sign-In Address and Sign In Account (Email Address) retrieved above. You will be prompted to securely input your Secret Key and Master Password.
$1PSignInAddress = "https://my.1password.com"
$1PSignInAccount = "your@emailaddress.com"
$1PSecretKey = Read-Host "Enter your 1Password SecretKey" -AsSecureString
$1PMasterPassword = Read-Host "Enter your 1Password Master Password" -AsSecureString
Using the information input above the Test-1PasswordCredentials cmdlet is used to validate them and return your account details.
$account = Test-1PasswordCredentials -SignInAddress $1PSignInAddress -SignInAccount $1PSignInAccount -SecretKey $1PSecretKey -MasterPassword $1PMasterPassword
Having successfully provided and validated your credentials the Set-1PasswordConfiguration cmdlet will securely store the configuration in the logged in users local Windows Profile. When saving a configuration you can use the -default switch to specify that it is the default configuration. It will automatically be retrieved and a session created when the module loads.
v1.x CLI
Set-1PasswordConfiguration -Vault $account.domain -SignInAddress $1PSignInAddress -SignInAccount $1PSignInAccount -SecretKey $1PSecretKey -MasterPassword $1PMasterPassword -Default
v2.x CLI
Set-1PasswordConfiguration -Vault $account[2].Split(":")[1].trim() -SignInAddress $1PSignInAddress -SignInAccount $1PSignInAccount -SecretKey $1PSecretKey -MasterPassword $1PMasterPassword -Default
The Switch-1PasswordConfiguration cmdlet allows you to switch vaults/configuration. This is useful if you have multiple accounts. Each configuration needs to be saved using Set-1PasswordConfiguration. When saving a configuration you can use the -default switch with Set-1PasswordConfiguration to specify which is the default configuration that will be loaded when the module loads.
To change the configuration for PersonalVault2 you would use the command.
Switch-1PasswordConfiguration -vault PersonalVault2
To switch to the PersonalVault2 configuration and make it the default use the -default switch.
Switch-1PasswordConfiguration -vault PersonalVault2 -Default
The primary command/cmdlet that you will use after configuration is Invoke-1PasswordExpression.
Invokes 1Password CLI command. Any command that the 1Password v1 CLI supports can be provided.
Any command that the 1Password v2 CLI supports can be provided.
The fundamental difference between the versions of the CLI is the command syntax. 1Password CLI 2 introduces a noun-verb command structure that groups commands by topic rather than by operation.
Invoke-1PasswordExpression "list users"
Invoke-1PasswordExpression "user list"
There is NO NEED to specify the op.exe executable or the --session --cache switches.
List Vaults
Invoke-1PasswordExpression "list vaults"
List Vaults
Invoke-1PasswordExpression "vault list"
Get Item Twitter
Invoke-1PasswordExpression "get item Twitter"
Get Item 'Twitter Other Account' e.g An Item with spaces
Invoke-1PasswordExpression "get item 'Twitter - darrenjrobinson'"
Get the Twitter Vault Item and return the password
((Invoke-1PasswordExpression "get item 'Twitter - darrenjrobinson'").details.fields | where-object {$_.designation -eq 'password'} | select-object -property value).value
Get Item Twitter
Invoke-1PasswordExpression "item get Twitter"
Get Item 'Twitter Other Account' e.g An Item with spaces
Invoke-1PasswordExpression "item get 'Twitter - darrenjrobinson'"
Get the Twitter Vault Item and return the password
((Invoke-1PasswordExpression "item get 'Twitter - darrenjrobinson'").fields | where-object {$_.id -eq 'password'} | select-object -property value).value
The public version of v2 of this module inspired by the 1Password Hackathon
#1Password #BuildWith1Password
- Found an issue and want us to fix it? Log it
- Want to fix an issue yourself or add functionality? Clone the project and submit a pull request.
- Any and all contributions are more than welcome and appreciated.