Skip to content

Instantly share code, notes, and snippets.

@mttjohnson
Last active March 5, 2023 07:02
Show Gist options
  • Save mttjohnson/18b6b981a8244448d7c4a879d7398b81 to your computer and use it in GitHub Desktop.
Save mttjohnson/18b6b981a8244448d7c4a879d7398b81 to your computer and use it in GitHub Desktop.
Load Secret Environment Variables from 1Password
# Load environment secrets with with 1Password CLI Injection
#
# Used with load_secrets.sh
# source load_secrets.sh
# AWS Service Account Credentials
AWS_ACCESS_KEY_ID={{ op://$OP_VAULT/$INF_PROJECT.aws_access_key/username }}
AWS_SECRET_ACCESS_KEY={{ op://$OP_VAULT/$INF_PROJECT.aws_access_key/password }}
# Project Secrets
GPG_PASSPHRASE={{ op://$OP_VAULT/$INF_PROJECT.gpg_passphrase/password }}
# Implementation Secrets
TF_VAR_gpg_passphrase={{ op://$OP_VAULT/$INF_PROJECT.$INF_IMPLEMENTATION.gpg_passphrase/password }}
# Configuration environment variables
#
# Used with load_secrets.sh
#
# A default template of this file could be tracked in a git repo and individual
# operators could override default config values where they are specific to them
# such as 1Password account or vault, and project or implementation value used.
#
# Replace xxxxx_placeholder_xxxxx with the config value you wnat to use
# TIP: Finding secret uuid by looking for any entry in your Private vualt with a title containing "aws"
# op account list
# op item list --account "${ONEPASS_ACCOUNT}" --vault Private | grep -i aws
# TIP: Finding field name in entry
# op item get "${AWS_CRED_ONEPASS_UUID}" --account "${ONEPASS_ACCOUNT}"
# op item get "${AWS_CRED_ONEPASS_UUID}" --account "${ONEPASS_ACCOUNT}" --field "label=${AWS_CRED_ONEPASS_ACCESSID_FIELD_NAME}"
# Infrastructure Configuration
INF_PROJECT="xxxxx_project_name_xxxxx"
INF_IMPLEMENTATION="xxxxx_implementation_name_xxxxx"
# Environment variables to pass to Terraform
TF_VAR_inf_tag="${INF_PROJECT}"
TF_VAR_implementation_tag="${INF_IMPLEMENTATION}"
# 1Password Account/Vault Configuration
OP_ACCOUNT="xxxxx_1password_account_xxxxx"
OP_VAULT="xxxxx_vault_name_xxxxx"
#!/usr/bin/env bash
# Text Color Variables
# ---------------------------------------------------------------
# Reset
Color_Off='\033[0m' # Text Reset
# Regular Colors
Yellow='\033[0;33m' # Yellow
YellowBlink='\033[5;33m' # Yellow (blinking)
Cyan='\033[0;36m' # Cyan
# Bold
BRed='\033[1;31m' # Red
# Check to make sure this script is being sourced, if not abort with error
sourced=0
if [ -n "$ZSH_EVAL_CONTEXT" ]; then
case $ZSH_EVAL_CONTEXT in *:file) sourced=1;; esac
elif [ -n "$BASH_VERSION" ]; then
(return 0 2>/dev/null) && sourced=1
fi
if [ "${sourced}" = "0" ]; then
echo -e "${BRed}[ERROR] Script must be sourced${Color_Off}"
echo -e "${YellowBlink} source ${0##*/}${Color_Off}"
exit 1
fi
# Load secrets into environment variables for this shell session
# ---------------------------------------------------------------
# Load configuration from .env-config
set -o allexport
source .env-config
set +o allexport
# OP_ACCOUNT="xxxxxx_set_from_.env-config_xxxxxx"
# catch and ignore any SIGINT that hits this script so that it doesn't kill the parent process
trap return 0 SIGINT
# Check if an existing 1Password CLI session exists, otherwise Login to 1Password CLI
if ! op account get --account "${OP_ACCOUNT}" > /dev/null 2>&1; then
ONEPASS_SIGNIN_SESSION=$(op signin --account "${OP_ACCOUNT}" --raw)
if [[ ! -z "${ONEPASS_SIGNIN_SESSION}" ]]; then
export "OP_SESSION_${OP_ACCOUNT}=${ONEPASS_SIGNIN_SESSION}"
else
echo -e "${BRed}[ERROR] login failed! ...exiting safely${Color_Off}"
return 0
fi
fi
# Use 1Password to inject secrets into environment variables
echo -e "${Cyan}...extracting secrets from 1Password and loading into environment variables...${Color_Off}"
set -o allexport
source <(op inject -i .env-1password --account "${OP_ACCOUNT}" && op signout)
set +o allexport
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment