I had a requirement to programmatically connect to our organization's 1Password subscription and retrieve all vault names along with their UDIDs (Unique Identifiers) for automation and monitoring purposes. The goal was to create a script that could:
- Securely authenticate to our custom 1Password domain (bearstorage.1password.com)
- Handle corporate proxy requirements
- List all accessible vaults with their UDIDs
- Export the information to CSV format for further processing
This seemed like a straightforward task, but it required the right platform and approach to execute reliably. I did start with the Windows CLI, but this proved to be, for want of a better word, irritating.
Why Linux for 1Password CLI?
For this automation task, I chose Linux (specifically Kali Linux) as my platform after giving Windows a go. This decision proved crucial for success, as Linux provides several advantages for command-line automation:
Clean & Reliable Environment
Linux provides a clean, predictable environment where CLI tools work as designed. No interference from corporate security software, no registry complications, no conflicting credential managers.
Straightforward Proxy Handling
Setting proxy variables in Linux is simple and reliable. Corporate environments often require proxy configuration, and Linux handles this elegantly:
export HTTP_PROXY="http://proxy.bear.local:3129"
export HTTPS_PROXY="http://proxy.bear.local:3129"
Native CLI
The 1Password CLI was designed with Unix-like systems in mind. The authentication flow works exactly as documented, providing a clean and reliable experience.
Building the Solution
Authentication Flow
The core authentication logic leverages the 1Password CLI's built-in account management:
# Try signin with account shorthand first
signin_cmd=$(op signin bearstorage 2>&1)
if [[ $signin_cmd == *"ERROR"* ]]; then
    echo "Shorthand signin failed, trying interactive..."
    signin_cmd=$(op signin 2>&1)
fi
# Execute the signin command
if [[ $signin_cmd == export* ]]; then
    eval "$signin_cmd"
    echo "✓ Authentication successful"
fi
This approach first attempts to use the account shorthand (if configured), then falls back to interactive signin if needed.
Vault Data Retrieval and Parsing
The script retrieves vault information in JSON format and processes it using native Linux tools:
# Get vault information
vault_json=$(op vault list --format=json 2>&1)
# Parse with jq for clean output
echo "$vault_json" | jq -r '.[] | "Name: \(.name)\nUDID: \(.id)\nDescription: \(.description // "No description")\nItems: \(.item_count // "Unknown")\n---"'
Using jq for JSON processing provides reliable parsing and flexible output formatting.
CSV Export
The script includes robust CSV export functionality:
# Export header
echo "Name,UDID,Description,ItemCount" > "$export_file"
# Export data with proper CSV formatting
echo "$vault_json" | jq -r '.[] | [.name, .id, (.description // "No description"),
(.item_count // "Unknown")] | @csv' >> "$export_file"
This ensures proper CSV formatting with escaped special characters and quoted fields.
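A hardened variant of the export step, as an added example rather than code from the original script: it refuses input that is not a JSON array (error text can end up in `vault_json` because of `2>&1`), prefixes cells that a spreadsheet would treat as a formula with an apostrophe, and creates the file with owner-only permissions. The function name `export_vaults_csv`, the `neutralize` helper and the sample data are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original script). Field names follow the
# article's jq filters; everything else here is hypothetical.

# $1 = JSON array of vaults, $2 = output path
export_vaults_csv() {
    # Stop early if the captured text is an error message or other non-array.
    printf '%s' "$1" | jq -e 'type == "array"' >/dev/null 2>&1 || {
        echo "vault data is not a JSON array; refusing to export" >&2
        return 1
    }
    (
        umask 077   # new file is owner-only: it is an inventory of vault names and IDs
        {
            echo "Name,UDID,Description,ItemCount"
            printf '%s' "$1" | jq -r --arg q "'" '
                # Vault names and descriptions are user-controlled text. A cell
                # starting with = + - @ (or tab/CR) is evaluated as a formula by
                # spreadsheet software, so such cells get a leading apostrophe.
                def neutralize:
                    if type != "string" then .
                    elif test("^[=+@\t\r-]") then $q + .
                    else . end;
                .[]
                | [.name, .id, (.description // "No description"), (.item_count // "Unknown")]
                | map(neutralize)
                | @csv'
        } > "$2"
    )
}

# Constructed sample data (not real vault output).
SAMPLE_VAULTS='[{"id":"aaaa","name":"=1+1","description":"x","item_count":3},
                {"id":"bbbb","name":"Ops, \"prod\""}]'

if command -v jq >/dev/null 2>&1; then
    demo=$(mktemp) && export_vaults_csv "$SAMPLE_VAULTS" "$demo" && cat "$demo"
    rm -f "$demo"
fi
```

The umask only affects files the function creates; an export path that already exists keeps its current permissions.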
Prerequisites
Before running this script, you need the 1Password CLI tools installed on your Linux machine. For Kali Linux, the installation process is:
# Add 1Password repository key
curl -sS https://downloads.1password.com/linux/keys/1password.asc | \
sudo gpg --dearmor --output /usr/share/keyrings/1password-archive-keyring.gpg
# Add 1Password repository
echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/1password-archive-keyring.gpg] https://downloads.1password.com/linux/debian/amd64 stable main' | \
sudo tee /etc/apt/sources.list.d/1password.list
# Update package list and install
sudo apt update && sudo apt install 1password-cli
Verify Installation:
op --version
You should see output similar to 2.30.3, confirming the CLI is installed and accessible.
How the Script Works
The script follows a logical progression through several key phases:
Phase 1: Environment Setup
The script begins by configuring the proxy environment variables required for corporate network access:
export HTTP_PROXY="http://proxy.bear.local:3129"
export HTTPS_PROXY="http://proxy.bear.local:3129"
export http_proxy="http://proxy.bear.local:3129"
export https_proxy="http://proxy.bear.local:3129"
These variables ensure that all HTTP/HTTPS traffic from the 1Password CLI routes through the corporate proxy.
Phase 2: CLI Validation
The script verifies that the 1Password CLI is installed and accessible:
if command -v op &> /dev/null; then
    version=$(op --version)
    echo "✓ CLI detected: $version"
else
    echo "✗ 1Password CLI not found!"
    exit 1
fi
This prevents execution if the required tools aren't available.
Phase 3: Account Discovery
The script checks what 1Password accounts are already configured:
accounts=$(op account list 2>&1)
echo "Accounts: $accounts"
This helps identify if the target account (bearstorage) is already set up.
Phase 4: Authentication Status Check
Before attempting authentication, the script checks if you're already signed in:
whoami_result=$(op whoami 2>&1)
if [ $? -eq 0 ]; then
    echo "✓ Already authenticated as: $whoami_result"
    authenticated=true
else
    authenticated=false
fi
This avoids unnecessary authentication attempts.
Phase 5: Smart Authentication
If authentication is needed, the script uses a two-tier approach:
- Account Shorthand Method: First tries using the pre-configured account shorthand
- Interactive Method: Falls back to interactive signin if shorthand fails
signin_cmd=$(op signin bearstorage 2>&1)
if [[ $signin_cmd == *"ERROR"* ]]; then
    signin_cmd=$(op signin 2>&1)
fi
if [[ $signin_cmd == export* ]]; then
    eval "$signin_cmd"
fi
The eval command executes the session export command returned by the CLI.
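One way to tighten the `eval` step described above, as an added example that is not part of the original script: accept the sign-in output only when it is exactly one `export OP_SESSION_<id>="<token>"` line, and set the variable without `eval`. The token character set and the helper names `is_session_export`, `load_session` and `signin_and_load` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original script). Assumption: a successful
# `op signin` prints one line shaped like  export OP_SESSION_<id>="<token>"
# where <id> is [A-Za-z0-9_]+ and <token> is [A-Za-z0-9_-]+.

# Return 0 only when $1 is exactly one well-formed session export line.
is_session_export() {
    case $1 in
        'export OP_SESSION_'*'="'*'"') ;;
        *) return 1 ;;
    esac
    se_rest=${1#export OP_SESSION_}
    se_id=${se_rest%%=*}
    se_token=${se_rest#*=\"}
    se_token=${se_token%\"}
    # Reject empty parts and any character outside the expected sets, so
    # trailing commands, substitutions, spaces and newlines never pass.
    case $se_id in ''|*[!A-Za-z0-9_]*) return 1 ;; esac
    case $se_token in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
    return 0
}

# Export the session variable by name/value instead of eval'ing CLI output.
load_session() {
    is_session_export "$1" || return 1
    se_line=${1#export }
    se_name=${se_line%%=*}
    se_value=${se_line#*=\"}
    se_value=${se_value%\"}
    export "$se_name=$se_value"
}

# Same call as the article's script, but stderr is not merged into the value
# that gets parsed, and the token is never echoed.
signin_and_load() {
    se_out=$(op signin bearstorage) || return 1
    load_session "$se_out"
}

# Constructed sample lines (not real CLI output or real tokens).
for se_sample in \
    'export OP_SESSION_bearstorage="abcDEF123_-xyz"' \
    'export OP_SESSION_x="a"; echo "b"' \
    '[ERROR] constructed error text'
do
    if is_session_export "$se_sample"; then echo "accept"; else echo "reject"; fi
done
```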
Phase 6: Vault Data Retrieval
Once authenticated, the script requests vault information in JSON format:
vault_json=$(op vault list --format=json 2>&1)
This returns a JSON array containing all vaults the authenticated user can access.
Phase 7: Data Processing and Display
The script uses jq to parse and format the JSON data for human-readable output:
echo "$vault_json" | jq -r '.[] | "Name: \(.name)\nUDID: \(.id)\nDescription: \(.description // "No description")\nItems: \(.item_count // "Unknown")\n---"'
This creates a clean, formatted display of each vault's key information.
Phase 8: Export of Vault Data
Finally, the script offers CSV export functionality:
if [[ $export_choice == "y" || $export_choice == "Y" ]]; then
    echo "Name,UDID,Description,ItemCount" > "$export_file"
    echo "$vault_json" | jq -r '.[] | [.name, .id, (.description // "No description"),
        (.item_count // "Unknown")] | @csv' >> "$export_file"
fi
This creates a properly formatted CSV file with a timestamped filename for easy data processing.
The solution works reliably and provides the exact UDID information needed for automation and documentation purposes.
Script : Obtain-VaultUDID.sh
Here's the complete Linux script for retrieving 1Password vault UDIDs. Before running it, you will need to mark it as executable with this command:
chmod +x Obtain-VaultUDID.sh
Then you can execute the script below:
#!/bin/bash
# 1Password CLI Script for Linux
# Retrieves vault names and UDIDs from 1Password account
echo "1Password CLI for Linux - Vault UDID Retrieval"
echo "=============================================="
echo ""
# Set proxy environment variables for Linux
echo "Setting proxy configuration..."
export HTTP_PROXY="http://proxy.bear.local:3129"
export HTTPS_PROXY="http://proxy.bear.local:3129"
export http_proxy="http://proxy.bear.local:3129"
export https_proxy="http://proxy.bear.local:3129"
echo "✓ Proxy configured: $HTTP_PROXY"
echo ""
# Test CLI installation
echo "1. Testing 1Password CLI..."
if command -v op &> /dev/null; then
    version=$(op --version)
    echo "✓ CLI detected: $version"
else
    echo "✗ 1Password CLI not found!"
    echo "Install with: curl -sS https://downloads.1password.com/linux/keys/1password.asc | gpg --dearmor --output /usr/share/keyrings/1password-archive-keyring.gpg"
    echo "Or visit: https://developer.1password.com/docs/cli/get-started/"
    exit 1
fi
echo ""
# Check existing accounts
echo "2. Checking existing accounts..."
accounts=$(op account list 2>&1)
echo "Accounts: $accounts"
echo ""
# Check current authentication
echo "3. Checking authentication status..."
whoami_result=$(op whoami 2>&1)
if [ $? -eq 0 ]; then
    echo "✓ Already authenticated as: $whoami_result"
    authenticated=true
else
    echo "Not authenticated: $whoami_result"
    authenticated=false
fi
echo ""
# Authenticate if needed
if [ "$authenticated" = false ]; then
    echo "4. Authentication required..."
    echo "Your account details:"
    echo " - Sign-in address: https://Bearstorage.1password.com"
    echo " - Email: user@company.com"
    echo " - Account shorthand: bearstorage (if configured)"
    echo ""
    # Try signin with account shorthand first
    echo "Attempting signin with account shorthand..."
    signin_cmd=$(op signin bearstorage 2>&1)
    if [[ $signin_cmd == *"ERROR"* ]]; then
        echo "Shorthand signin failed: $signin_cmd"
        echo ""
        echo "Trying interactive signin..."
        # Try interactive signin
        signin_cmd=$(op signin 2>&1)
        if [[ $signin_cmd == *"ERROR"* ]]; then
            echo "✗ Signin failed: $signin_cmd"
            echo ""
            echo "Manual signin required. Please run:"
            echo "eval \$(op signin)"
            echo "or"
            echo "eval \$(op signin bearstorage)"
            exit 1
        fi
    fi
    # Execute the signin command
    echo "Executing signin command..."
    # Do not echo $signin_cmd at this point: on success it is the
    # "export ..." line that carries the session token, and printing it
    # would leave the token in terminal scrollback and any captured logs.
    if [[ $signin_cmd == export* ]]; then
        eval "$signin_cmd"
        echo "✓ Signin command executed"
    else
        echo "Please run this command manually:"
        echo "$signin_cmd"
        read -p "Have you completed the signin? (y/n): " completed
        if [[ $completed != "y" && $completed != "Y" ]]; then
            echo "Please complete signin and run script again"
            exit 1
        fi
    fi
    # Verify authentication
    whoami_check=$(op whoami 2>&1)
    if [ $? -eq 0 ]; then
        echo "✓ Authentication successful: $whoami_check"
    else
        echo "✗ Authentication verification failed: $whoami_check"
        exit 1
    fi
fi
echo ""
# Get vault information
echo "5. Retrieving vault information..."
vault_json=$(op vault list --format=json 2>&1)
if [ $? -eq 0 ]; then
    echo "✓ Successfully retrieved vault information"
    echo ""
    # Parse and display vault information
    echo "Vault Information:"
    echo "=================="
    # Use jq if available, otherwise manual parsing
    if command -v jq &> /dev/null; then
        echo "$vault_json" | jq -r '.[] | "Name: \(.name)\nUDID: \(.id)\nDescription: \(.description // "No description")\nItems: \(.item_count // "Unknown")\n---"'
    else
        # Manual parsing without jq
        echo "Raw JSON output (install jq for better formatting):"
        echo "$vault_json"
    fi
    echo ""
    # Export option
    read -p "Export vault information to CSV? (y/n): " export_choice
    if [[ $export_choice == "y" || $export_choice == "Y" ]]; then
        timestamp=$(date +"%Y%m%d_%H%M%S")
        export_file="1Password_Vaults_${timestamp}.csv"
        if command -v jq &> /dev/null; then
            # Export with jq
            echo "Name,UDID,Description,ItemCount" > "$export_file"
            echo "$vault_json" | jq -r '.[] | [.name, .id, (.description // "No description"),
                (.item_count // "Unknown")] | @csv' >> "$export_file"
            echo "✓ Exported to: $export_file"
        else
            # Save raw JSON
            echo "$vault_json" > "${export_file}.json"
            echo "✓ Raw JSON exported to: ${export_file}.json"
            echo "Install jq for CSV export: apt-get install jq"
        fi
    fi
else
    echo "✗ Failed to retrieve vault information: $vault_json"
    exit 1
fi
echo ""
echo "✓ Script completed successfully!"
# Display summary
echo ""
echo "Summary of retrieved information:"
if command -v jq &> /dev/null; then
    vault_count=$(echo "$vault_json" | jq '. | length')
    echo "Total vaults: $vault_count"
    echo ""
    echo "Quick reference:"
    echo "$vault_json" | jq -r '.[] | "- \(.name): \(.id)"'
else
    echo "Install jq for better summary: apt-get install jq"
fi
This script will prompt you for your password and then, after displaying all the vaults, will ask whether you would like to export them to a file. This is the file with the UDID and vault name.
Incomplete vault list?
If you run the script and realize you are missing quite a few vaults, remember that you need to be able to view the vaults to retrieve the information. This applies to the user you are connecting with, so if you have manage access to a vault but not view, it will be invisible to your user account and therefore missing from the report.