These examples are intended to demonstrate how the 1Password command line tool can help you gain visibility and insight into your 1Password account.
This script will create a vault for each vault name in a file passed to the script with the --file= flag. Optionally remove your own access to the vault after creating it by running the script with the --remove-me flag.
- Install 1Password's CLI tool folowing the directions for your operating system here: https://developer.1password.com/docs/cli/get-started
- In the 1Password desktop application enable the integration with the CLI, as documented here: https://developer.1password.com/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration
- Open a terminal window and confirm:
- the 1Password CLI (called
op) is installed and working, and the desktop application integration is enabled, by tryingop signinand signing into the desired 1Password account. - Ensure that you have a version of python installed by running
python --versionorpython3 --version(ideally you have at least python 3.7). - Download this script to a folder on your computer (e.g.,
~/Downloads). - In your terminal, move to that folder (e.g.,
cd ~/Downloads) - Run the script by executing
python3 create_vaults_from_input.py --file=path/to/input/list
By default, when a person creates a vault, they are the "vault creator" and have full permissions for each vault they create. More than likely this will be desirable in your situation.
However, if you'd like to have your access revoked so that you are not directly assigned to the vault after it's created, run the script using the --remove-me flag.
- Note that even if you remove yourself from the vaults, members of the Owners and Administrators groups will still have "Manage Vault" permissions on these vaults, and will be able to manage their own or others' access to them.
- To work around some current rate limiting issues related to permissions commands in the CLI, using the
--remove-meflag will result in the script taking considerably longer to run (the script has an 11 second delay for each vault when modifying permissions to avoid rate limiting).
When run by a member of the Owners group, this script provides the vault name, the number of items in the vault, the last time the vault contents were updated, and list which users and groups have access to that vault along with their permissions.
When run by a non-Owner, it will provide these details for all vaults the user running the script has access to.
When run by a member of the Owners group, this script will remove the export items permission for every vault that every group has access to without exception.
When run by a non-Owner, this script will remove the export permission on vaults that the person running the script also has the manage vault permissions for.
This script, when run by an a user with the manage vault (manage access) permission, will remove or add the specified vault permission(s) for the specified group(s) from all vaults (excluding Private vaults). This could be useful if you are looking to systematically remove the Administrators manage vault (manage access) permission from all created shared vaults, this leaving this permission to the default owners group.
This script, when run by an Owner or Administrator, will change the prefix of all group names according to your specifications. This is particularly helpful if you are needing to change an existing naming scheme.
If you want to add prefixes where one doesn't already exist, then you can modify the sed substitution to: sed 's/^/PREFIX/g' to add a prefix to all groups.
This does not change the name of any built in groups (e.g., "Administrators", "Owners", "Team Members").
This script, when run by an adminstrator, will output all items within the specified scope (e.g., with a specific tag) as a long-formatted CSV. The export excludes any concealed fields such as password fields. This script may be helpful if you need to have someone verify the accuracy of the details of a 1Password item without revealing any secret values stored in that item.
The majority of the scripts here are best if run by someone belonging to the Owners group in 1Password. This is because only the Owners group is guaranteed to have at least manage vault permissions on every shared vault in a 1Password Business account. Running these scripts as a user not in the Owners group may result in incomplete information or in changes not being made for all vaults.
In addition to the examples here, please review the complete documentation at developer.1password.com, especially:
If you use a security information and events monitoring (SIEM) tool, you may be interested in the 1Password Events API.