1Password Integration with HashiCorp Vault


Introduction

With more users and organizations joining the cloud bandwagon, more systems and infrastructure are being hosted in the cloud. Cloud infrastructure offers a great way to consume services at scale; however, it also means more passwords and credentials to manage. There are many password management tools on the market to tackle this, 1Password being one of them. However, such tools were not designed for cloud-native workflows on distributed systems, because they lacked CLI/API integration. Developers and system administrators had to do a lot of manual work to consume passwords from 1Password, which is inefficient and, worse, a security weakness in itself.

In 2021, 1Password released the Secrets Automation feature to address this shortfall. It allows 1Password to be integrated with tools such as HashiCorp Vault, Kubernetes Operators and Ansible, so users can plug 1Password into their existing DevOps workflows and make it safer and more efficient for applications to consume secrets.

Setting up

Secrets Automation works with an API server (1Password Connect) sitting between your environment and the 1Password servers, as seen below. In this example, I will set up this configuration with 1Password and HashiCorp Vault.

HashiCorp Vault works with a concept called "Secrets Engines", which are essentially mount paths under which secrets for different services are stored and served. It also supports custom Secrets Engines as plugins; in this case, 1Password already provides one. We will go through the steps to set it up below.

Prerequisites

The steps shown for setting up the 1Password Secrets Automation integration with HashiCorp Vault assume the prerequisites below:

Setting up 1Password Secrets Automation

Steps as documented here: https://support.1password.com/secrets-automation/

Log in to your 1Password account. On the menu bar on the right, click on Integrations > Set up Secrets Automation

Next, set up the environment, give it a name and link it to the vault in 1Password that it has access to.

Then generate the access token. As a best practice, set an expiry on the token; I am selecting Never here for simplicity. Keep in mind that a non-expiring token is a long-lived bearer credential for everything the environment can reach, so rotate or revoke it if it is ever exposed.

You should now see the generated 1password-credentials.json file and the Access Token. The JSON credentials file is required to deploy the 1Password Connect server, while the access token is what your backend (here, HashiCorp Vault) presents to the Connect server on every request. Treat both as secrets: the credentials file lets a Connect server sync the linked vaults, and the token lets anything holding it call the Connect API with the permissions granted to the environment. Save them (in 1Password if you wish), and we are ready to deploy the Connect server.

Deploying 1Password Connect server

Next, we'll have to deploy the 1Password Connect server. You have the option of running it as a Docker container or on Kubernetes; for simplicity I am using Docker. Using the provided docker compose file, you will be able to spin up the server. Make sure that the 1password-credentials.json path defined here is correct for your case. Note that this compose file publishes both containers' ports on all host interfaces; if the host is reachable from elsewhere, bind them to 127.0.0.1 or put the Connect API behind TLS, since Vault will be sending the access token to it.

version: "3.4"

services:
  op-connect-api:
    image: 1password/connect-api:latest
    ports:
      - "8080:8080"
    volumes:
      - "./1password-credentials.json:/home/opuser/.op/1password-credentials.json"
      - "data:/home/opuser/.op/data"
  op-connect-sync:
    image: 1password/connect-sync:latest
    ports:
      - "8081:8080"
    volumes:
      - "./1password-credentials.json:/home/opuser/.op/1password-credentials.json"
      - "data:/home/opuser/.op/data"

volumes:
  data:

Run docker compose up -d to spin up the containers.

Build 1Password custom plugin in HashiCorp Vault

Next, we have to set up the 1Password plugin in HashiCorp Vault. The assets have already been provided by 1Password here: https://github.com/1Password/vault-plugin-secrets-onepassword. Clone this repo to your working directory, follow the instructions given and build the plugin. I am showing the quickstart steps to simplify the HashiCorp deployment process.

go build -o vault/plugins/op-connect .

Next start a dev HashiCorp Vault cluster.

vault server -dev -dev-root-token-id=root -dev-plugin-dir=./vault/plugins -log-level=debug

Next check that the 1Password plugin is loaded and can be enabled on Vault.

vault secrets enable --path="op" op-connect

Success! Enabled the op-connect secrets engine at: op/
vault secrets list

Path          Type          Accessor               Description
----          ----          --------               -----------
cubbyhole/    cubbyhole     cubbyhole_8d35fd4c     per-token private secret storage
identity/     identity      identity_bb977953      identity store
op/           op-connect    op-connect_1212dd32    n/a
secret/       kv            kv_b6a8c3b2            key/value secret storage
sys/          system        system_8f9851a2        system endpoints used for control, policy and debugging

Plugin Configuration

In order to configure the plugin to access the 1Password Connect API, create a configuration JSON file containing the Connect host and the token you generated earlier with 1Password Secrets Automation. I am running my Docker container on localhost, so my config looks like the following.


cat config.json 
{
    "op_connect_host": "http://localhost:8080",
    "op_connect_token": "<token from 1Password Secrets Automation in Step 1>"
}

Then write the config above to the 1Password plugin (Secrets Engine) created earlier.

vault write op/config @config.json
Success! Data written to: op/config

Test out the connection

Next, we can check whether Vault is able to access passwords stored in 1Password. Here my token is configured to access two vaults in 1Password: Security and super-secret-vault.

I have a Vault called super-secret-vault with some secrets stored in it.

If the connection is done right, I should be able to query the secrets from HashiCorp Vault.

vault list op/vaults/
Keys
----
super-secret-vault <some ID>

You can also exercise the other operations the token permits (create, read, update and delete items) from HashiCorp Vault against the 1Password vault. These are of course subject to the permissions that were granted to the token on the 1Password side in the first place.

vault list op/vaults/super-secret-vault/items/
Keys
----
SomePassword <some ID>
vault read op/vaults/super-secret-vault/items/SomePassword
Key           Value
---           -----
notesPlain    n/a
password      12345

Now your applications can consume secrets from 1Password, thanks to this particular integration.
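As an added example (not code from the blog post, from 1Password or from HashiCorp), here is how an application would consume such an item through Vault's HTTP API instead of the CLI, together with a sanity check on the op/config payload before it is written. It assumes the op-connect engine is mounted at op/ as in the post, that the application holds a Vault token whose policy grants read on op/vaults/super-secret-vault/items/*, and that Vault wraps the item's fields in the usual top-level "data" object of a secret read. The sample Vault response is constructed to match the keys shown by `vault read` above; the function names and the fetcher injection are my own.

```python
"""Consume a 1Password item via Vault's op-connect engine (added example).

Assumptions (not from the original post): engine mounted at op/, the caller
holds a scoped Vault token, and Vault returns the item's fields under "data".
"""
import json
import os
import urllib.request
from typing import Any, Callable, Dict, List
from urllib.parse import quote, urlsplit

# A fetcher takes (url, headers) and returns the raw response body, so the
# HTTP layer can be swapped out for a fake when running offline.
Fetcher = Callable[[str, Dict[str, str]], bytes]

LOOPBACK_HOSTS = ("localhost", "127.0.0.1", "::1")


def check_connect_config(config: Dict[str, str]) -> List[str]:
    """Return problems found in an op/config payload (empty list means OK).

    The plugin expects op_connect_host and op_connect_token. Plain HTTP is only
    acceptable to a loopback Connect server, because the token travels as a
    bearer credential on every request Vault makes to Connect.
    """
    problems: List[str] = []
    host = config.get("op_connect_host", "")
    token = config.get("op_connect_token", "")
    parts = urlsplit(host)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        problems.append("op_connect_host must be an http(s) URL")
    elif parts.scheme == "http" and parts.hostname not in LOOPBACK_HOSTS:
        problems.append("op_connect_host uses plaintext HTTP to a non-local host")
    if not token or token.startswith("<"):
        problems.append("op_connect_token is empty or still a placeholder")
    return problems


def item_path(vault: str, item: str) -> str:
    """Vault API path for one 1Password item, mirroring `vault read op/vaults/<vault>/items/<item>`."""
    return f"/v1/op/vaults/{quote(vault, safe='')}/items/{quote(item, safe='')}"


def _http_get(url: str, headers: Dict[str, str]) -> bytes:
    """Default fetcher: a real GET against the Vault server."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def read_item(vault_addr: str, vault_token: str, vault: str, item: str,
              fetch: Fetcher = _http_get) -> Dict[str, Any]:
    """Read an item's fields through Vault, authenticating with X-Vault-Token.

    Only the "data" object is returned; the caller never sees the surrounding
    request metadata and nothing is printed, so the secret does not hit logs.
    """
    url = vault_addr.rstrip("/") + item_path(vault, item)
    body = fetch(url, {"X-Vault-Token": vault_token})
    payload = json.loads(body)
    data = payload.get("data")
    if not isinstance(data, dict):
        raise ValueError("unexpected Vault response: no data object")
    return data


# Constructed sample of what Vault returns for the item shown in the post.
SAMPLE_RESPONSE = b'{"request_id": "00000000-0000-0000-0000-000000000000", '\
                  b'"data": {"notesPlain": null, "password": "12345"}}'


def demo() -> Dict[str, Any]:
    """Offline walkthrough using the constructed response instead of a live Vault."""
    cfg = {"op_connect_host": "http://localhost:8080", "op_connect_token": "example-token"}
    assert check_connect_config(cfg) == [], "config would be rejected"

    def fake_fetch(url: str, headers: Dict[str, str]) -> bytes:
        assert "X-Vault-Token" in headers
        return SAMPLE_RESPONSE

    return read_item("http://127.0.0.1:8200", "app-token",
                     "super-secret-vault", "SomePassword", fetch=fake_fetch)


if __name__ == "__main__":
    addr, token = os.environ.get("VAULT_ADDR"), os.environ.get("VAULT_TOKEN")
    if addr and token:
        fields = read_item(addr, token, "super-secret-vault", "SomePassword")
    else:
        fields = demo()
    # Report only which fields came back, never their values.
    print("fields available:", sorted(fields))
```

With VAULT_ADDR and VAULT_TOKEN set, the script reads the live item; otherwise it runs against the constructed response. The application token should not be the dev root token used in this walkthrough: issue it from a Vault policy that grants only `read` on `op/vaults/super-secret-vault/items/*`, so a compromised application can reach exactly the items it needs and nothing else in the 1Password environment.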

Key Takeaways

The main benefit of such an integration is to help 1Password users easily manage passwords for non-human consumers, which are driven mainly by APIs, scripts and cloud-native automation. Users can then keep 1Password as their main password management tool across their daily cloud-native operations as well.

That being said, HashiCorp Vault is an essential tool in DevOps workflows and is better suited to such use cases in the first place: with its rich API, it is already capable of integrating with applications on its own, without 1Password. On a more balanced note, 1Password is designed for human users and has a relatively better UI/UX. Secrets Automation lets users have the best of both worlds, and could be most beneficial to organizations that are already heavily invested in 1Password.
