1Password Integration with HashiCorp Vault
Introduction
With more and more users and organizations getting on board the cloud bandwagon, we are seeing more systems and infrastructure being hosted in the cloud. Cloud infrastructure offers a great way to consume these services at scale; however, it also means more passwords and credentials to manage. There are currently many password management tools on the market to tackle such issues, 1Password being one of them. However, such tools are not entirely designed to run cloud-native workflows with distributed systems, due to the lack of CLI/API compatibility. A lot of manual work has to be done by developers or system administrators to consume passwords from 1Password, causing inefficiency and, worse still, posing a security risk in the process.
In 2021, 1Password released the Secrets Automation workflow feature to address this shortfall. This workflow allows 1Password to be integrated with plugins like HashiCorp Vault, Kubernetes Operators, Ansible etc. This allows users to leverage existing workflows with other DevOps tools, making it safer and more efficient for applications to consume secrets.
Setting up
Secrets Automation works with an API server (1Password Connect) sitting between your environment and the 1Password server, as seen below. In this example, I will set up this configuration with 1Password and HashiCorp Vault.
HashiCorp Vault works with a concept called “Secrets Engine”: essentially, paths where secrets are stored for different services. It also supports custom Secrets Engines, and in this case one has already been provided by 1Password. We will go through the steps to set it up below.
Prerequisites
The steps shown in setting up the 1Password Secrets Automation integration with HashiCorp Vault assume the prerequisites below:
- A running HashiCorp Vault instance (Dev Mode is ok, Enterprise is optional): https://learn.hashicorp.com/tutorials/vault/getting-started-dev-server?in=vault/getting-started
- 1Password Teams and Business license (I am using the 14 day trial): https://1password.com/teams/pricing/
- Docker, Go, Vault CLI installed
- Some working knowledge with HashiCorp Vault
Setting up 1Password Secrets Automation
Steps as documented here: https://support.1password.com/secrets-automation/
Log in to your 1Password account. On the menu bar on the right, click Integrations > Set up Secrets Automation.
Next, set up the environment, give it a name and link it to the vault in 1Password that it has access to.
Then generate the access token. Setting an expiry on the token is best practice, but I am selecting Never here for simplicity.
You should now see the generated 1password-credentials.json and Access Token. The JSON credentials file is required to deploy the 1Password Connect API server, while the access token is required by your backend (in this case HashiCorp Vault) to communicate with the 1Password Connect server. Save these credentials (in 1Password if you wish), and we are ready to deploy the 1Password Connect server.
Deploying 1Password Connect server
Next, we’ll have to deploy the 1Password Connect server. You have the option of setting it up in a Docker container or in Kubernetes; for simplicity I am using Docker. Using the provided docker compose file below, you will be able to spin up the server. Make sure that the 1password-credentials.json path defined here is correct for your case.
version: "3.4"
services:
  op-connect-api:
    image: 1password/connect-api:latest
    ports:
      - "8080:8080"
    volumes:
      - "./1password-credentials.json:/home/opuser/.op/1password-credentials.json"
      - "data:/home/opuser/.op/data"
  op-connect-sync:
    image: 1password/connect-sync:latest
    ports:
      - "8081:8080"
    volumes:
      - "./1password-credentials.json:/home/opuser/.op/1password-credentials.json"
      - "data:/home/opuser/.op/data"
volumes:
  data:
Run docker compose up -d to spin up the containers.
Build 1Password custom plugin in HashiCorp Vault
Next, we have to set up the 1Password plugin in HashiCorp Vault. The assets have already been provided by 1Password here: https://github.com/1Password/vault-plugin-secrets-onepassword. Clone this repo to your working directory, follow the instructions given and build the plugin. I am showing the quickstart steps to simplify the HashiCorp Vault deployment process.
go build -o vault/plugins/op-connect .
Next, start a dev HashiCorp Vault cluster.
vault server -dev -dev-root-token-id=root -dev-plugin-dir=./vault/plugins -log-level=debug
Next, check that the 1Password plugin is loaded and can be enabled on Vault.
vault secrets enable --path="op" op-connect
Success! Enabled the op-connect secrets engine at: op/
vault secrets list
Path Type Accessor Description
---- ---- -------- -----------
cubbyhole/ cubbyhole cubbyhole_8d35fd4c per-token private secret storage
identity/ identity identity_bb977953 identity store
op/ op-connect op-connect_1212dd32 n/a
secret/ kv kv_b6a8c3b2 key/value secret storage
sys/ system system_8f9851a2 system endpoints used for control, policy and debugging
Plugin Configuration
In order to configure the plugin to access the 1Password Connect API, create a JSON configuration file with the token that you generated earlier with 1Password Secrets Automation. I am running my Docker container on localhost, so my config looks like the following.
cat config.json
{
  "op_connect_host": "http://localhost:8080",
  "op_connect_token": "<token from 1Password Secrets Automation in Step 1>"
}
Then write the config above to the 1Password plugin (Secrets Engine) created earlier.
vault write op/config @config.json
Success! Data written to: op/config
Test out the connection
Next, we can check if Vault is able to access passwords stored in 1Password. Here my token is configured to access two vaults in 1Password: Security and super-secret-vault.
I have a 1Password vault called super-secret-vault with some secrets stored in it.
If the connection is done right, I should be able to query the secrets from HashiCorp Vault.
vault list op/vaults/
Keys
----
super-secret-vault <some ID>
You can also test out the other capabilities that the token has, including reading, writing, updating and deleting items from HashiCorp Vault into the 1Password vault. Of course, this is subject to the permissions that were granted to the token in 1Password in the first place.
vault list op/vaults/super-secret-vault/items/
Keys
----
SomePassword <some ID>
vault read op/vaults/super-secret-vault/items/SomePassword
Key Value
--- -----
notesPlain n/a
password 12345
Now your applications can consume secrets from 1Password, thanks to this particular integration.
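Two small helpers for the config step above and for the permissions point, as an added example that is not code from the post or from 1Password/HashiCorp: the first writes config.json with a restrictive file mode and sanity-checks the Connect server before the token is handed to Vault, the second emits a read-only Vault policy for one 1Password vault. It assumes sh and curl are installed, and that the Connect API exposes GET /v1/heartbeat (no auth) and GET /v1/vaults (bearer token) as documented by 1Password.

```shell
#!/usr/bin/env sh
# Added example, not code from the post or from 1Password/HashiCorp.
# Assumes: sh, curl, and that the Connect API exposes GET /v1/heartbeat
# (no auth) and GET /v1/vaults (bearer token), as the Connect docs describe.
set -eu

# Build the plugin's config.json from the two values it needs, rejecting a
# host without a scheme or an empty token, and creating the file mode 0600
# so the long-lived Connect token is not left world-readable on disk.
# Usage: write_op_config HOST TOKEN [OUTFILE]
write_op_config() {
  host=$1; token=$2; out=${3:-config.json}
  case "$host" in
    http://*|https://*) ;;
    *) echo "op_connect_host must start with http:// or https://" >&2; return 1 ;;
  esac
  [ -n "$token" ] || { echo "op_connect_token is empty" >&2; return 1; }
  # umask in a subshell so only this file gets the restrictive mode.
  ( umask 077
    printf '{\n  "op_connect_host": "%s",\n  "op_connect_token": "%s"\n}\n' \
      "$host" "$token" > "$out" )
}

# Pre-flight check before `vault write op/config @config.json`: confirm the
# Connect server answers and that the token can list vaults. The vault
# names returned here are what `vault list op/vaults/` should later show.
check_op_connect() {
  host=$1; token=$2
  curl -fsS "$host/v1/heartbeat" >/dev/null \
    || { echo "Connect server not reachable at $host" >&2; return 1; }
  curl -fsS -H "Authorization: Bearer $token" "$host/v1/vaults"
}

# Emit a least-privilege Vault policy: applications get read/list access to
# the items of one 1Password vault only, even if the Connect token itself
# can also write. Apply with:
#   op_readonly_policy super-secret-vault | vault policy write op-reader -
op_readonly_policy() {
  vault_name=$1
  printf 'path "op/vaults/%s/items/*" {\n  capabilities = ["read", "list"]\n}\n' "$vault_name"
}
```

Applications then authenticate to Vault with a token bound to the op-reader policy rather than with the Connect token itself, so the Connect token (the one set to Never expire above) only ever lives in op/config.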
Key Takeaways
The main benefit of using such an integration is to help 1Password users easily manage passwords for non-human applications, which are mainly driven by APIs, scripts and cloud-native automation. In this case, users can continue to use 1Password as their main password management tool across their daily cloud-native operations as well.
That being said, HashiCorp Vault is actually an essential tool for DevOps-related workflows, and is more suitable for such use cases in the first place. It is already capable of performing such integrations with applications on its own without 1Password, given its rich API. Nonetheless, on a more balanced front, 1Password is designed to be more suitable for human users, with a relatively better UI/UX. This Secrets Automation setup allows users to have the best of both worlds, and could be more beneficial to organizations which are already heavily invested in 1Password.
Useful links
- https://www.hashicorp.com/partners/tech/1password#all
- https://medium.com/@nng.grace/automated-kubernetes-secret-injection-with-1password-secret-automation-and-hashicorp-vault-8db826c50c1d
- https://1password.com/products/secrets/integrations/