Local secrets automation with 1Password

alex

03 Dec 2024 — 1 min read

One of the annoying things about running the personal cloud is managing secrets. I have two processes running on my laptop: a "client" that uploads local data like contacts + browsing history, and a "server" (meant to live in AWS... eventually) that talks to cloud APIs like Google Calendar. Both parts need to have access to secrets such as AWS API keys, Google credentials, and database passwords.

So far I've just been shuffling these creds around local-only env files tied to a couple of start scripts. It's kind of a pain cause the files can't be shared or committed to GitHub for obvious reasons so I have to walk on glass every time I touch them. And lord help if I accidentally delete one of the files or get them mixed up somehow.

Last week I finally got tired of the nonsense and automated it via 1Pass. Apparently they have a nifty command line package that makes this pretty easy. (And if you're not running 1Pass or some password manager by now... What are you doing?)

First bit is jamming all the local app secrets into their own vault + setting up a service account for it. This makes it so the CLI start scripts just have access to those secrets, vs my entire 1Pass account:

op service-account create local-apps --vault local_apps:read_items

To actually use the secrets, set up a new env file with 1pass urls:

DATABASE_URL="op://local_apps/server_phoenix_settings_prod/database_url"
SECRET_KEY="op://local_apps/server_phoenix_settings_prod/secret_key"
AWS_ACCESS_KEY_ID="op://local_apps/server_aws_prod/username"
AWS_SECRET_ACCESS_KEY="op://local_apps/server_aws_prod/credential"
GOOGLE_CLIENT_ID="op://local_apps/server_google_prod/username"
GOOGLE_CLIENT_SECRET="op://local_apps/server_google_prod/credential"

Then op run injects them into the environment:

op run --env-file="./.deploy.env" -- ./bin/server start

Now the local app secrets have all the usual 1Pass convenience: history tracking, sharing between machines, encryption at rest, etc. Plus I can (finally!) commit the 1pass env files to GitHub as part of the build.

Readwise + Reader API notes

A few weeks back I switched from Raindrop to Readwise for my reading, highlights, and related notes. The main reason for switching was the Kindle integration, but part of my criteria is an API integration where I can automatically collect + archive the data into my personal cloud. It ended up

Outcome Oriented Communities

I've got mixed feelings about the word "community," at least in the context of technology and startups. On the one hand, I more or less grew up on the internet. If it weren't for the niche websites, forums, and IRC channels + the friends I

Extracting Brave browsing history

As part of building my personal cloud, I wanted to back up my browser history. This is useful for info mining and search purposes, but also because Brave (or Chromium?) starts dropping data after 90 days. Who knew. The 90 day limit is hard-coded, so data loss is unavoidable without

Focusing and a technical "felt sense"

I started reading Focusing a few weeks back after stumbling into self-help (or do we call it "lifestyle design" now?) twitter. The book offers the idea of a "felt sense" of problems where the body knows something is off, separate from and unaffected by any mental

Read more

Readwise + Reader API notes

Outcome Oriented Communities

Extracting Brave browsing history

Focusing and a technical "felt sense"