Skip to main content
  1. Posts/

Automated Credentials in PowerCLI using 1Password

·854 words·5 mins
Table of Contents

I’m a very security conscious person, which means I use a password manager for all of my credentials, including ones for my home lab. 1Password has been my choice of password manager for awhile and I’ve especially grown to love their CLI capabilities. Even if you don’t use 1Password yourself, many password managers have a similar capability so I urge you to see if yours can do the same thing.

I have one main rule I follow when it comes to credentials in the CLI. Never put your plaintext password in a script or command itself. This means the following examples are big no no’s for me.

PS > # Password in plaintext in a CLI command!
PS > Connect-VIServer -Server "vcenter.sddc.lab" -Username "[email protected]" -Password "P@ssw0rd!"

Name                           Port  User
----                           ----  ----
vcenter.sddc.lab               443   VSPHERE.LOCAL\administrator

# Filename: Get-CountOfVMHosts.ps1
# Gets the number of ESXi hosts managed by this vCenter
$username = "[email protected]"
$password = "P@ssw0rd!" # Password in plaintext in a saved script!
Connect-VIServer -Server "vcenter.sddc.lab" -Username $username -Password $password | Out-Null
Write-Host (Get-VMHost).Count

My issue with these methods is your super-sensitive password is accessible to anyone with access to that script or your command history. The ideal thing would be for PowerShell to retrieve this password from our password manager automatically, instead of having them saved in a script or visible in the command line. With 1Password CLI, we can replace all instances of our password with a secret reference that is automatically replaced with the real password by op.

op inject - Secret Reference in Script #

Using the script example, there are two ways we could handle this. The first is putting secret references directly in the script itself. Then we can use op inject to replace all secret references with the actual secret value. By default, op inject sends this to standard output, so we can simply pipe it into Invoke-Expression to execute the command.

# Filename: Get-CountOfVMHosts.ps1
# Gets the number of ESXi hosts managed by this vCenter
$username = {{ op://Home Lab/vCenter/username }}
$password = {{ op://Home Lab/vCenter/password }} # Password replaced with a secret reference
Connect-VIServer -Server "vcenter.sddc.lab" -Username $username -Password $password | Out-Null
Write-Host (Get-VMHost).Count

PS > op inject --in-file Get-CountOfVMHosts.ps1 | Invoke-Expression
4

Keep in mind that Invoke-Expression runs all commands in your current context. So $password and its contents will still exist in your CLI session. I recommend either clearing the variable at the end of the script, moving the secret reference directly to the Connect-VISever, or just closing the terminal after you’re done.

PS > $password
P@ssw0rd!
PS > Clear-Variable password
PS > $password
PS > # $password no longer contains the plaintext password

# Filename: Get-CountOfVMHosts.ps1
# Gets the number of ESXi hosts managed by this vCenter
# Secret references moved to the command itself
Connect-VIServer -Server "vcenter.sddc.lab" -Username {{ op://Home Lab/vCenter/username }} -Password {{ op://Home Lab/vCenter/password }} | Out-Null
Write-Host (Get-VMHost).Count

PS > op inject --in-file Get-CountOfVMHosts.ps1 | Invoke-Expression
4
PS > $password
PS > # $password was never declared

op run - Secret Reference in Environment Variables #

The alternative and arguably more elegant solution is to use environment variables in your scripts and execute op run to write the secret values to those variables. Now you don’t have to change the script’s secret references for every person who runs it. They can just bring their own .env file with their own secret references. It also has the advantage of masking secrets when they appear in our output. Our script now looks like this.

# Filename: Get-CountOfVMHosts.ps1
# Gets the number of ESXi hosts managed by this vCenter
# Secret references moved to environment variables
Connect-VIServer -Server "vcenter.sddc.lab" -Username $Env:vSphereUsername -Password $Env:vSpherePassword | Out-Null
# Attempts to write our secrets to standard output
Write-Host "Your username and password are: $Env:vSphereUsername + $Env:vSpherePassword"
Write-Host (Get-VMHost).Count

Now we need an environment variable file for op to read. Since $Env:USERNAME already exists in PowerShell, we instead use $Env:vSphereUsername and $Env:vSpherePassword.

# Filename: vsphere_credentials.env
vSphereUsername="op://Home Lab/vCenter/username"
vSpherePassword="op://Home Lab/vCenter/password"

PS > op run --env-file=vsphere_credentials.env -- pwsh -File test_op.ps1
Your username and password are: <concealed by 1Password> + <concealed by 1Password>
4

You can see that not only did the script successfully run, but it also masked our “accidental” output of our username and password. The disadvantage here is that in Windows, op run executes commands in a cmd.exe context. So we need to run another instance of pwsh.exe within op run to execute the script.

op read - Secret Reference Inline #

Now to bring it back to the CLI example, we can use op read to do secrets replacement in-line using PowerShell command substitution.

PS > # Password as a secret reference
PS > Connect-VIServer -Server "vcenter.sddc.lab" -Username $(op read "op://Home Lab/vCenter/username") -Password $(op read "op://Home Lab/vCenter/password")

Name                           Port  User
----                           ----  ----
vcenter.sddc.lab               443   VSPHERE.LOCAL\administrator

And of course, this also works in a script as well.

# Filename: Get-CountOfVMHosts.ps1
# Gets the number of ESXi hosts managed by this vCenter
# Secret references using op read and command substitution
Connect-VIServer -Server "vcenter.sddc.lab" -Username $(op read "op://Home Lab/vCenter/username") -Password $(op read "op://Home Lab/vCenter/password") | Out-Null
Write-Host (Get-VMHost).Count