@christopherdeutsch
Created February 7, 2025 20:23
Grab latest AWS credential from Vault, add it to 1pass, and generate a link for the user
#!/bin/bash
#
# Get an AWS secret from Vault and send a temporary 1Password link to a user
#
# See:
# * https://1password.com/downloads/command-line/
# * https://developer.hashicorp.com/vault/docs/commands
#
# Do not run this with `bash -x` / `set -x`: xtrace prints every expanded
# command, including the access key and secret key, to stderr (and into any
# log capturing it).
set -euo pipefail

ONEPASS_VAULT_NAME="my1passvault"
# The vault CLI reads VAULT_ADDR from the environment, so it has to be exported.
export VAULT_ADDR="https://vault.example.com"
VAULT_SECRET_NAME="${1:-}"
EMAIL="${2:-}"
if [[ -z "$VAULT_SECRET_NAME" ]] || [[ -z "$EMAIL" ]]; then
  echo "Syntax: $0 <aws_account_name> <email>" >&2
  exit 1
fi

# Static credentials from the Vault AWS secrets engine are read at
# <mount>/static-creds/<role>; the response carries access_key and
# secret_key under .data.
vault_aws_static_cred_path="aws_account/static-creds"
secrets=$(vault read -format=json "${vault_aws_static_cred_path}/${VAULT_SECRET_NAME}")
# `jq -r` prints the raw string; `-e` makes jq exit non-zero when the field is
# null or missing, so an unexpected Vault response aborts the script here
# instead of storing the literal string "null" in 1Password.
access_key_id=$(jq -er '.data.access_key' <<<"$secrets")
secret_key=$(jq -er '.data.secret_key' <<<"$secrets")

# Suffix the item title with a timestamp so repeated rotations do not collide.
onepass_secret_name="${VAULT_SECRET_NAME} $(date +%s)"
echo "Creating item in 1pass..."
# Note: field assignments passed as arguments are visible in the process list
# (ps) while op runs; on a shared host, feed the item to `op item create` as a
# JSON template on stdin instead.
op item create \
  --category="API Credential" \
  --title="${onepass_secret_name}" \
  --vault="${ONEPASS_VAULT_NAME}" \
  --url "${VAULT_ADDR}" \
  --tags "vault" \
  "username=${access_key_id}" \
  "credential=${secret_key}" \
  >/dev/null

echo "***********************************************************************************"
echo
echo "Hello! This message is to let you know that the AWS credential for $VAULT_SECRET_NAME"
echo "has been rotated. Please find below a link to the new secret. The link is valid for 3 days."
echo
echo "The old secret will be deactivated permanently in 7 days."
echo
echo "1password link:"
echo
# The share link expiry (3d) must match the notice above.
op item share \
  "${onepass_secret_name}" \
  --vault "${ONEPASS_VAULT_NAME}" \
  --emails "${EMAIL}" \
  --expires-in 3d
echo "***********************************************************************************"
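The script above trusts whatever comes back from Vault: if the static-creds read returns an empty or unexpected document, `jq .data.access_key` prints `null`, and the literal string "null" would be written into 1Password and shared. The following is an added example (not part of the gist) of the shape checks and the log-safe masking a practitioner would run on the extracted values before calling `op`. It is plain POSIX shell so it works without jq; the key pair in the comments is AWS's documented example pair, used here only as constructed test input, and all function names are the example's own.

```shell
#!/bin/sh
# Added example: validate Vault output before it reaches 1Password.

# AWS access key IDs are AKIA (long-term) or ASIA (temporary) plus 16
# upper-case alphanumerics, e.g. AKIAIOSFODNN7EXAMPLE (AWS's documented sample).
is_aws_access_key_id() {
  printf '%s' "$1" | grep -Eq '^(AKIA|ASIA)[A-Z0-9]{16}$'
}

# Secret access keys are 40 characters from the base64 alphabet,
# e.g. wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY (AWS's documented sample).
is_aws_secret_key() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9/+]{40}$'
}

# Minimal recipient check: one "@", no whitespace, a dotted domain.
is_email() {
  printf '%s' "$1" | grep -Eq '^[^@[:space:]]+@[^@[:space:]]+\.[^@[:space:]]+$'
}

# Replace all but the last four characters with '*' so a value can be
# mentioned in an error message or log without disclosing it.
mask_secret() {
  s="$1"
  n=${#s}
  if [ "$n" -le 4 ]; then
    printf '****\n'
    return 0
  fi
  stars=""
  i=0
  while [ "$i" -lt $((n - 4)) ]; do
    stars="${stars}*"
    i=$((i + 1))
  done
  printf '%s%s\n' "$stars" "$(printf '%s' "$s" | tail -c 4)"
}

# validate_credential <access_key_id> <secret_key> <email>
# Returns 0 when every input has the expected shape, 1 otherwise, reporting
# each problem on stderr with the offending value masked.
validate_credential() {
  key_id="$1"; secret="$2"; email="$3"; rc=0
  if ! is_aws_access_key_id "$key_id"; then
    echo "access key id does not look like an AWS key: $(mask_secret "$key_id")" >&2
    rc=1
  fi
  if ! is_aws_secret_key "$secret"; then
    echo "secret key has unexpected length or alphabet: $(mask_secret "$secret")" >&2
    rc=1
  fi
  if ! is_email "$email"; then
    echo "recipient does not look like an e-mail address: $email" >&2
    rc=1
  fi
  return "$rc"
}
```

Dropping `validate_credential "$access_key_id" "$secret_key" "$EMAIL" || exit 1` in after the two `jq` calls makes the script stop before it creates or shares anything when Vault returned `null`, a truncated value, or a credential from a different secrets engine than expected.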