Load Secret Environment Variables from 1Password

.env-1password

# Load environment secrets with with 1Password CLI Injection
# 
# Used with load_secrets.sh
# source load_secrets.sh

# AWS Service Account Credentials
AWS_ACCESS_KEY_ID={{ op://$OP_VAULT/$INF_PROJECT.aws_access_key/username }}
AWS_SECRET_ACCESS_KEY={{ op://$OP_VAULT/$INF_PROJECT.aws_access_key/password }}

# Project Secrets
GPG_PASSPHRASE={{ op://$OP_VAULT/$INF_PROJECT.gpg_passphrase/password }}

# Implementation Secrets
TF_VAR_gpg_passphrase={{ op://$OP_VAULT/$INF_PROJECT.$INF_IMPLEMENTATION.gpg_passphrase/password }}

.env-config

# Configuration environment variables
# 
# Used with load_secrets.sh
#
# A default template of this file could be tracked in a git repo and individual 
# operators could override default config values where they are specific to them
# such as 1Password account or vault, and project or implementation value used.
#
# Replace xxxxx_placeholder_xxxxx with the config value you wnat to use

# TIP: Finding secret uuid by looking for any entry in your Private vualt with a title containing "aws"
# op account list
# op item list --account "${ONEPASS_ACCOUNT}" --vault Private | grep -i aws
# TIP: Finding field name in entry
# op item get "${AWS_CRED_ONEPASS_UUID}" --account "${ONEPASS_ACCOUNT}" 
# op item get "${AWS_CRED_ONEPASS_UUID}" --account "${ONEPASS_ACCOUNT}" --field "label=${AWS_CRED_ONEPASS_ACCESSID_FIELD_NAME}"

# Infrastructure Configuration
INF_PROJECT="xxxxx_project_name_xxxxx"
INF_IMPLEMENTATION="xxxxx_implementation_name_xxxxx"

# Environment variables to pass to Terraform
TF_VAR_inf_tag="${INF_PROJECT}"
TF_VAR_implementation_tag="${INF_IMPLEMENTATION}"

# 1Password Account/Vault Configuration
OP_ACCOUNT="xxxxx_1password_account_xxxxx"
OP_VAULT="xxxxx_vault_name_xxxxx"

load_secrets.sh

#!/usr/bin/env bash

# Text Color Variables
# ---------------------------------------------------------------
# Reset
Color_Off='\033[0m'       # Text Reset
# Regular Colors
Yellow='\033[0;33m'       # Yellow
YellowBlink='\033[5;33m'  # Yellow (blinking)
Cyan='\033[0;36m'         # Cyan
# Bold
BRed='\033[1;31m'         # Red

# Check to make sure this script is being sourced, if not abort with error
sourced=0
if [ -n "$ZSH_EVAL_CONTEXT" ]; then 
  case $ZSH_EVAL_CONTEXT in *:file) sourced=1;; esac
elif [ -n "$BASH_VERSION" ]; then
  (return 0 2>/dev/null) && sourced=1 
fi

if [ "${sourced}" = "0" ]; then
    echo -e "${BRed}[ERROR] Script must be sourced${Color_Off}"
    echo -e "${YellowBlink}   source ${0##*/}${Color_Off}"
    exit 1
fi



# Load secrets into environment variables for this shell session
# ---------------------------------------------------------------

# Load configuration from .env-config
set -o allexport
source .env-config
set +o allexport

# OP_ACCOUNT="xxxxxx_set_from_.env-config_xxxxxx"

# catch and ignore any SIGINT that hits this script so that it doesn't kill the parent process
trap return 0 SIGINT

# Check if an existing 1Password CLI session exists, otherwise Login to 1Password CLI
if ! op account get --account "${OP_ACCOUNT}" > /dev/null 2>&1; then
    ONEPASS_SIGNIN_SESSION=$(op signin --account "${OP_ACCOUNT}" --raw)
    if [[ ! -z "${ONEPASS_SIGNIN_SESSION}" ]]; then
        export "OP_SESSION_${OP_ACCOUNT}=${ONEPASS_SIGNIN_SESSION}"
    else
        echo -e "${BRed}[ERROR] login failed! ...exiting safely${Color_Off}"
        return 0
    fi
fi

# Use 1Password to inject secrets into environment variables
echo -e "${Cyan}...extracting secrets from 1Password and loading into environment variables...${Color_Off}"
set -o allexport
source <(op inject -i .env-1password --account "${OP_ACCOUNT}" && op signout)
set +o allexport