绝对不要使用会向对话中打印密钥值的 op 命令。应始终直接通过管道传递给使用工具,或使用 wc -c / 脱敏方式来验证而不暴露密钥。
# 错误 — 会将密钥打印到 stdout(请勿运行)
# op item get ITEM_ID --vault VAULT --fields label=PASSWORD --reveal
# 正确 — 直接通过管道传递给使用工具
op item get ITEM_ID --vault VAULT --fields label=PASSWORD --reveal | \
wrangler secret put SECRET_NAME --env ENV
# 正确 — 验证值是否存在而不暴露它
op item get ITEM_ID --vault VAULT --fields label=PASSWORD --reveal 2>/dev/null | wc -c
包含斜杠的条目标题
许多 1Password 条目使用路径式标题(例如 pool-party/testnet-pool-party-public/credentials)。op:// URI 格式无法处理这类标题,因为它使用 / 作为分隔符。
🇺🇸English
1Password CLI (op) — Secure Handling
Core Rule: Never Print Secrets
NEVER use op commands that would print secret values into the conversation. Always pipe directly to the consuming tool or use wc -c / redaction to verify without exposing.
# WRONG — would print secret to stdout (do not run)
# op item get ITEM_ID --vault VAULT --fields label=PASSWORD --reveal
# RIGHT — pipe directly to consumer
op item get ITEM_ID --vault VAULT --fields label=PASSWORD --reveal | \
wrangler secret put SECRET_NAME --env ENV
# RIGHT — verify a value exists without exposing it
op item get ITEM_ID --vault VAULT --fields label=PASSWORD --reveal 2>/dev/null | wc -c
Item Titles with Slashes
Many 1Password items use path-style titles (e.g. pool-party/testnet-pool-party-public/credentials). The op:// URI format with these because it uses as a delimiter.
# 无效 — '/' 分段过多
op read "op://pool-party-testnet/pool-party/testnet-pool-party-public/credentials/PASSWORD"
# 错误:'/' 过多:密钥引用应匹配 op://<vault>/<item>[/<section>]/<field>
# 有效 — 改用条目 ID(避免打印值)
op item get ITEM_ID --vault VAULT --fields label=FIELD --reveal 2>/dev/null | wc -c
发现工作流程
当您不知道条目 ID 时:
# 1. 列出保险库中的条目以查找标题和 ID
op item list --vault VAULT_NAME
# 2. 使用 ID(第一列)进行所有后续读取操作
op item get ITEM_ID --vault VAULT_NAME --fields label=FIELD_NAME --reveal 2>/dev/null | wc -c
从单个条目读取多个字段
# 验证存在哪些字段(安全 — 仅显示标签而非值)
op item get ITEM_ID --vault VAULT_NAME --format json 2>/dev/null | \
python3 -c "import json,sys; [print(f['label']) for s in json.load(sys.stdin).get('fields',[]) for f in [s] if f.get('label')]"
# 将每个字段通过管道传递给其目标
op item get ITEM_ID --vault VAULT --fields label=USERNAME --reveal | consumer_cmd ...
op item get ITEM_ID --vault VAULT --fields label=PASSWORD --reveal | consumer_cmd ...
常用管道模式
Cloudflare Workers (wrangler)
op item get ITEM_ID --vault VAULT --fields label=PASSWORD --reveal | \
npx wrangler secret put POOL_PARTY_PUBLIC_PASSWORD --env testnet
# BROKEN — too many '/' segments
op read "op://pool-party-testnet/pool-party/testnet-pool-party-public/credentials/PASSWORD"
# ERROR: too many '/': secret references should match op://<vault>/<item>[/<section>]/<field>
# WORKS — use item ID instead (avoid printing values)
op item get ITEM_ID --vault VAULT --fields label=FIELD --reveal 2>/dev/null | wc -c
Discovery Workflow
When you don't know the item ID:
# 1. List items in a vault to find the title and ID
op item list --vault VAULT_NAME
# 2. Use the ID (first column) for all subsequent reads
op item get ITEM_ID --vault VAULT_NAME --fields label=FIELD_NAME --reveal 2>/dev/null | wc -c
Reading Multiple Fields from One Item
# Verify which fields exist (safe — shows labels not values)
op item get ITEM_ID --vault VAULT_NAME --format json 2>/dev/null | \
python3 -c "import json,sys; [print(f['label']) for s in json.load(sys.stdin).get('fields',[]) for f in [s] if f.get('label')]"
# Pipe each field to its destination
op item get ITEM_ID --vault VAULT --fields label=USERNAME --reveal | consumer_cmd ...
op item get ITEM_ID --vault VAULT --fields label=PASSWORD --reveal | consumer_cmd ...
Common Piping Patterns
Cloudflare Workers (wrangler)
op item get ITEM_ID --vault VAULT --fields label=PASSWORD --reveal | \
npx wrangler secret put POOL_PARTY_PUBLIC_PASSWORD --env testnet
Environment Variable (subshell)
SECRET="$(op item get ITEM_ID --vault VAULT --fields label=TOKEN --reveal 2>/dev/null)"
# Use $SECRET in subsequent commands within the same shell — it won't appear in output
kubectl
op item get ITEM_ID --vault VAULT --fields label=PASSWORD --reveal | \
kubectl create secret generic my-secret --from-file=password=/dev/stdin
Verification Without Exposure
# Check a value is non-empty (char count)
op item get ITEM_ID --vault VAULT --fields label=PASSWORD --reveal 2>/dev/null | wc -c
# Compare two sources match (exit code only)
if cmp -s <(op item get ID1 --vault V --fields label=F --reveal 2>/dev/null) \
<(op item get ID2 --vault V --fields label=F --reveal 2>/dev/null); then
echo "match"
else
echo "differ"
fi
Troubleshooting
Error
Cause
Fix
too many '/'
Item title has slashes, op:// can't parse it
Use item ID with op item get
could not find item
Wrong vault or title mismatch
Run op item list --vault VAULT to discover
Empty output
Missing --reveal flag
Add --reveal and pipe to consumer (or `
not signed in
Session expired
Run eval "$(op signin)" (avoid printing the session token)
