1Password CLI : Powershell Interactions

I have previously covered this from Linux; this time the question is how to do the same 1Password CLI work from PowerShell.

In this particular episode, I am looking to extract a list of users assigned to a vault called TechOps. What I actually want is the UUID of each account, its status, and the access it has.

First, we need to download the 1Password CLI management utility. That is easily done with the official install commands from 1Password, which download the CLI and unpack it into a folder called "1Password CLI" under Program Files (unless you change $installDir):

# Detect the OS architecture and map it to the CLI package name
$arch = (Get-CimInstance Win32_OperatingSystem).OSArchitecture
switch ($arch) {
    '64-bit' { $opArch = 'amd64'; break }
    '32-bit' { $opArch = '386'; break }
    Default { Write-Error "Sorry, your operating system architecture '$arch' is unsupported" -ErrorAction Stop }
}
# Install location: "C:\Program Files\1Password CLI" by default
$installDir = Join-Path -Path $env:ProgramFiles -ChildPath '1Password CLI'
# Download the pinned release (v2.30.3 here) and unpack it into the install folder
Invoke-WebRequest -Uri "https://cache.agilebits.com/dist/1P/op2/pkg/v2.30.3/op_windows_$($opArch)_v2.30.3.zip" -OutFile op.zip
Expand-Archive -Path op.zip -DestinationPath $installDir -Force
# Add the install folder to the machine-wide PATH if it is not already there
$envMachinePath = [System.Environment]::GetEnvironmentVariable('PATH','machine')
if ($envMachinePath -split ';' -notcontains $installDir){
    [Environment]::SetEnvironmentVariable('PATH', "$envMachinePath;$installDir", 'Machine')
}
# Clean up the downloaded archive
Remove-Item -Path op.zip

Login to 1Password via CLI

Excellent. When this is complete, start a PowerShell session in that folder and run the command to get signed into the service:

Invoke-Expression $(.\op signin --account <tenant_id>)

That will prompt you to sign in, then complete MFA using your Secret Key.


Query users with access to the Vault (not quite)

Then we need to list the users in the vault called TechOps, with this command:

.\op vault user list "Techops"

You immediately get an error from that command, like this:

[ERROR] 2025/01/07 11:28:37 "Techops" isn't a vault in this account. Specify the vault with its ID or name.

List all the Vaults

Well, it looks like I need to get a list of vaults so I can look up the vault and make sure I have the name correct, so I need this command:

.\op vault list

This will give you a list of vaults with their ID values (the long alphanumeric ID string), as below:

erfqaugadi7njthy4126kndyfu    TechOps
hjflow3rkpnfqwqs6eo7nkuem     Server Bears
wooj3rab1ta3mryxbpzrrizqm     Secret Honey

Query correct Vault Name for Users (again, not quite)

That means the correct command would use "TechOps", as the name lookup is case sensitive, which I did not know:

.\op vault user list "TechOps"

Alternatively, we can use the ID to confirm that the vault is found, like this:

.\op vault get erfqaugadi7njthy4126kndyfu --format=json

That should then return the vault's data in JSON format, as below, which means we have the correct vault. Note the trailing "\r" in the name field of this output: if the stored name really does carry a carriage return, a lookup by the plain name will not match it, which is one more reason to address the vault by its ID.

{
  "id": "erfqaugadi7njthy4126kndyfu",
  "name": "TechOps\r",
  "content_version": 122,
  "created_at": "2022-02-01T06:12:11Z",
  "updated_at": "2025-01-02T08:24:33Z",
  "items": 1443,
  "attribute_version": 1,
  "type": "USER_CREATED"
}

Query the users in the Vault (well, nope)

Now we need to get a list of people assigned to this vault, with this command, which should target the users of the vault:

.\op vault user list "TechOps"

Nothing is returned, but why?

Well, the answer is very simple: users are assigned to a group, and that group is then assigned to the vault. So this result is correct. No "users" are assigned to the vault directly; they are assigned to groups, which, as outlined earlier, are in turn assigned to the vault.

Query the group that has access to the vault (yes, correct this time)

This means we need to query the group that has access to the vault to get the list of users:

.\op group user list "TechOps Members"

Now we get our list of users:

MUJXVCTZXRHC5NFO6Z44RGVIM4    grizzly.brown@croucher.cloud    MEMBER
TV2V7LP5FNDCHAE3IBWXGHAZEU    kodiak.black@croucher.cloud     MEMBER
GE6S4DQRF5FPDGMOIHT5SJRJ3E    polar.frost@croucher.cloud      MEMBER
SMEBNKSHSJDATJ3XUTQZSEDD6E    panda.bamboo@croucher.cloud     MEMBER
YANZ4VLB5BDEXFI26KRCZLAJ4E    lee@croucher.cloud              MANAGER
6SUBULBZWBBQVNNVUSFH6D366Y    honey.gold@croucher.cloud       MEMBER
4PAF35EZMJHJVKL2GLPCKQYP7Y    brown.claw@croucher.cloud       MEMBER

Excellent, this is what we were after (the IDs are not real; they are all randomised).
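To pull the whole chain together (vault name to vault ID, vault to the groups granted access, groups to their members), here is an added PowerShell example. It is not code from the original post or from 1Password; it assumes op.exe is on PATH, that you have already signed in with Invoke-Expression $(op signin), and that the "op vault group list" subcommand and the JSON field names it reads (id, name, email, role) match your CLI version, so check them against the --format=json output before relying on the script.

```powershell
# Added example, not from the original post or from 1Password.
# Assumes: 'op' is on PATH and a session exists (Invoke-Expression $(op signin)).
# The JSON field names below (id, name, email, role) are assumed from the table
# output shown in the post; confirm them with `op ... --format=json` first.

function Invoke-Op {
    # Run op with --format=json, fail loudly on a non-zero exit code, and return
    # the parsed output (an empty array when op prints nothing).
    param([Parameter(Mandatory)][string[]]$Arguments)
    $lines = & op @Arguments --format=json
    if ($LASTEXITCODE -ne 0) {
        throw "op $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
    $text = ($lines -join "`n")
    if ([string]::IsNullOrWhiteSpace($text)) { return @() }
    return @($text | ConvertFrom-Json)
}

function Resolve-OpVault {
    # Exact (case-sensitive) match on the vault ID first; otherwise a trimmed,
    # case-insensitive match on the name, which is what op's own name lookup does
    # not do for you (hence the "Techops" error in the post). Note that PowerShell's
    # -eq is case-insensitive, so -ceq is used for the ID to keep it strict.
    param([Parameter(Mandatory)][string]$NameOrId)
    $vaults = Invoke-Op -Arguments @('vault', 'list')
    $byId = @($vaults | Where-Object { $_.id -ceq $NameOrId })
    if ($byId.Count -eq 1) { return $byId[0] }
    $wanted = $NameOrId.Trim()
    $byName = @($vaults | Where-Object { ([string]$_.name).Trim() -eq $wanted })
    if ($byName.Count -eq 1) { return $byName[0] }
    if ($byName.Count -gt 1) { throw "Vault name '$wanted' is ambiguous; use the vault ID instead." }
    $known = ($vaults | ForEach-Object { ([string]$_.name).Trim() }) -join ', '
    throw "No vault matches '$NameOrId'. Known vaults: $known"
}

function Get-OpVaultMembers {
    # Lists users with direct access to the vault plus the members of every group
    # that has been granted access, tagging each row with how the access arrives.
    param([Parameter(Mandatory)][string]$Vault)
    $v = Resolve-OpVault -NameOrId $Vault
    $vaultName = ([string]$v.name).Trim()
    $rows = [System.Collections.Generic.List[object]]::new()

    foreach ($u in (Invoke-Op -Arguments @('vault', 'user', 'list', $v.id))) {
        $rows.Add([pscustomobject]@{
            Vault = $vaultName; Via = '(direct)'; UserId = $u.id; Email = $u.email; Role = $u.role
        })
    }
    foreach ($g in (Invoke-Op -Arguments @('vault', 'group', 'list', $v.id))) {
        foreach ($u in (Invoke-Op -Arguments @('group', 'user', 'list', $g.id))) {
            $rows.Add([pscustomobject]@{
                Vault = $vaultName; Via = $g.name; UserId = $u.id; Email = $u.email; Role = $u.role
            })
        }
    }
    return $rows
}

# Usage: the lower-case name from the post now resolves, and every path to the
# vault (direct or via a group) is shown in one table.
Get-OpVaultMembers -Vault 'Techops' | Sort-Object Via, Email | Format-Table -AutoSize
```

Resolving by ID before name, and failing on an ambiguous name, keeps the script from silently reporting the members of the wrong vault when two vaults differ only in case or whitespace; the Via column is what makes an access review readable, because a MANAGER role inherited through a group is easy to miss when you only look at the vault's direct user list.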
