
SSH Keys

Open andreroggeri opened this issue 1 year ago • 7 comments

Summary

I couldn't find any example on how to create/retrieve SSH keys. The only issue mentioning it is this one, but I see that the API already supports other types of items.

```shell
curl -H "Authorization: Bearer $(cat op_token)" local_op_server/v1/vaults/:vault_id/items/:item_id
```

```json
{"additionalInformation":"SHA256:h8SXUtOpl5UzEhV3nEjWNDQmxdZHrk7bgHCkpqsSsxs","category":"SSH_KEY","createdAt":"2023-03-11T18:36:38Z","fields":[{"id":"notesPlain","label":"notesPlain","purpose":"NOTES","type":"STRING"},{"id":"public_key","label":"public key","type":"STRING","value":"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLHciYuL95p0a+nzB8BA7oSoePLmYh2suG3beiUI1pz"},{"id":"fingerprint","label":"fingerprint","type":"STRING","value":"SHA256:h8SXUtOpl5UzEhV3nEjWNDQmxdZHrk7bgHCkpqsSsxs"},{"id":"private_key","label":"private key","type":"SSHKEY","value":"-----BEGIN PRIVATE KEY-----\nMFMCAQEwBQYDK2VwBCIEIBH6rPUQbzw8aFbInex1xcQCXg4PdzzmF+Ur1wY6expK\noSMDIQASx3ImLi/eadGvp8wfAQO6EqHjy5mIdrLht23olCNacw==\n-----END PRIVATE KEY-----\n"},{"id":"key_type","label":"key type","type":"STRING","value":"ed25519"}],"id":":vault_id","lastEditedBy":":uid","title":"SSH Key","updatedAt":"2023-03-11T18:36:38Z","vault":{"id":"vault_id","name":"Terraform"},"version":1}
```

Use cases

Create and retrieve private/public keys for deployed applications

andreroggeri avatar Mar 11 '23 18:03 andreroggeri
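As an added example (not code from the issue, the provider, or 1Password), here is a standard-library Python check of the item JSON above: it pulls the `public_key`, `private_key` and `fingerprint` fields out of the Connect `fields` array, recomputes the OpenSSH `SHA256:` fingerprint from the public key blob, walks the PKCS#8 DER of the private key, and confirms that the public key embedded in the private key is the same key as the published public key. The only input is the response pasted in the comment above, embedded verbatim; the function and variable names are this example's own.

```python
"""Consistency check for a 1Password Connect SSH_KEY item (stdlib only)."""
from __future__ import annotations

import base64
import hashlib
import json
import struct

# The Connect API response posted in this issue, copied as-is (input for the example).
ITEM_JSON = r'''{"additionalInformation":"SHA256:h8SXUtOpl5UzEhV3nEjWNDQmxdZHrk7bgHCkpqsSsxs","category":"SSH_KEY","createdAt":"2023-03-11T18:36:38Z","fields":[{"id":"notesPlain","label":"notesPlain","purpose":"NOTES","type":"STRING"},{"id":"public_key","label":"public key","type":"STRING","value":"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLHciYuL95p0a+nzB8BA7oSoePLmYh2suG3beiUI1pz"},{"id":"fingerprint","label":"fingerprint","type":"STRING","value":"SHA256:h8SXUtOpl5UzEhV3nEjWNDQmxdZHrk7bgHCkpqsSsxs"},{"id":"private_key","label":"private key","type":"SSHKEY","value":"-----BEGIN PRIVATE KEY-----\nMFMCAQEwBQYDK2VwBCIEIBH6rPUQbzw8aFbInex1xcQCXg4PdzzmF+Ur1wY6expK\noSMDIQASx3ImLi/eadGvp8wfAQO6EqHjy5mIdrLht23olCNacw==\n-----END PRIVATE KEY-----\n"},{"id":"key_type","label":"key type","type":"STRING","value":"ed25519"}],"id":":vault_id","lastEditedBy":":uid","title":"SSH Key","updatedAt":"2023-03-11T18:36:38Z","vault":{"id":"vault_id","name":"Terraform"},"version":1}'''

ED25519_OID = bytes.fromhex("2b6570")  # DER content of OID 1.3.101.112 (id-Ed25519)


def read_ssh_string(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Read one length-prefixed field of the SSH wire format (RFC 4251 'string')."""
    (n,) = struct.unpack(">I", buf[pos:pos + 4])
    pos += 4
    return buf[pos:pos + n], pos + n


def parse_ssh_public_key(line: str) -> tuple[str, bytes, bytes]:
    """Split an authorized_keys-style line into (key type, raw key bytes, wire blob)."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    wire_type, pos = read_ssh_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("key type in text does not match the wire blob")
    raw, _ = read_ssh_string(blob, pos)
    if key_type == "ssh-ed25519" and len(raw) != 32:
        raise ValueError("an ed25519 public key must be 32 bytes")
    return key_type, raw, blob


def openssh_fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint as printed by `ssh-keygen -lf`: unpadded base64 of SHA-256(blob)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def der_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Minimal DER tag/length/value reader (short and long-form lengths)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_pkcs8_ed25519(pem: str) -> tuple[bytes, bytes | None]:
    """Return (32-byte seed, embedded public key or None) from a PKCS#8 Ed25519 PEM."""
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    der = base64.b64decode(body)
    tag, outer, _ = der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("PKCS#8 key must be a SEQUENCE")
    tag, version, pos = der_tlv(outer, 0)
    if tag != 0x02 or version not in (b"\x00", b"\x01"):
        raise ValueError("unexpected PKCS#8 version")
    tag, alg, pos = der_tlv(outer, pos)
    oid_tag, oid, _ = der_tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != ED25519_OID:
        raise ValueError("not an Ed25519 key")
    tag, priv, pos = der_tlv(outer, pos)
    inner_tag, seed, _ = der_tlv(priv, 0)  # CurvePrivateKey is an OCTET STRING inside the OCTET STRING
    if tag != 0x04 or inner_tag != 0x04 or len(seed) != 32:
        raise ValueError("malformed Ed25519 private key (expected a 32-byte seed)")
    embedded_pub = None
    while pos < len(outer):  # optional attributes [0] and publicKey [1]
        tag, ctx, pos = der_tlv(outer, pos)
        if tag == 0xA1:          # [1] wrapping a BIT STRING, the form in the item above
            _, bits, _ = der_tlv(ctx, 0)
        elif tag == 0x81:        # [1] with the BIT STRING body inlined (implicit tagging)
            bits = ctx
        else:
            continue
        if len(bits) == 33 and bits[0] == 0:  # leading byte = unused-bits count
            embedded_pub = bits[1:]
    return seed, embedded_pub


def check_ssh_key_item(item_json: str) -> dict:
    """Cross-check the public key, private key and fingerprint of a Connect SSH_KEY item."""
    item = json.loads(item_json)
    if item.get("category") != "SSH_KEY":
        raise ValueError(f"not an SSH_KEY item: {item.get('category')!r}")
    fields = {f["id"]: f.get("value") for f in item["fields"]}
    ssh_type, pub_raw, blob = parse_ssh_public_key(fields["public_key"])
    seed, embedded_pub = parse_pkcs8_ed25519(fields["private_key"])
    fp = openssh_fingerprint(blob)
    return {
        "key_type": fields["key_type"],
        "ssh_key_type": ssh_type,
        "fingerprint": fp,
        "fingerprint_matches_item": fp == fields["fingerprint"] == item["additionalInformation"],
        "private_public_consistent": embedded_pub == pub_raw,
        "seed_len": len(seed),
        # What a "push the public key to the cloud" step would actually ship:
        "authorized_keys_line": f'{fields["public_key"]} {item["title"]}',
    }


if __name__ == "__main__":
    print(json.dumps(check_ssh_key_item(ITEM_JSON), indent=2))
```

Running this against the pasted item reports that the fingerprint in the item is the OpenSSH SHA256 fingerprint of the public key blob and that the public key carried inside the PKCS#8 private key is the same 32 bytes as the published public key. The private key returned by Connect is plain PKCS#8 PEM, not OpenSSH's own `BEGIN OPENSSH PRIVATE KEY` container, which matters if a consumer hands it to a tool that only accepts the latter.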

Today I was playing around with this provider to see what I could do with it. I was able to import an ssh_key item into Terraform, but I can't set that type in TF. The error is:

```text
│ Error: expected category to be one of [login password database], got ssh_key
```

The functionality isn't there yet. It would be nice to be able to create a new key for an AWS instance and save it in 1password for others on my team to access.

jeffgus avatar Jul 14 '23 23:07 jeffgus

I also really would like to be able to create SSH Keys in 1P from Terraform. Is there any update on this? Will it ever get added? PS: new to this provider, don't know how actively it is maintained

Neol3108 avatar Jul 22 '23 18:07 Neol3108

> I also really would like to be able to create SSH Keys in 1P from Terraform.

So, 1Pw shouldn't be the item generating the keys. Use the provider below to generate the keys; it is the TLS provider from HashiCorp and it works great. The issue is that once the key gets created, we need to be able to push it to 1Pw.

https://registry.terraform.io/providers/hashicorp/tls/latest/docs

FracKenA avatar Aug 14 '23 20:08 FracKenA

@FracKenA that's what I meant by creating: creating the 1Password item with type SSH key, not generating it.

Neol3108 avatar Aug 15 '23 19:08 Neol3108

I attempted to implement ssh keys but ran into an issue with the underlying Connect API. https://github.com/1Password/connect/issues/77

I was able to successfully implement a DataSource (data "onepassword_item" "key" { ... }). If this would be helpful to anyone, I can submit a Pull Request.

Omicron7 avatar Oct 31 '23 17:10 Omicron7

@FracKenA The issue with the tls_private_key resource (the one used for SSH key generation) is the fact that the SSH key is kept in the state in plain text - see the Security Notice here: https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key

CamiloDFM avatar May 13 '24 20:05 CamiloDFM

> I also really would like to be able to create SSH Keys in 1P from Terraform.
>
> So, 1Pw shouldn't be the item generating the keys. Use the provider below to generate the keys; it is the TLS provider from HashiCorp and it works great. The issue is that once the key gets created, we need to be able to push it to 1Pw.

> https://registry.terraform.io/providers/hashicorp/tls/latest/docs

I was looking for this functionality right now, and I very definitely want 1password to generate the SSH keys for me, and have that functionality available to me via Terraform. Use case:

  • Generate the SSH key in 1P. It has a button to do that in the UI, anyway. It now becomes available through the built-in SSH agent.
  • Generate an SSH key resource in $some_cloud_provider. Push the public key of the newly generated key into that.
  • Set up a bunch of compute instances that automatically get to use that key.

I would now have a freshly generated ssh key pair that is accessible to me, without the private key touching my hard drive: not in the .ssh directory, not in the terraform state, not anywhere else. This is exactly what I want.

That would be great for setting up fresh labs for workshops, for example, especially with 1P's granular sharing abilities. It could also help with rotating SSH keys by simply changing the key in 1Password, assuming Terraform can pick up on that change and deploy the fresh keys accordingly.

shadshar avatar Jun 30 '24 18:06 shadshar
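The three-step workflow shadshar describes (key generated in 1Password, only the public half pushed to the cloud provider, instances launched with it), written out as Terraform configuration. This is an added example, not configuration from the issue or from the provider's documentation: it assumes the `onepassword_item` data source exposes a `public_key` attribute for `SSH_KEY` items (which it did not at the time of this thread), uses AWS as the `$some_cloud_provider`, and the variables `var.vault_uuid`, `var.ami_id` and `var.instance_count` are placeholders.

```hcl
terraform {
  required_providers {
    onepassword = { source = "1Password/onepassword" }
    aws         = { source = "hashicorp/aws" }
  }
}

# Provider credentials (Connect host/token or a service account token) are
# configured per the provider docs and deliberately omitted here.
provider "onepassword" {}

# Step 1: the key pair is generated inside 1Password (UI "Generate" button), so
# the private half never exists outside the vault and the 1Password SSH agent.
# Terraform only reads the item; it never sees a tls_private_key resource.
data "onepassword_item" "lab_ssh" {
  vault = var.vault_uuid
  title = "SSH Key" # title of the example item earlier in this issue
}

# Step 2: push only the public half to the cloud provider.
# `public_key` is an ASSUMED attribute name on the data source for SSH_KEY items.
resource "aws_key_pair" "lab" {
  key_name   = "lab-workshop"
  public_key = data.onepassword_item.lab_ssh.public_key
}

# Step 3: every instance boots with that key in authorized_keys.
resource "aws_instance" "lab" {
  count         = var.instance_count
  ami           = var.ami_id
  instance_type = "t3.micro"
  key_name      = aws_key_pair.lab.key_name

  tags = { Name = "lab-${count.index}" }
}
```

Two practitioner caveats on this design. First, a data source's attributes are written to the state file like any other value, so if the provider ever exposes the private half alongside `public_key`, it lands in state too (marking it sensitive only hides it from plan and output); keep the backend encrypted and access-controlled regardless. Second, an EC2 key pair is only injected at first boot, so rotating the item in 1Password will replace `aws_key_pair.lab` (its `public_key` forces a new resource) but will not touch `authorized_keys` on already-running instances; rotation without re-creating instances needs something that re-reads the key on the host, such as cloud-init on replacement or an SSH certificate authority.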