Description
Your environment
Terraform Provider Version: 2.1.2
Connect Server Version: N/A
CLI Version: 2.24.0
OS: Linux, ubuntu 24.04, kernel 6.8.0-47
Terraform Version: 1.5.7
What happened?
I configured a simple data source, and executed terraform plan.
It hung for a few seconds, then failed with the error
Unable to read vault, got error: op error: connecting to desktop app: cannot connect to 1Password app, make sure it is running
What did you expect to happen?
I expected it to either prompt for a password, or, to use the results of a recent op signin, and fetch the data.
Steps to reproduce
- Install the op cli, but not the desktop app.
- Configure a basic data resource in terraform
terraform {
  required_providers {
    onepassword = {
      source  = "1Password/onepassword"
      version = "2.1.2"
    }
  }
}

provider "onepassword" {
  account = "https://myaccount.1password.com"
}

data "onepassword_vault" "the-vault" {
  name = "the-vault"
}

data "onepassword_item" "relevant-item" {
  vault = data.onepassword_vault.the-vault.uuid
  title = "Important Item"
}
- Disable biometric unlock, log in to op, and terraform plan.
$ export OP_BIOMETRIC_UNLOCK_ENABLED=false
$ eval $(op signin)
$ terraform plan
- Observe the error
╷
│ Error: Client Error
│
│ with data.onepassword_vault.the-vault,
│ on test.tf line 36, in data "onepassword_vault" "the-vault":
│ 36: data "onepassword_vault" "the-vault" {
│
│ Unable to read vault, got error: op error: connecting to desktop app: cannot connect to 1Password app, make sure it
│ is running
╵
Releasing state lock. This may take a few moments...
Notes
Debugging this with strace, I noticed that OP_BIOMETRIC_UNLOCK_ENABLED was being overridden to true, regardless of whether I'd specified otherwise in the outer environment.
It looks like this is currently encoded here, to always set OP_BIOMETRIC_UNLOCK_ENABLED=true when using an account URL, instead of connect or a service token.
However, that behavior doesn't seem to be documented, and it's quite inconvenient. The relevant PR (#167) doesn't seem to say why it was added - though I'm unaware if the history goes back further.
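
Added example, not part of the original report and not the provider's own code: a Go sketch of the behaviour described in the Notes, where a wrapper appends OP_BIOMETRIC_UNLOCK_ENABLED=true to the child's environment so the caller's false is lost (os/exec uses the last value for a duplicate key), next to a hypothetical variant that only supplies a default. The function names and the constructed outer environment are assumptions.

```go
package main

import (
	"fmt"
	"os/exec"
	"strings"
)

const key = "OP_BIOMETRIC_UNLOCK_ENABLED"

// forceEnv mimics the reported behaviour: key=true is appended unconditionally.
func forceEnv(inherited []string) []string {
	return append(append([]string{}, inherited...), key+"=true")
}

// defaultEnv (hypothetical alternative) sets key=true only if the caller left it unset.
func defaultEnv(inherited []string) []string {
	if _, ok := effective(inherited, key); ok {
		return append([]string{}, inherited...)
	}
	return forceEnv(inherited)
}

// effective returns the value a child started via os/exec would see:
// for duplicate keys, os/exec keeps only the last entry in Cmd.Env.
func effective(env []string, name string) (val string, found bool) {
	for _, kv := range env {
		if k, v, ok := strings.Cut(kv, "="); ok && k == name {
			val, found = v, true
		}
	}
	return
}

// childSees starts a real child process with env and reports what it reads.
func childSees(env []string) (string, error) {
	cmd := exec.Command("sh", "-c", `printf %s "$`+key+`"`)
	cmd.Env = env
	out, err := cmd.Output()
	return string(out), err
}

func main() {
	outer := []string{"PATH=/usr/bin:/bin", key + "=false"} // constructed caller environment
	for _, env := range [][]string{forceEnv(outer), defaultEnv(outer)} {
		got, err := childSees(env)
		fmt.Println(key+" seen by child:", got, err)
	}
}
```

Run stand-alone, the first line printed shows true and the second false, matching what strace shows for the forced case in the report.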