Migrate credentials to 1Password: 58 items across 4 vaults

- Created 4 new vaults: Infrastructure (16), Clients (27), Projects (10), MSP Tools (5)
- Replaced credentials.md with op:// reference version (no plaintext secrets)
- Updated CLAUDE.md with 1Password access instructions for all workstations
- Service account (Agentic_Cli) for non-interactive CLI access

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-24 13:46:48 -07:00
parent d95251d880
commit 0ca5b2b73d
3 changed files with 315 additions and 1024 deletions


@@ -231,3 +231,57 @@ joser's phone immediately stopped prompting for MDM after re-adding the Lonestar
- `/home/guru/ClaudeTools/.claude/commands/1password.md` -- NEW, 1Password slash command for Claude Code
- `/home/guru/ClaudeTools/.claude/skills/1password/scripts/` -- NEW, extracted helper scripts (check_setup.sh, store_secret.sh, env_from_op.sh, store-mcp-credentials.sh, launch-in-terminal.sh)
- `/home/guru/ClaudeTools/.claude/skills/1password/references/` -- NEW, extracted reference docs (secret_references.md, integrations.md, op_commands.md)
---
## Update: 1Password Credentials Migration
### Summary
Migrated all credentials from plaintext credentials.md into 1Password. Created 58 items across 4 new vaults. Replaced credentials.md with op:// reference version.
### 1Password Vaults Created
| Vault | Items | Contents |
|-------|-------|----------|
| Infrastructure | 16 | Servers (GuruRMM, Jupiter, IX, pfSense, etc.), services (Gitea, NPM, Seafile, Cloudflare, Matomo), service account token |
| Clients | 27 | Neptune, Dataforth infra (ESXi, AD1/AD2, D2TESTNAS, UDM, PBX), M365 tenants (MVAN, BG Builders, CW Concrete, Dataforth, heieck), VWP, Khalsa, Scileppi, Lonestar, Peaceful Spirit VPN, Grabb & Durando |
| Projects | 10 | ClaudeTools (DB, encryption key, API auth), GuruRMM (dashboard, DB, API, Entra SSO, CI/CD, Glaztech), GuruConnect DB |
| MSP Tools | 5 | Syncro, Autotask, CIPP, Claude-MSP-Access (Graph API), ACG-MSP-Access (Google Workspace) |
### Service Account
- **Name:** Agentic_Cli
- **Token stored:** op://Infrastructure/Service Account Auth Token: Agentic_Cli/credential
- **Access:** Read & Write on Infrastructure, Clients, MSP Tools. **Read-only on Projects** (immutable after creation -- needs new SA to fix)
- **Usage:** `export OP_SERVICE_ACCOUNT_TOKEN="token"` then `op read "op://..."` without biometric
- **Note:** Service account permissions are immutable after creation. To change, must delete and recreate.
### Key Decisions
- **Vault organization:** MSP-oriented (Infrastructure/Clients/Projects/MSP Tools) rather than per-client
- **credentials.md strategy:** Replaced with op:// references -- file stays as documentation, actual secrets only in 1Password
- **Service account:** Created for non-interactive CLI access, avoids biometric prompt on every op command
- **Backup:** Original credentials.md saved as credentials.md.bak (to be deleted after verification)
### 1Password CLI Notes
- **Version:** 2.32.1
- **Account:** mike@azcomputerguru.com (my.1password.com)
- **Desktop app integration:** Prompts for biometric auth every CLI call (10min timeout)
- **Service account:** Bypasses biometric entirely via OP_SERVICE_ACCOUNT_TOKEN env var
- **Service account limitations:** Cannot access Private vault, permissions immutable after creation
- **Fish config (CachyOS):** Add `set -gx OP_SERVICE_ACCOUNT_TOKEN "token"` to ~/.config/fish/config.fish
### Credentials Referenced
- 1Password CLI: op (v2.32.1)
- Service Account Token: ops_eyJ... (stored in 1Password itself)
- All credentials from original credentials.md (58 items total)
### Files Changed
- `credentials.md` -- Replaced with op:// reference version (no plaintext secrets)
- `credentials.md.bak` -- Backup of original plaintext version (DELETE after verification)
- `.claude/CLAUDE.md` -- Updated with 1Password access instructions, /1password skill reference
- `credentials.op.md` -- Intermediate draft (merged into credentials.md)
### Pending/Incomplete
1. **Projects vault write access** -- Service account has read-only. Needs new SA with write perms to fix.
2. **Other machines setup** -- Install op CLI + set OP_SERVICE_ACCOUNT_TOKEN on Mac and Windows workstations
3. **Fish config** -- Add OP_SERVICE_ACCOUNT_TOKEN to ~/.config/fish/config.fish on CachyOS
4. **Delete credentials.md.bak** -- After verifying all op:// refs resolve correctly
5. **launch-in-terminal.sh** -- Needs Linux adaptation (currently macOS-only osascript)
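Review bot: the token this hunk introduces as the replacement for plaintext credentials is itself stored in plaintext, and the plaintext it replaces is still in the repository. The "Usage" line (`export OP_SERVICE_ACCOUNT_TOKEN="token"`) and the Fish config line (`set -gx OP_SERVICE_ACCOUNT_TOKEN "token"` in ~/.config/fish/config.fish) put a long-lived token with Read & Write on Infrastructure, Clients and MSP Tools into a shell rc file and shell history, readable by any process running as that user on every workstation listed under "Other machines setup"; that is a wider exposure than the single credentials.md it retires. Consider a read-only service account for routine `op read` use, load the token at runtime from a 0600 file or the OS keychain rather than the rc file, and say in "Service account limitations" that separately scoped accounts are the only option because, as the hunk states twice, permissions are immutable after creation. Second, "Backup" and "Files Changed" keep credentials.md.bak as a plaintext copy until verification, and the commit stats above show 1024 deleted lines: the old secrets remain in git history on every clone, so "actual secrets only in 1Password" does not hold until the exposed credentials are rotated rather than moved; add a rotation item to "Pending/Incomplete" and ensure credentials.md.bak is gitignored, not committed. Minor: "Service Account Token: ops_eyJ..." under "Credentials Referenced" echoes the token prefix into the document, and storing the SA token in the Infrastructure vault that the same token unlocks is circular; keep the bootstrap token outside the vaults it grants access to.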