Add a new 1Password Connect server

This document describes how to set up a new 1Password Connect server to provide static secrets for one or more Phalanx environments. See Static secret sources for more background.

SQuaRE-run Phalanx environments already have 1Password Connect servers set up. The one in the roundtable-dev environment serves the vaults for development environments, and one in the roundtable-prod environment serves the vaults for production environments.

When following these instructions, you will be creating a new Secrets Automation workflow. You will need to have permissions to create that workflow for the vault for your environment.

Warning

Currently, only rra has appropriate permissions in the SQuaRE 1Password vaults to set up new secrets automation workflows. If someone else needs to follow these steps, you may first need to grant them additional permissions in 1Password.

Create the workflow

In the following steps, you will create a 1Password Secrets Automation workflow for the 1Password vault for your environment, and save the necessary secrets to another 1Password vault.

  1. Log on to the 1Password UI via a web browser.

  2. Click on Integrations in the right sidebar under LSST IT.

  3. Click on the Directory tab at the top of the screen.

  4. Under Infrastructure Secrets Management click on Other.

  5. Click on Create a Connect server.

  6. Under Environment Name, enter RSP environment where environment is the Phalanx environment in which this 1Password Connect server will be running (not the vaults that it will serve). Then, click Choose Vaults and select the vaults that should be accessible through this 1Password Connect server. Click Add Enviroment to continue.

  7. Next, 1Password wants you to create an access token for at least one environment. This is the token that will be used by the Phalanx command-line tool to access secrets for that environment. It will have access to one and only one 1Password vault.

    Under Token Name, enter the name of the environment the token should have access to. Leave Expires After set to Never. Click Choose Vaults and choose the vault corresponding to that environment. Click Issue Token to continue.

  8. Next to the credentials file, click Save in 1Password, change the title to 1Password Connect credentials (environment) (with environment set to the environment in which the 1Password Connect server will be running), select the SQuaRE vault, and click Save. Then, next to the access token, click the clipboard icon to copy that token to the clipboard.

  9. Click View Details to continue. Go back to home by clicking on the icon on the upper left.

  10. Go to the SQuaRE vault, find the item RSP 1Password tokens, and edit it. Add the token to that item as another key/value pair, where the key is the short name of the enviroment. Mark the value as a password.

  11. Confirm that the new 1Password Connect credentials item created two steps previous exists. You will need this when creating the 1Password Connect server. You can download it to your local system now if you wish.

Create the Phalanx configuration

In the following steps, you’ll deploy the new 1Password Connect server.

  1. Download the file in the 1Password Connect credentials (environment) item in the SQuaRE vault. It will be named 1password-credentials.json.

  2. Encode the contents of that file in base64.

    base64 -w0 < 1password-credentials.json; echo ''
    
    base64 -i 1password-credentials.json; echo ''
    

    This is the static secret required by the 1Password Connect server.

  3. If you are following this process, you are presumably using 1Password to manage your static secrets. Go to the 1Password vault for the environment where the 1Password Connect server will be running. Create a new application secret item for the application onepassword-connect (see Add a new static secret for more details), and add a key named op-session whose value is the base64-encoded 1Password credentials.

  4. Synchronize secrets for that environment following the instructions in Sync secrets for an environment.

Note

That final step assumes that the 1Password Connect server for the environment where you’re deploying a new 1Password Connect server is running elsewhere. In some cases, such as for the SQuaRE roundtable-prod and roundtable-dev environments, the 1Password Connect server for that environment runs in the environment itself.

In this case, you won’t be able to use phalanx secrets sync because the 1Password Connect server it wants to use is the one you’re trying to install. Instead, follow the bootstrapping instructions for onepassword-connect.