1Password Shell Plugins Setup Guide

Date: 2026-02-16
Status: Ready to execute


Overview

Configure 1Password shell plugins to auto-inject credentials for CLI tools without manual op item get commands.

Current Status:

  • gh (GitHub CLI) - Configured
  • psql (PostgreSQL) - Configured
  • ⏸️ aws - Disabled (using credential_process in ~/.aws/config instead)
  • glab (GitLab CLI) - Need to configure
  • terraform - Optional (conflicts with scripts/terraform/tf-network-env.sh)
  • gcloud - Optional (conflicts with scripts/gcp/gcp-env.sh)

Shell Plugin Basics

How It Works

# Without plugin (manual credential retrieval)
export GITLAB_TOKEN=$(op item get "gitlab_pat_org_mirror_github_sync" --fields api_token --reveal)
glab mr list

# With plugin (automatic)
glab mr list  # 1Password intercepts, prompts Touch ID, injects token, runs command

Plugin alias pattern:

alias glab="op plugin run -- glab"

When you run glab, the alias intercepts it, prompts for biometric auth, retrieves credentials from 1Password, injects them as environment variables, then runs the real glab command.


Step 1: Add GitLab CLI Plugin

Initialize Plugin

cd ~/src/scandora.net

# Initialize glab plugin
op plugin init glab

Prompts you'll see:

  1. Select the 1Password item containing GitLab credentials
  2. Choose which vault (likely scandora-automation)
  3. Select the field containing the API token

Item to use: gitlab_pat_org_mirror_github_sync in scandora-automation vault

Add Alias to Shell Config

The plugin will output something like:

alias glab="op plugin run -- glab"

Add this to ~/.config/op/plugins.sh:

# Edit ~/.config/op/plugins.sh
alias glab="op plugin run -- glab"

Note: Already done for gh and psql in this file.

Test Plugin

# Reload shell config
source ~/.zshrc

# Test GitLab CLI with plugin
glab auth status

Expected behavior:

  1. Touch ID prompt appears
  2. Approve with fingerprint
  3. GitLab CLI authenticates and shows status

Step 2: Optional - Terraform Plugin

Decision: Use Plugin or Keep Custom Helper?

Current: scripts/terraform/tf-network-env.sh loads multiple credentials:

  • Cloudflare API token
  • PowerDNS API key
  • ZeroTier API token

Plugin approach: Would require a separate plugin init for each tool, which is more complex.

Recommendation: Keep tf-network-env.sh script - it's simpler for multi-credential workflows.

If you want the plugin anyway:

op plugin init terraform

# When prompted, choose the Terraform-specific credential item
# This will auto-inject cloud provider credentials when running `terraform`

Step 3: Optional - Google Cloud CLI Plugin

Decision: Use Plugin or Keep Custom Helper?

Current: scripts/gcp/gcp-env.sh writes temp file for GOOGLE_APPLICATION_CREDENTIALS

Plugin approach: Injects service account JSON as environment variable

Limitation: gcloud requires a file path via GOOGLE_APPLICATION_CREDENTIALS, not inline JSON.

Recommendation: Keep gcp-env.sh script - it handles the file requirement correctly.
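
One way to meet the file-path requirement without leaving the key on disk, as an added example (not the contents of gcp-env.sh): the key goes into a private temp directory, is exposed through GOOGLE_APPLICATION_CREDENTIALS for a single command, and is deleted afterwards. The function name, the fetch-command parameter and the fake key are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the contents of gcp-env.sh. with_credentials_file is an
# illustrative name; FETCH_CMD is any command that prints the key JSON on stdout
# (assumption: for 1Password, an `op read "op://..."` call with your own reference).

# Usage: with_credentials_file FETCH_CMD COMMAND [ARGS...]
with_credentials_file() (
    fetch=$1
    shift
    umask 077                      # key file is created 0600 inside a 0700 directory
    dir=$(mktemp -d) || exit 1
    trap 'rm -rf "$dir"' EXIT      # remove the key when this subshell exits
    trap 'exit 130' INT TERM       # turn signals into an exit so the EXIT trap runs
    if ! sh -c "$fetch" > "$dir/key.json"; then
        echo "credential fetch failed" >&2
        exit 1
    fi
    if [ ! -s "$dir/key.json" ]; then
        echo "credential fetch returned nothing" >&2
        exit 1
    fi
    # Set for this one command only; nothing is exported into the calling shell.
    GOOGLE_APPLICATION_CREDENTIALS="$dir/key.json" "$@"
    exit "$?"
)

# Demo with a constructed fake key: print the path, file mode and content
# that the wrapped command sees.
demo() {
    fake_fetch="printf '%s' '{\"type\":\"service_account\"}'"
    inspect='f=$GOOGLE_APPLICATION_CREDENTIALS; echo "$f"; ls -l "$f" | cut -c1-10; cat "$f"'
    with_credentials_file "$fake_fetch" sh -c "$inspect"
}

demo
```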

If you want to try the plugin:

op plugin init gcloud

# May not work due to file path requirement
# Test thoroughly before removing gcp-env.sh

Current Plugin Configuration

File: ~/.config/op/plugins.sh

export OP_PLUGIN_ALIASES_SOURCED=1
alias gh="op plugin run -- gh"
# alias aws="op plugin run -- aws"  # Disabled - using credential_process instead
alias psql="op plugin run -- psql"
# Add new plugins below:
alias glab="op plugin run -- glab"

Sourced by: ~/.zshrc (lines 64 and 78 - duplicated, should dedupe)
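
A quick audit of this setup, as an added example that is not part of the original guide: audit_plugin_aliases flags any active alias that is not exactly of the form alias NAME="op plugin run -- NAME", and count_plugin_sources counts how many active lines in an rc file source plugins.sh. The function names and the sample files (including the mismatched glab line) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original guide. Function names are illustrative.

# Print "ok NAME" for each active alias of the exact form
#   alias NAME="op plugin run -- NAME"
# and "suspect NAME" for any other active alias. Commented-out lines are skipped.
audit_plugin_aliases() (
    grep -E '^[[:space:]]*alias[[:space:]]+[^=]+=' "$1" | while IFS= read -r line; do
        name=$(printf '%s\n' "$line" | sed -E 's/^[[:space:]]*alias[[:space:]]+([^=]+)=.*/\1/')
        # Normalise: drop leading blanks, a trailing comment, trailing blanks.
        actual=$(printf '%s\n' "$line" | sed -E 's/^[[:space:]]+//; s/[[:space:]]+#.*$//; s/[[:space:]]+$//')
        if [ "$actual" = "alias $name=\"op plugin run -- $name\"" ]; then
            echo "ok $name"
        else
            echo "suspect $name"
        fi
    done
)

# Count active (uncommented) lines in an rc file that source plugins.sh,
# whether the path is written with ~, $HOME or an absolute home directory.
count_plugin_sources() (
    grep -cE '^[[:space:]]*(source|\.)[[:space:]]+[^#]*\.config/op/plugins\.sh' "$1" || true
)

# Constructed sample files modelled on the snippets in this guide.
write_samples() (
    cat > "$1/plugins.sh" <<'EOF'
export OP_PLUGIN_ALIASES_SOURCED=1
alias gh="op plugin run -- gh"
# alias aws="op plugin run -- aws"  # Disabled - using credential_process instead
alias psql="op plugin run -- psql"
alias glab="op plugin run -- gh"
EOF
    cat > "$1/zshrc" <<'EOF'
source /Users/joe/.config/op/plugins.sh
# source ~/.config/op/plugins.sh
source ~/.config/op/plugins.sh
export PATH="$HOME/go/bin:$PATH"
EOF
)

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
audit_plugin_aliases "$demo_dir/plugins.sh"
echo "plugins.sh sourced $(count_plugin_sources "$demo_dir/zshrc") time(s)"
rm -rf "$demo_dir"
```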


Testing Matrix

After configuration, test each plugin:

| Tool | Test Command | Expected Behavior |
|------|--------------|-------------------|
| gh | gh auth status | Touch ID → Shows GitHub auth status |
| psql | psql -h localhost -U joe -d dataeng | Touch ID → Connects to database |
| glab | glab auth status | Touch ID → Shows GitLab auth status |

Comparison: Plugins vs. Custom Scripts

When to Use Shell Plugins

  • ✅ Single credential per tool (GitHub, GitLab, individual databases)
  • ✅ Standard CLI tools (gh, glab, aws, psql)
  • ✅ Frequent interactive use (daily CLI operations)

When to Keep Custom Scripts

  • ✅ Multi-credential workflows (Terraform needs CF + PDNS + ZeroTier)
  • ✅ File-based credentials (GCP service account JSON)
  • ✅ Environment-specific configs (dev vs. prod credential switching)
  • ✅ Complex setup (multiple exports, temp file management)


Based on your scandora.net workflow:

| Tool | Approach | Reason |
|------|----------|--------|
| gh | ✅ Plugin | Single GitHub token, frequent use |
| glab | ✅ Plugin | Single GitLab token, CI/CD operations |
| psql | ✅ Plugin | Database access, frequent use |
| aws | ⏸️ credential_process | Already working via ~/.aws/config |
| terraform | ❌ Custom script | Multi-credential requirement |
| gcloud | ❌ Custom script | File path requirement for GOOGLE_APPLICATION_CREDENTIALS |

Cleanup: Remove Duplicated Source Line

Edit ~/.zshrc:

- source /Users/joe/.config/op/plugins.sh
  alias qwen="~/bin/chat-qwen.sh"
  alias grep='/usr/bin/grep -I'


  # source /Users/joe/.ssh-manager-cli/ssh-manager-completion.bash
  source /Users/joe/.ssh-manager-cli/ssh-manager-completion.zsh

  # Claude Code MCP Servers - GitHub Token
  # Use existing GITHUB_PERSONAL_ACCESS_TOKEN as GITHUB_TOKEN
  export GITHUB_TOKEN=$GITHUB_PERSONAL_ACCESS_TOKEN

  # Home Assistant Long-Lived Access Token
  export HA_LONG_LIVED_TOKEN="..."
- source ~/.config/op/plugins.sh
+ # 1Password shell plugins (loaded once above at line 64)
  export PATH="$HOME/go/bin:$PATH"
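
Review bot: Both source lines are marked for removal here, the /Users/joe/.config/op/plugins.sh line at the top of the hunk and the ~/.config/op/plugins.sh line near the bottom, so after this change nothing shown sources plugins.sh, while the added comment claims it is "loaded once above at line 64". Keep the first source line as unchanged context and remove only the second, otherwise the gh, psql and glab aliases stop being defined in new shells. Separately, the context lines export GITHUB_TOKEN and HA_LONG_LIVED_TOKEN straight from .zshrc; since gh is already handled by a plugin, consider whether these static exports can move into 1Password as well rather than living in the rc file.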

Issue: Lines 64 and 78 both source the same file (redundant).


Next Steps:

  1. Run op plugin init glab
  2. Add alias to ~/.config/op/plugins.sh
  3. Test with glab auth status
  4. Clean up duplicate source line in .zshrc