VSC 1Password Debug

[Balaraju-Muvva]

Summary

I've been looking to integrate the secret provision from op run -- into vscode, so I can start using it for my local development.I am using 1Password plugin for vscode that is documented here.However, there doesn't seem to be a way to integrate a tool like this (that I can think of) into vscode at the moment - specifically vscode-python.And unable to inject variables into runtime without prefix op run -- and it seems there is no option available for this.

Use cases

• I Provide the secret references in .env of the format op://<vault-name>/<item-name>[/<section-name>]/<field-name>
• The main the cause here is when Inject variables into runtime without the prefix of op run (using debugger), not able to inject the variables using debugger and it seems there is no option available for the debugger.

Prior Work

I have investigated a lot If a similar feature was implemented for another language, but nothing found on this issue.

References

• Extension 1Password page: https://developer.1password.com/docs/vscode/
• Forum of 1Password: https://1password.community/categories/cli

[MichaelMHoff]

We have the same issue. How would one automatically resolve environment variables with op references when running a given program? Creating a resolved environment once and keeping it in the file-system seems possible but cumbersome and might easily lead to leaked secrets.

[NielsKorschinsky]

We are highly interested in having a option to use 1Password in VSCode, however the debug is butter and bread. Without a debug integration, it is not possible to use it without still saving clear text passwords.
Please add this integration or describe how to use it with the debugger :)

[florisvdg]

@MichaelMHoff @NielsKorschinsky Which debugger are you using?

Most tools allow you to configure the executable that's being run by VS Code, so you could create an op run shim:

#!/bin/sh
op run -- <whatever the original command was> $@

And in VS Code, point to the location of this shim.

[NielsKorschinsky]

We are using the classic launch.json (Python) of VSC.
That sounds very interesting, I tried already to achieve such thing but gave up after a few hours of googeling SOF.

Do you might have an example there?

Example launch:

{
    // Use IntelliSense to learn about possible attributes.
    // Hover to view descriptions of existing attributes.
    // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
    "version": "0.2.0",
    "configurations": [
        {
            "name": "Program_Name",
            "type": "python",
            "request": "launch",
            "program": "${cwd}/main.py",
            "console": "integratedTerminal",
            "justMyCode": true,
            "args": [
                "first-arg"
                "--second_arg"
                "arg_value"
            ]
        },
]

[NielsKorschinsky]

I was able to replace the .venv/bin/python3.9 file using following scrip, made executeable:

#!/bin/sh
op run -- python3.9_org $@

However the debugger is getting a timeout to connect - It is missing some kind of response.
Edit: now it started to give a "connection refused".
It would be nice if the Plugin could seamlessly integrate here as this is a major usecase.

[NielsKorschinsky]

For everyone else, who might want to spend more time on this - I found probably a solution but I currently don't have the time to try it out.

https://stackoverflow.com/a/57278669

Basically it needs to support -c "import sys;print(sys.executable)" and be able to run pythonFiles\interpreterInfo.py in order to find out interpreter details that are needed.

[MichaelMHoff]

Hey guys, many thanks for the inputs and the research. I think I could make it work, combining everything from above:

#!/bin/sh

PYTHON=$(dirname $(realpath ./python3))/python3-core

if ENV | grep -q "op://"; then
  # if environment contains any 1Password references...
  op run --no-masking -- "$PYTHON" "$@"
else
  "$PYTHON" "$@"
fi

It appears that the quotes around $@ are sufficient to pass everything (as-is) along to the actual python interpreter.

Use this script (made executable, chmod +x) as a replacement for python3 in your venv/bin and rename the old python3 to python3-core.
Then, configure this python3 as your interpreter in VS code and use op:// references in the env: {} part of your launch configurations.

I am using a Mac, so I figure realpath would be readlink -f for Linux-based systems.

[edit: after it worked initially, the launch now simply quits without further information. Still needs debugging...]

[jodyheavener]

Hi all, thanks for this awesome discussion! There's a lot of good information here, and I'm compiling all of it to put on our team's radar. Adding a debugger component to the VS Code extension is not currently on our roadmap but this is all super helpful in informing what we work on next in the extension. Thank you!

[NielsKorschinsky]

@MichaelMHoff thanks a lot for this testing! I will test that too again, however my initial test proven difficult in combination with pylance and such tools, so I really hope for a solution of the 1 password team.

@jodyheavener Thanks for getting this on your list. I really think such an native integration would be very important and helpful as this enables teams to go end-to-end from developing, testing, to deploying without having passwords in clear text.

[sultanofcardio]

I'm not sure if 1Password has come around on putting this in their roadmap but in the meantime as a workaround, I've found it effective to launch VS Code using op run, after which the environment variables will be available to any sub-processes launched by VS Code (including the debugger).

# Inside the project directory
op run --env-file .env -- code .

Since this largely removes the need for the .env file after VS Code is launched, it'd be nice if the argument to --env-file could be taken directly from 1Password.

[hoetmaaiers]

@sultanofcardio this is indeed a workaround, hence not ideal.

@jodyheavener is this workaround the best we can get to make 1Password secrets usable inside the VSCode debugger or do you know of any other ways combining VSCode (or any IDE?) and 1Password secrets?

[olieydt]

My workaround for debugging tests:

in launch.json

{
            "name": "debug",
            "type": "debugpy",
            "request": "launch",
            "program": "${workspaceFolder}/.vscode/debug_launcher.py",
            "args": [
                "${file}"
            ],
            "console": "integratedTerminal",
            "justMyCode": false,
            "cwd": "${workspaceFolder}",   
},

Create a file called debug_launcher.py in .vscode folder:

import os
import subprocess
import sys
import pytest

# Get the environment variables using op
env_process = subprocess.run(
    ['op', 'run', '--env-file=./.env.1pass', '--', 'env'],
    capture_output=True,
    text=True
)

# Parse the environment variables
for line in env_process.stdout.splitlines():
    if '=' in line:
        key, value = line.split('=', 1)
        os.environ[key] = value

# Run pytest with the updated environment
pytest_args = ['--no-cov'] + sys.argv[1:]
pytest.main(pytest_args)

Set all your env variables in a file called .env.1pass
ex:

API_KEY="op://api/API_KEY/credential"
SECRET_KEY="op://api/SECRET_KEY/credential"