1Password · ag-adampike · Feb 8, 2023 · Feb 8, 2023 · Feb 8, 2023 · Feb 9, 2023
diff --git a/vault-management/README.md b/vault-management/README.md
@@ -0,0 +1,32 @@
+# Vault management examples
+
+## Introduction
+
+This folder includes example scripts for managing vaults with 1Password CLI.
+
+## Scripted vault provisioning
+
+### [`vault-provisioning.sh`](./vault-provisioning.sh)
+
+Group provisioning can be automated using SCIM provisioning (see [Automate provisioning in 1Password Business using SCIM](https://support.1password.com/scim/)), but the SCIM protocol does not have any concept of vaults. This script can be used to automate vault creation.
+
+The script creates a vault that will be shared with a 1Password group, with access by some requesting team member and an approving manager, which can be uniquely set for each.
+
+An example use case is using a SOAR tool to request, approve, and provision a directory group along with an associated vault for a team or department. The group can be assigned to 1Password using SCIM; this script can be used alongside SCIM provisioning to create the associated vault.
+
+This script reads the account password from `stdin`, for example:
+
+```sh
+echo $ACCOUNT_PASSWORD | ./vault-provisioning.sh
+```
+
+Other inputs can be consumed from the environment and/or supplied inline, e.g.:
+
+```sh
+echo $ACCOUNT_PASSWORD | \
+    VAULT_NAME="A new vault" \
+    VAULT_DESCRIPTION="A helpful description or some other reference." \
+    ./vault-provisioning.sh
+```
+
+The script assumes that 1Password CLI has already been intialized on the device ahead of running the script (see [Sign in to your 1Password account manually](https://developer.1password.com/docs/cli/sign-in-manually#add-an-account)).
diff --git a/vault-management/vault-provisioning.sh b/vault-management/vault-provisioning.sh
@@ -0,0 +1,102 @@
+#!/usr/bin/env bash
+
+# This example script automates vault provisioning based on these inputs:
+# 
+# - VAULT_NAME: the desired name of the vault to be created
+# - VAULT_DESCRIPTION: text to describe the purpose of the vault
+# - REQUESTER_EMAIL: 1Password email of a team member who is requesting a vault
+# - REQUESTER_PERMISSIONS: vault permissions to be assigned to the requester
+# - MANAGER_EMAIL: the team member who is approving the vault request
+# - MANAGER_PERMISSIONS: vault permissions to be assigned to the approver
+# - GROUP_NAME: the name of a 1Password group
+# - GROUP_PERMISSIONS: vault permissions to be assigned to the group
+#
+# Permissions should be a comma-separated string. See:
+# - https://developer.1password.com/docs/cli/vault-permissions
+# - `op vault user grant --help`
+# - `op vault group grant --help`
+#
+# The script assumes that 1Password CLI has been initialized on the device. 
+# The account password must be input from stdin.
+
+# Use permissions from environment or fallback to below values
+export REQUESTER_PERMISSIONS=${REQUESTER_PERMISSIONS:-"manage_vault"}
+export MANAGER_PERMISSIONS=${MANAGER_PERMISSIONS:-"allow_viewing,allow_editing"}
+export GROUP_PERMISSIONS=${GROUP_PERMISSIONS:-"allow_viewing,create_items,edit_items,archive_items,copy_and_share_items"}
+
+extract_id_from_json () {
+    echo "$@" | jq -r '.id'
+}
+
+grant_permissions () {
+    op vault ${context} grant --vault "$vault_id" \
+        --${context} "$1" \
+        --permissions "$2" \
+        --no-input \
+        --no-color \
+        --session "$session_token"
+}
+
+revoke_user () {
+    op vault user revoke --vault "$vault_id" \
+        --user "$1" \
+        --permissions allow_viewing,allow_editing,allow_managing \
+        --no-input \
+        --no-color \
+        --session "$session_token"
+}
+
+main () {
+    # Get account password from stdin
+    account_password="$(cat)"
+
+    # Sign in and save session token
+    session_token=$(echo $account_password | op signin --raw)
+
+    # Exit if sign-in fails
+    if [ $? -gt 0 ]
+    then
+        exit $?
+    fi
+
+    # Create vault with default permissions and store JSON object from output
+    vault_json=$(op vault create "$VAULT_NAME" \
+        --description "$VAULT_DESCRIPTION" \
+        --format json \
+        --no-color \
+        --session "$session_token")
+
+    # Get and store the vault UUID
+    vault_id=$(extract_id_from_json "$vault_json")
+
+    # Add requester permissions
+    context="user" grant_permissions "$REQUESTER_EMAIL" "$REQUESTER_PERMISSIONS"
+
+    # Add approving manager permissions
+    context="user" grant_permissions "$MANAGER_EMAIL" "$MANAGER_PERMISSIONS"
+
+    # Check for and save group based on name
+    op_group_json=$(op group get "$GROUP_NAME" \
+        --format json \
+        --no-color \
+        --session "$session_token")
+
+    op_group_id=$(extract_id_from_json "$op_group_json")
+
+    # Add group permissions
+    context="group" grant_permissions "$op_group_id" "$GROUP_PERMISSIONS"
+
+    # Get signed in user details
+    op_user_json=$(op user get --me \
+        --format json \
+        --no-color \
+        --session "$session_token")
+
+    # Get signed in user UUID
+    op_user_id=$(extract_id_from_json "$op_user_json")
+
+    # Remove vault creator from vault
+    revoke_user "$op_user_id"
+}
+
+main "$@"