gitlab command-line-interface 1password

Authenticate using GitLab CLI (glab) with 1Password and 1Password CLI


I've followed all the steps from 1Password's documentation on setting up authentication with glab (GitLab CLI). Authentication works with commands like glab repo list, returning a list of repositories from my company's self-hosted GitLab server.

My problem is that when I attempt to clone a repository over HTTPS from the server, it asks for a login instead of using the personal access token I've saved in 1Password.

A disclaimer: we have decided not to set up SSH authentication, but rather to use HTTPS via Personal Access Token exclusively.

It's easy to get around this problem by running glab auth login and providing the personal access token. However, this would mean the access token will be saved to the ~/.config/glab-cli/config file, which would defeat the purpose of saving the personal access token in 1Password in the first place.

Does anyone know how I can get this to work without having to save the token in plain text, set up SSH access using 1Password, or osx keychain?

I'm running on macOS.


Solution

  • When I was running into the issue above, I purposefully disabled osxkeychain by commenting out the following from ~/.gitconfig:

    [credential]
      helper = osxkeychain
    

    This was to ensure that the previous personal access token I had was not being used for authentication.

    However, I decided to experiment with osxkeychain and its relationship with 1Password and came across an interesting finding.

    After removing the personal access token from the GitLab server web user interface, and clearing the credentials from osxkeychain by running

    # credential helpers read key=value attributes from stdin, not from arguments
    printf 'protocol=https\nhost=%s\n\n' '<self hosted gitlab host>' |
      git credential-osxkeychain erase
    

    I was still able to clone the repository using glab repo clone <repo path>.

    This means that 1Password manages the osxkeychain entry for the personal access token under the hood to grant access without exposing the value in plain text in a file.

    By re-enabling osxkeychain, I was able to get this working again.
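
An added example, not part of the original question or answer: a minimal git credential helper that fetches the personal access token from 1Password each time git asks for it, so HTTPS clones work without the token being written to a config file. It assumes the 1Password CLI's `op read` command is available; the host, the secret reference and the `oauth2` username are placeholders and assumptions, not values from the post.

```shell
#!/bin/sh
# Hypothetical helper script: git-credential-gitlab-op
# Both defaults below are placeholders; override them via the environment.
GITLAB_HOST="${GITLAB_HOST:-gitlab.example.com}"     # placeholder host
OP_REF="${OP_REF:-op://Private/GitLab PAT/token}"    # hypothetical secret reference

# Git credential helper protocol: the action arrives as $1, the request
# arrives as key=value lines on stdin, and credentials go to stdout.
gitlab_op_helper() {
    action="$1"
    # Serve only "get". "store" and "erase" are ignored so that git never
    # persists or deletes the token on our behalf.
    [ "$action" = "get" ] || return 0

    protocol="" host=""
    while IFS='=' read -r key value; do
        [ -n "$key" ] || break          # a blank line ends the request
        case "$key" in
            protocol) protocol="$value" ;;
            host)     host="$value" ;;
        esac
    done

    # Release the token only to the expected host, and only over HTTPS.
    [ "$protocol" = "https" ] || return 0
    [ "$host" = "$GITLAB_HOST" ] || return 0

    # op read prints the secret to stdout; it lives only in this process.
    token="$(op read "$OP_REF")" || return 0
    [ -n "$token" ] || return 0

    # Assumption: the server accepts any non-empty username with a token.
    printf 'username=oauth2\n'
    printf 'password=%s\n' "$token"
}

# When git runs this file as a helper, dispatch on the action it passes.
gitlab_op_helper "$@"
```

Saved as an executable named git-credential-gitlab-op on PATH, it can be scoped to one server with git config --global credential.https://<self hosted gitlab host>.helper gitlab-op.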