Load secrets from 1password lazily on-demand

[devth]

Curious how people are handling secrets. I was able to pull my api key from 1password like this:

  {
    "frankroeder/parrot.nvim",
    event = "VeryLazy",
    dependencies = { 'ibhagwan/fzf-lua', 'nvim-lua/plenary.nvim', 'mrjones2014/op.nvim' },
    config = function()
      local xai_api_key = require("op").get_secret("xAI", "api_key_neovim")
      require("parrot").setup {
        -- Providers must be explicitly added to make them available.
        providers = {
          xai = {
            api_key = xai_api_key,
          },
        },
      }
    end,
  },

and I was hoping it'd only prompt lazily / on demand as soon as I invoke Prt but it prompts on vim startup, which is disruptive when I'm quickly launching vim to edit a single file, as is common in my daily workflow, since it asks me the authenticate 1password each time.

Any ideas on how to make this more on-demand?
Alternatively: how are people managing their secrets for this kind of stuff?

[frankroeder]

Hi @devth, searching GitHub for this plugin provides you with a lot of configurations: https://github.com/search?utf8=%E2%9C%93&q=frankroeder%2Fparrot.nvim+api_key&type=code&p=3.

If you pass a Lua table as the value for the api_key, it will get evaluated as late as possible - hence not on startup. In your case, I guess that you are immediately calling your CLI or whatever when shooting up vim with the require("op").get_secret("xAI", "api_key_neovim") call.

From what I see in the search results, it is a mixture of simple env reads to advanced shell commands. I mean, it's Lua, so you can do whatever you want!

[devth]

Thanks! I'll give this a whirl.

[devth]

Hmm, no luck. Not exactly sure what you mean by passing a Lua table as the value for api_key. I tried a few things like this:

    config = function()

      local function get_xai_api_key()
        return require("op").get_secret("xAI", "api_key_neovim")
      end

      require("parrot").setup {
        providers = {
          xai = {
            api_key = { getter = get_xai_api_key  }
          },
        },
      }
    end,

and

    config = function()

      local function get_xai_api_key()
        return require("op").get_secret("xAI", "api_key_neovim")
      end

      require("parrot").setup {
        providers = {
          xai = {
            api_key = { get_xai_api_key  }
          },
        },
      }
    end,

I didn't see that pattern in the search results on github. Most people just use an env var it seems.

[devth]

Ah, this works:

      require("parrot").setup {
        providers = {
          xai = {
            api_key = { "op", "read", "op://personal/xAI/api_key_neovim", "--no-newline" }
          },
        },
      }

When it's a table it just execs shell commands instead?

This might be exactly what I want, but I also want parrot.nvim to cache the value so nvim isn't causing 1p to ask me to auth 1password every few min. Maybe this is the case. I'll keep testing...

Thanks for the excellent plugin!

[frankroeder]

Yes, in this case, the plugin assumes the input to be a shell command. Do you mean caching across nvim sessions or across calls in a single session? Thank you very much!

[devth]

Mainly across a single instance of vim, though across multiple would be interesting / convenient.