Learn how to use the 1Password CLI to feed secrets to dnscontrol securely without writing them to disk.

After Benny showed me dnscontrol, I shared it with a group of like-minded friends. One of those friends was Jack. Being the tinkerer that he is, he started thinking how could he integrate 1Password into dnscontrol so that secrets don't have to be hard-coded in plain text. You can read his journey on the 1Password blog. This guide is based on Jack's findings of how to use the 1Password CLI with dnscontrol.

If using dnscontrol with GitHub Actions is overkill or you want to keep it all local, this guide will show you how to use the 1Password CLI to automatically inject the secrets into the creds.json file so your API creds are not stored in the file and written to disk.

This will not be a 'Getting started with dnscontrol' post, therefore I will assume you've already set it up. If you have never used it, read their Getting started guide first and set it up.

Second, you must have a 1Password subscription and be running 1Password 8. If you don't, you can get 50% off your first year (not an affiliate link).

Chances are you don't have the CLI, so go ahead, get it and sign in.

Once you've setup dnscontrol and the 1Password CLI, go find your creds.json file.

Credentials are fetched using secret references to the item in 1Password using the following syntax:

op://vault/item/field

In creds.json define the provider and link to the secret reference:

    "dnsimple": {
      "TYPE": "DNSIMPLE",
      "token": "op://Secrets/dnscontrol - DNSimple/credential"
    },

Lastly, when it comes to running dnscontrol you run it like this:

dnscontrol preview --creds='!op inject -i creds.json

dnscontrol push --creds='!op inject -i creds.json

and the CLI will automatically inject the credentials, authenticate into the API, and make the changes to your domains, all without your credentials ever touching the disk.