Get started with secret references
A secret reference URI includes the name of the vault, item, section, and field where a secret is stored in your 1Password account, in the form `op://<vault>/<item>[/<section>]/<field>` (the section is optional).
You can use secret references to securely load information saved in 1Password into environment variables, configuration files, and scripts without storing any secrets in plaintext. Secret references are dynamic: if you update an item in 1Password, the new value is used the next time the reference is resolved, with no change to your code.
To replace secret references with the secrets they refer to at runtime, use `op read`, `op run`, or `op inject`.
We recommend using 1Password Service Accounts to follow the principle of least privilege. Service accounts support restricting 1Password CLI to specific vaults, so that processes in your authorized terminal session can only access items required for a given purpose.
Requirements
Before you can use secret references to securely load your secrets, you'll need to:
- Sign up for 1Password.
- Install 1Password CLI.
- Save the secrets you want to reference in your 1Password account.
Step 1: Copy secret references
To see the option to copy secret references in the 1Password desktop app, turn on the 1Password desktop app integration.
To copy secret references:
- Open and unlock the 1Password desktop app.
- Open the item where the secret you want to reference is stored.
- Click the icon next to the field that contains the secret you want to reference, then click Copy Secret Reference.
If the name of the vault, item, section, or field includes an unsupported character, the app will substitute a unique ID instead of the name. For example, a password saved on an item named `mysql (work)` would show a string of numbers and letters in place of the item name.
If you want to get secret references for every field on an item, use `op item get` with the `--format json` flag. In the JSON output, each field includes a `"reference"` key that contains its secret reference, so for the example GitHub item you get one reference per field.
If you want to write your own secret references, use the secret reference syntax.
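Before handing a hand-written reference to `op read`, `op run` or `op inject`, it is worth validating its shape so a typo fails early with a clear message rather than an opaque resolution error. The following POSIX shell helper is an added example (not code from the 1Password documentation or CLI): it splits a reference into vault, item, optional section, field and query string, and builds references with a single query parameter. The vault and item names in it (`Private`, `GitHub`, `Database`) are constructed placeholders, not real items; it checks structure only and does not enforce the app's character rules.

```shell
# Added example (not from the 1Password docs): parse and validate a secret
# reference before handing it to op read/op run/op inject, so a typo fails
# early with a clear message instead of an opaque resolution error.
# Reference form: op://<vault>/<item>[/<section>]/<field>[?<key>=<value>]
# Vault/item names below ("Private", "GitHub", ...) are constructed placeholders.

# parse_ref REF
# On success sets REF_VAULT, REF_ITEM, REF_SECTION (empty when the reference
# has no section), REF_FIELD and REF_QUERY (empty when absent) and returns 0.
# On a malformed reference prints a diagnostic to stderr and returns 1.
parse_ref() {
    ref=$1
    REF_VAULT='' REF_ITEM='' REF_SECTION='' REF_FIELD='' REF_QUERY=''
    case $ref in
        op://*) ;;
        *) echo "parse_ref: missing op:// scheme: $ref" >&2; return 1 ;;
    esac
    path=${ref#op://}
    # Split off the query string (everything after the first '?').
    case $path in
        *\?*) REF_QUERY=${path#*\?}; path=${path%%\?*} ;;
    esac
    # Split the path on '/' only; names may contain spaces, and -f stops
    # pathname expansion from touching names that contain '*' or '?'.
    oldIFS=$IFS
    IFS=/
    set -f
    set -- $path
    set +f
    IFS=$oldIFS
    case $# in
        3) REF_VAULT=$1; REF_ITEM=$2; REF_FIELD=$3 ;;
        4) REF_VAULT=$1; REF_ITEM=$2; REF_SECTION=$3; REF_FIELD=$4 ;;
        *) echo "parse_ref: expected vault/item[/section]/field, got $# parts: $ref" >&2
           return 1 ;;
    esac
    for part in "$@"; do
        if [ -z "$part" ]; then
            echo "parse_ref: empty path component in: $ref" >&2
            return 1
        fi
    done
    if [ -n "$REF_QUERY" ]; then
        case $REF_QUERY in
            ?*=?*) ;;
            *) echo "parse_ref: query must be key=value: $ref" >&2; return 1 ;;
        esac
    fi
    return 0
}

# ref_query REF KEY VALUE
# Append a single query parameter (for example attribute=otp or
# ssh-format=openssh) to REF, refusing a reference that already has one.
ref_query() {
    case $1 in
        *\?*) echo "ref_query: $1 already has a query" >&2; return 1 ;;
    esac
    printf '%s?%s=%s\n' "$1" "$2" "$3"
}

# Demonstration on constructed references (not real items); the last one is
# deliberately malformed to show the diagnostic.
for r in 'op://Private/GitHub/token' \
         'op://Private/Database/Credentials/password' \
         "$(ref_query 'op://Private/GitHub/one-time password' attribute otp)" \
         'op://Private/GitHub'; do
    if parse_ref "$r"; then
        printf 'vault=%s item=%s section=%s field=%s query=%s\n' \
            "$REF_VAULT" "$REF_ITEM" "$REF_SECTION" "$REF_FIELD" "$REF_QUERY"
    fi
done
```

Splitting on `/` with `IFS` rather than a regex keeps names with spaces intact (for example a field called `one-time password`), which is why the helper accepts them; a reference the app had to rewrite with an ID parses the same way, since an ID is just another path component.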
Step 2: Resolve secret references
There are three ways you can replace secret references with the actual secrets they reference at runtime:
- Use `op read` to print secrets to stdout.
- Use `op run` to pass secrets as environment variables to a process.
- Use `op inject` to inject secrets into configuration files or scripts.
With op read
You can use `op read` with a secret reference to print the secret to stdout.
To write the secret to a file instead of stdout, include the `--out-file` flag (or `-o`) with the path to the new file. For example, to create a file `token.txt` that contains the GitHub personal access token:
token.txt
You can also use `op read` with secret references to load secrets into scripts. For example, to use secret references in place of your Docker username and password with the `docker login` command:
myscript.sh
Query parameters
You can use secret references with query parameters to get more information about an item.
To get information about item fields or file attachments, include the `attribute` (or `attr`) query parameter with the attribute you want to get.
You can query the following attributes for fields: `type`, `value`, `title`, `id`, `purpose`, `otp`.
And the following attributes for file attachments: `content`, `size`, `id`, `name`, `type`.
For example, to retrieve a one-time password from the one-time password field on a GitHub item, add `?attribute=otp` to that field's secret reference.
To get an SSH key's private key in the OpenSSH format, include the `ssh-format` query parameter with the value `openssh` (`?ssh-format=openssh`) on a secret reference for the SSH key's `private key` field.
Learn more about securely loading secrets into scripts.
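The `docker login` script above and the query parameters both come together in the following added example (not code from the 1Password documentation or CLI). It reads the Docker username and password with `op read`, passes the username as an argument but streams the password to `docker login --password-stdin` so it never appears in the process list or shell history, and fetches a one-time password through `?attribute=otp`. The references (vault `Private`, items `Docker Hub` and `GitHub`) are constructed placeholders, and the `OP_BIN`/`DOCKER_BIN` indirection is an assumption of this example so the functions can be exercised with stub commands where `op` and `docker` are not available.

```shell
# Added example (not from the 1Password docs): a script that loads credentials
# with op read and feeds them to docker login without ever putting the
# password on a command line. The references (vault "Private", items
# "Docker Hub" and "GitHub") are constructed placeholders.
# OP_BIN and DOCKER_BIN exist so the functions can be exercised with stub
# commands where op/docker are unavailable.
OP_BIN=${OP_BIN:-op}
DOCKER_BIN=${DOCKER_BIN:-docker}

# read_secret REF: print the resolved secret, failing if op cannot resolve it
# or returns nothing (an empty credential must never be accepted silently).
read_secret() {
    value=$("$OP_BIN" read "$1") || return 1
    if [ -z "$value" ]; then
        echo "read_secret: empty value for $1" >&2
        return 1
    fi
    printf '%s\n' "$value"
}

# otp_for REF: the current one-time password for a TOTP field, via the
# attribute=otp query parameter.
otp_for() {
    read_secret "$1?attribute=otp"
}

# docker_login USER_REF PASS_REF [REGISTRY]
# The username is safe to pass as an argument; the password is streamed on
# stdin with --password-stdin so it never shows up in `ps` or shell history.
docker_login() {
    user=$(read_secret "$1") || return 1
    pass=$(read_secret "$2") || return 1
    rc=0
    printf '%s\n' "$pass" | "$DOCKER_BIN" login --username "$user" --password-stdin ${3:+"$3"} || rc=$?
    unset pass user   # drop the plaintext from the shell as soon as it's used
    return $rc
}

# Real run (requires op signed in and docker installed): OP_DEMO=1 sh this.sh
if [ "${OP_DEMO:-0}" = 1 ]; then
    docker_login 'op://Private/Docker Hub/username' 'op://Private/Docker Hub/password'
    if otp=$(otp_for 'op://Private/GitHub/one-time password'); then
        echo "fetched a ${#otp}-digit one-time password"   # use $otp, never echo it
    fi
fi
```

The failure path matters as much as the happy path: if a reference cannot be resolved (wrong vault, a service account without access, or an expired session), `read_secret` returns non-zero and `docker login` is never invoked, so an empty or stale credential is never sent anywhere.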
With op run
You can set environment variables to secret references, then use `op run` to pass secrets to an application or script at runtime.
`op run` scans environment variables for secret references, loads the corresponding values from 1Password, then runs the provided command in a subprocess with the secrets made available as environment variables for the duration of the subprocess.
Pass the secrets to an application or script
To pass secrets to your script or application at runtime, wrap the command with `op run`.
For example, consider a Node.js app that needs credentials to connect to a database and reads them from the `DB_USER` and `DB_PASSWORD` environment variables. Set those variables to secret references in your shell (the export syntax differs between Bash, Zsh, sh, fish, and PowerShell), then use `op run` to pass the secrets to the `node app.js` command: `op run -- node app.js`.
Use with environment files
You can also use `op run` with environment files. To do this, use secret references instead of plaintext secrets in your environment file:
node.env
Then use `op run` with the `--env-file` flag: `op run --env-file node.env -- node app.js`.
Print a secret with or without masking
If a subprocess used with `op run` prints a secret to stdout, the secret is concealed by default. You can include the `--no-masking` flag to print the value.
For example, export an environment variable `DB_PASSWORD` set to a secret reference, then use `op run` with the `printenv` command to print the concealed secret: `op run -- printenv DB_PASSWORD` (in PowerShell, print the variable with a PowerShell command instead of `printenv`).
Include the `--no-masking` flag to print the actual secret: `op run --no-masking -- printenv DB_PASSWORD`.
Masking only conceals the secret values in the subprocess's output; the process itself still holds the plaintext in its environment, so treat anything printed with `--no-masking` as sensitive and keep the flag out of CI and other logged sessions.
Learn more about loading secrets into the environment with `op run`, including how to use template variables to switch between different sets of secrets for different environments.
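Because an environment file full of references is meant to be committed while one holding a literal value must not be, the file deserves a check before `op run --env-file` ever sees it. The following is an added example (not code from the 1Password documentation or CLI) in POSIX shell: it flags any credential-looking variable whose value is not an `op://` reference, runs the check over two constructed sample files, and wraps `op run --env-file` so a leaky file is refused. The file names, the vault `app-prod`, the references and the list of suspicious name fragments are all assumptions of this example.

```shell
# Added example (not from the 1Password docs): a guard for op run environment
# files. Variables whose names suggest a credential must hold a secret
# reference, never a literal, so the file stays safe to commit. The sample
# files and the references (vault "app-prod") are constructed placeholders.

# check_env_file FILE
# Report every credential-looking variable whose value is not an op://
# reference; return 1 if any were found, 0 otherwise.
check_env_file() {
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;                # blank lines and comments
        esac
        name=${line%%=*}
        name=${name#export }                    # tolerate "export KEY=value"
        value=${line#*=}
        case $name in
            *PASSWORD*|*PASSWD*|*SECRET*|*TOKEN*|*KEY*|*CREDENTIAL*)
                case $value in
                    op://*|'"op://'*|"'op://"*) ;;   # a reference, bare or quoted
                    *) echo "$1: $name is not a secret reference" >&2
                       status=1 ;;
                esac ;;
        esac
    done < "$1"
    return $status
}

# run_with_env FILE CMD...
# op run reads FILE, resolves each op:// value, and runs CMD with the real
# values in its environment only; the check above refuses files that would
# leak a literal into version control.
run_with_env() {
    envfile=$1
    shift
    check_env_file "$envfile" || return 1
    op run --env-file "$envfile" -- "$@"
}

# Constructed sample files:
ENV_SAMPLE_DIR=$(mktemp -d)
cat > "$ENV_SAMPLE_DIR/node.env" <<'EOF'
# references only: safe to commit
DB_USER=op://app-prod/db/username
DB_PASSWORD=op://app-prod/db/password
API_TOKEN="op://app-prod/api/token"
EOF
cat > "$ENV_SAMPLE_DIR/leaky.env" <<'EOF'
DB_USER=appuser
DB_PASSWORD=hunter2
export STRIPE_SECRET_KEY=sk_test_constructed
EOF

for f in node.env leaky.env; do
    if check_env_file "$ENV_SAMPLE_DIR/$f"; then
        echo "$f: ok"
    else
        echo "$f: rejected"
    fi
done
# Real run (requires op signed in and a node app.js): OP_DEMO=1 sh this.sh
if [ "${OP_DEMO:-0}" = 1 ]; then
    run_with_env "$ENV_SAMPLE_DIR/node.env" node app.js
fi
```

A check like this is a natural pre-commit hook: `node.env` passes because every credential is a reference, while `leaky.env` is rejected for `DB_PASSWORD` and `STRIPE_SECRET_KEY` even though `DB_USER` (not a secret) is left alone.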
With op inject
You can use `op inject` to replace secret references in a script or file with the secrets they reference.
By default, `op inject` accepts input on stdin and outputs on stdout. You can use the `--in-file` flag (or `-i`) to read the input from a file instead, and the `--out-file` flag (or `-o`) to specify where the output should be written.
To use `op inject` to resolve a secret in a simple command, pipe text containing a reference wrapped as `{{ op://... }}` to it on stdin; the reference is replaced by the secret in the output.
To write the output to a file `token.txt` in the current directory, add `-o token.txt`:
token.txt
Use with configuration files
You can use `op inject` to pass in a configuration file templated with secret references and output a configuration file that contains the resolved secrets. Template files that use secret references instead of plaintext secrets can be safely checked into Git; the rendered output file contains the resolved secrets and should be kept out of version control (for example, via `.gitignore`).
config.yml.tpl
Learn more about loading secrets into configuration files with `op inject`, including how to use template variables to switch between different sets of secrets for different environments.
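Two things are easy to get wrong with templated configuration: a template that quietly pulls a reference from a vault the service account should not need, and a rendered file that lands on disk world-readable. The following added example (not code from the 1Password documentation or CLI) lists the `{{ op://... }}` references in a template, refuses to render if any point outside the expected vault, and runs `op inject -i ... -o ...` under a restrictive `umask` so the output is created without group or other permissions. The template contents, the vault name `app-prod`, and the `OP_BIN` indirection (so a stub can stand in for `op` when testing) are assumptions of this example.

```shell
# Added example (not from the 1Password docs): audit a configuration template
# before rendering it with op inject, then render it without leaving the
# plaintext result world-readable. The template and the vault name "app-prod"
# are constructed placeholders. OP_BIN lets tests substitute a stub for op.
OP_BIN=${OP_BIN:-op}

# template_refs FILE: list every {{ op://... }} reference the template resolves.
template_refs() {
    grep -o '{{ *op://[^}]* *}}' "$1" | sed 's/^{{ *//; s/ *}}$//'
}

# check_vault FILE VAULT
# Fail if any reference points outside VAULT: a service account scoped to
# that one vault (least privilege) could not render the template, and a
# stray reference usually means a copy-paste from another environment.
# VAULT is used as a plain name; regex metacharacters in it are not escaped.
check_vault() {
    bad=$(template_refs "$1" | grep -v "^op://$2/" || true)
    if [ -n "$bad" ]; then
        printf '%s: reference outside vault %s:\n%s\n' "$1" "$2" "$bad" >&2
        return 1
    fi
    return 0
}

# render_config TEMPLATE OUT [VAULT]
# Resolve the references into OUT. The umask guarantees the rendered file is
# created with no group/other permissions regardless of the tool's default.
render_config() {
    tpl=$1
    out=$2
    vault=$3
    if [ -n "$vault" ]; then
        check_vault "$tpl" "$vault" || return 1
    fi
    (umask 077 && "$OP_BIN" inject -i "$tpl" -o "$out")
}

# Constructed template (the .tpl is what you commit, never the rendered file):
TPL_SAMPLE_DIR=$(mktemp -d)
cat > "$TPL_SAMPLE_DIR/config.yml.tpl" <<'EOF'
database:
  host: db.internal
  username: {{ op://app-prod/db/username }}
  password: {{ op://app-prod/db/password }}
api:
  token: {{ op://app-prod/api/token }}
EOF

echo "references in config.yml.tpl:"
template_refs "$TPL_SAMPLE_DIR/config.yml.tpl"
# Real run (requires op signed in): OP_DEMO=1 sh this.sh
if [ "${OP_DEMO:-0}" = 1 ]; then
    render_config "$TPL_SAMPLE_DIR/config.yml.tpl" "$TPL_SAMPLE_DIR/config.yml" app-prod
fi
```

Listing the references first also gives you the exact set of items a service account needs, which is the input for scoping it to a single vault as recommended at the top of this page.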