With the Load secrets from 1Password GitHub Action, you can securely load secrets from 1Password into GitHub Actions using secret references. A secret reference is resolved against 1Password each time the workflow runs, so rotated values are picked up automatically and no plaintext secret ever needs to be committed to the workflow file. You can authenticate load-secrets-action with a 1Password Connect Server or a 1Password Service Account.
Like regular GitHub repository secrets, values loaded from 1Password are registered as masked in GitHub Actions logs. If one of these values accidentally gets printed, it is replaced with ***. Masking applies only to the exact value as loaded: a derived form (a substring, a base64 encoding, a value embedded in a URL) is not masked, so treat loaded values as sensitive in every step that handles them.
Add the service account token to your workflow. Create a secret for your GitHub repository named OP_SERVICE_ACCOUNT_TOKEN and set it to the service account token value. Visit Using secrets in GitHub Actions to learn how.
Configure your workflow. Use the 1password/load-secrets-action/configure action to specify the token of the service account you plan to get secrets from. The following example uses the configure action to set service-account-token to the OP_SERVICE_ACCOUNT_TOKEN secret.
Setting service-account-token in the configure step exports it to the job environment, so every later step in the job can read it. To limit that exposure, leave the input out of the configure step and instead set OP_SERVICE_ACCOUNT_TOKEN in the env of only the steps that load secrets.
Load a secret. Use the 1password/load-secrets-action action to set an environment variable to a secret reference URI that points to where a secret is stored in your 1Password account. The following example sets the SECRET environment variable to the value of a field titled secret within an item titled hello-world saved in a vault titled app-cicd.
Add the Connect server token to your workflow. Create a secret named OP_CONNECT_TOKEN in your repository and set it to the Connect server token value. Visit Using secrets in GitHub Actions to learn how.
Configure your workflow. Use the 1password/load-secrets-action/configure action to specify the Connect server settings. The following example uses the configure action to:
Set connect-host to the Connect server URL (OP_CONNECT_HOST).
Set connect-token to the OP_CONNECT_TOKEN secret.
Setting connect-token in the configure step exports it to the job environment, so every later step in the job can read it. To limit that exposure, leave connect-token out of the configure step and instead set OP_CONNECT_TOKEN in the env of only the steps that load secrets. The Connect host is not a secret and can safely stay in the configure step.
Load a secret. Use the 1password/load-secrets-action action to set an environment variable to a secret reference URI that points to where a secret is stored in your 1Password account. The following example sets the SECRET environment variable to the value of a field titled secret within an item titled hello-world saved in a vault titled app-cicd.
Secret reference URIs point to where a secret is saved in your 1Password account using the names (or unique identifiers) of the vault, item, section, and field where the information is stored.
Set an environment variable to a secret reference in your workflow YAML file, and the action will make the referenced secret available as the environment variable for the next steps.
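The following Python is an added example, not code from this page or from load-secrets-action. It parses the op://<vault>/<item>/[<section>/]<field> form described above and then audits a step's env block the way a pre-commit check would: every variable other than the auth inputs must be a well-formed reference, because a literal value there is almost always a plaintext credential pasted into the workflow. The optional ?key=value query handling and the SAMPLE_ENV block are assumptions of the example; the sample values are constructed.

```python
"""Parse and audit 1Password secret references of the form
op://<vault>/<item>/[<section>/]<field>[?query].

Added example; not code from the 1Password page or from load-secrets-action.
"""
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import parse_qsl

SCHEME = "op://"
# Auth inputs that legitimately hold a GitHub secret expression instead of an
# op:// reference when they are scoped to a single step (see the Connect examples).
TOKEN_VARS = {"OP_SERVICE_ACCOUNT_TOKEN", "OP_CONNECT_TOKEN"}
NON_SECRET_VARS = {"OP_CONNECT_HOST"}  # a URL, not a credential


@dataclass(frozen=True)
class SecretReference:
    vault: str                                  # vault name or ID
    item: str                                   # item name or ID
    field: str                                  # field label or ID
    section: Optional[str] = None
    query: Tuple[Tuple[str, str], ...] = ()     # e.g. (("ssh-format", "openssh"),)


def parse_secret_reference(ref: str) -> SecretReference:
    """Split a secret reference into its parts; raise ValueError if malformed."""
    if not ref.startswith(SCHEME):
        raise ValueError(f"not a secret reference (expected {SCHEME}...): {ref!r}")
    body, _, query = ref[len(SCHEME):].partition("?")
    segments = body.split("/")
    # Exactly vault/item/field or vault/item/section/field, all non-empty.
    if len(segments) not in (3, 4) or any(not s.strip() for s in segments):
        raise ValueError(
            f"expected {SCHEME}<vault>/<item>/[<section>/]<field> with non-empty parts: {ref!r}"
        )
    params = tuple(parse_qsl(query, keep_blank_values=True)) if query else ()
    if len(segments) == 3:
        vault, item, field = segments
        return SecretReference(vault, item, field, None, params)
    vault, item, section, field = segments
    return SecretReference(vault, item, field, section, params)


def audit_step_env(env: dict) -> list:
    """Return findings for the `env:` block of a load-secrets-action step.

    A token variable must be a GitHub expression (never a literal); everything
    else must parse as a secret reference. The returned strings start with the
    offending variable name.
    """
    findings = []
    for name, value in env.items():
        if name in NON_SECRET_VARS:
            continue
        if name in TOKEN_VARS:
            if not value.strip().startswith("${{"):
                findings.append(f"{name}: must come from a GitHub secret expression, not a literal")
            continue
        try:
            parse_secret_reference(value)
        except ValueError as exc:
            findings.append(f"{name}: {exc}")
    return findings


# Constructed sample env block: two good entries, one pasted literal, one typo.
SAMPLE_ENV = {
    "OP_CONNECT_TOKEN": "${{ secrets.OP_CONNECT_TOKEN }}",
    "DOCKERHUB_USERNAME": "op://app-cicd/docker/username",
    "DOCKERHUB_TOKEN": "dckr_pat_example_not_real",
    "AWS_SECRET_ACCESS_KEY": "op://app-cicd/aws/",
}

if __name__ == "__main__":
    for line in audit_step_env(SAMPLE_ENV) or ["no findings"]:
        print(line)
```

Run against a real workflow by feeding each load-secrets step's env mapping to audit_step_env; a non-empty result should fail the check, since the plaintext value it found is already in git history.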
The following examples show how to use a service account to load a secret and print the output when a push event occurs. To read a loaded secret from a step's outputs, give the step an id and reference it as steps.<id>.outputs.<NAME>. See outputs.<output_id>.
Simple example
Advanced example
The following example shows how to use a service account to load (and print) a secret (as the SECRET env variable) from 1Password. When you print a secret, 1Password automatically replaces it with ***.
The following example shows how to use a service account to load the username and token fields from the docker item in 1Password (as DOCKERHUB_USERNAME and DOCKERHUB_TOKEN), then use them to log into Docker Hub.
config.yml
on: push
name: Deploy app
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Configure 1Password Service Account
        uses: 1password/load-secrets-action/configure@v2
        with:
          # Persist the 1Password Service Account Authorization token
          # for next steps.
          # Keep in mind that every single step in the job is now
          # able to access the token.
          service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
      - name: Load Docker credentials
        id: load-docker-credentials
        uses: 1password/load-secrets-action@v2
        with:
          # Expose the loaded values only as this step's outputs,
          # not as job-wide environment variables.
          export-env: false
        env:
          DOCKERHUB_USERNAME: op://app-cicd/docker/username
          DOCKERHUB_TOKEN: op://app-cicd/docker/token
      - name: Login to Docker Hub
        uses: docker/login-action@v1
        with:
          username: ${{ steps.load-docker-credentials.outputs.DOCKERHUB_USERNAME }}
          password: ${{ steps.load-docker-credentials.outputs.DOCKERHUB_TOKEN }}
      - name: Build and push Docker image
        uses: docker/build-push-action@v2
        with:
          push: true
          tags: acme/app:latest
The following examples show how to use a Connect server to load a secret and print the output when a push event occurs.
Simple example
Advanced example
The following example shows how to use a Connect server to load (and print) a secret (as the SECRET env variable) from 1Password. When you print a secret, 1Password automatically replaces it with ***.
The following example shows how to use a Connect server to load the username and token fields from the docker item in 1Password (as DOCKERHUB_USERNAME and DOCKERHUB_TOKEN), then use them to log into Docker Hub.
config.yml
on: push
name: Deploy app
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Configure 1Password Connect
        uses: 1password/load-secrets-action/configure@v2
        with:
          # Persist the 1Password Connect URL for next steps. You can also persist
          # the Connect token using input `connect-token`, but keep in mind that
          # every single step in the job would then be able to access the token.
          # OP_CONNECT_HOST stands for your Connect server URL.
          connect-host: OP_CONNECT_HOST
      - name: Load Docker credentials
        id: load-docker-credentials
        uses: 1password/load-secrets-action@v2
        with:
          # Expose the loaded values only as this step's outputs,
          # not as job-wide environment variables.
          export-env: false
        env:
          # The Connect token is visible to this step only.
          OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
          DOCKERHUB_USERNAME: op://app-cicd/docker/username
          DOCKERHUB_TOKEN: op://app-cicd/docker/token
      - name: Login to Docker Hub
        uses: docker/login-action@v1
        with:
          username: ${{ steps.load-docker-credentials.outputs.DOCKERHUB_USERNAME }}
          password: ${{ steps.load-docker-credentials.outputs.DOCKERHUB_TOKEN }}
      - name: Build and push Docker image
        uses: docker/build-push-action@v2
        with:
          push: true
          tags: acme/app:latest
The following examples show how to use a service account to load a 1Password secret as an environment variable.
Simple example
Advanced example
The following example shows how to use a service account to load a secret as an environment variable named SECRET. When you print a secret, 1Password automatically replaces it with ***.
The following example shows how to use a service account to load the username and token fields from the docker item in 1Password as environment variables named DOCKERHUB_USERNAME and DOCKERHUB_TOKEN, then uses them to log into Docker Hub. It also loads the access-key-id and secret-access-key fields from the aws item in 1Password as environment variables named AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, then uses them to deploy to AWS. The second load step sets unset-previous so the Docker credentials are removed from the environment before the deploy script runs.
config.yml
on: push
name: Deploy app
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Configure 1Password Service Account
        uses: 1password/load-secrets-action/configure@v2
        with:
          # Persist the 1Password Service Account Authorization token
          # for next steps.
          # Keep in mind that every single step in the job is now able
          # to access the token.
          service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
      - name: Load Docker credentials
        uses: 1password/load-secrets-action@v2
        with:
          # Export loaded secrets as environment variables
          export-env: true
        env:
          DOCKERHUB_USERNAME: op://app-cicd/docker/username
          DOCKERHUB_TOKEN: op://app-cicd/docker/token
      - name: Login to Docker Hub
        uses: docker/login-action@v1
        with:
          username: ${{ env.DOCKERHUB_USERNAME }}
          password: ${{ env.DOCKERHUB_TOKEN }}
      - name: Print environment variables with masked secrets
        run: printenv
      - name: Build and push Docker image
        uses: docker/build-push-action@v2
        with:
          push: true
          tags: acme/app:latest
      - name: Load AWS credentials
        uses: 1password/load-secrets-action@v2
        with:
          # Export loaded secrets as environment variables
          export-env: true
          # Remove local copies of the Docker credentials, which are not needed anymore
          unset-previous: true
        env:
          AWS_ACCESS_KEY_ID: op://app-cicd/aws/access-key-id
          AWS_SECRET_ACCESS_KEY: op://app-cicd/aws/secret-access-key
      - name: Deploy app
        # This script expects AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to be set, which was
        # done automatically by the step above
        run: ./deploy.sh
The following examples show how to use a Connect server to load a secret from 1Password as an environment variable.
Simple example
Advanced example
The following example shows how to use a Connect server to load a secret as an environment variable named SECRET. When you print a secret, 1Password automatically replaces it with ***.
The following example shows how to use a Connect server to load the username and token fields from the docker item in 1Password as environment variables named DOCKERHUB_USERNAME and DOCKERHUB_TOKEN, then uses them to log into Docker Hub. It also loads the access-key-id and secret-access-key fields from the aws item in 1Password as environment variables named AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, then uses them to deploy to AWS. Because the Connect token is only set in the env of the two load steps, no other step in the job can read it.
config.yml
on: push
name: Deploy app
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Configure 1Password Connect
        uses: 1password/load-secrets-action/configure@v2
        with:
          # Persist the 1Password Connect hostname for next steps.
          # You can also persist the Connect token using input
          # `connect-token`, but keep in mind that every single
          # step in the job would then be able to access the token.
          # OP_CONNECT_HOST stands for your Connect server URL.
          connect-host: OP_CONNECT_HOST
      - name: Load Docker credentials
        uses: 1password/load-secrets-action@v2
        with:
          # Export loaded secrets as environment variables
          export-env: true
        env:
          # The Connect token is visible to this step only.
          OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
          DOCKERHUB_USERNAME: op://app-cicd/docker/username
          DOCKERHUB_TOKEN: op://app-cicd/docker/token
      - name: Login to Docker Hub
        uses: docker/login-action@v1
        with:
          username: ${{ env.DOCKERHUB_USERNAME }}
          password: ${{ env.DOCKERHUB_TOKEN }}
      - name: Print environment variables with masked secrets
        run: printenv
      - name: Build and push Docker image
        uses: docker/build-push-action@v2
        with:
          push: true
          tags: acme/app:latest
      - name: Load AWS credentials
        uses: 1password/load-secrets-action@v2
        with:
          # Export loaded secrets as environment variables
          export-env: true
          # Remove local copies of the Docker credentials, which are not needed anymore
          unset-previous: true
        env:
          OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
          AWS_ACCESS_KEY_ID: op://app-cicd/aws/access-key-id
          AWS_SECRET_ACCESS_KEY: op://app-cicd/aws/secret-access-key
      - name: Deploy app
        # This script expects AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to be set, which was
        # done automatically by the step above
        run: ./deploy.sh
If you try to create items with 1Password CLI in your GitHub pipelines (without using load-secrets-action), the command fails with a pipe-detection error. The pipeline environment is in piped mode: standard input is not a terminal, so the CLI assumes the item is being piped in as JSON and refuses to prompt for the details interactively. To create items in this environment, use a JSON template with your item details.
Get the template for the category of item you want to create:
op item template get --out-file=new-item.json <category>
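The following Python is an added example, not code from this page or from the 1Password CLI. It fills such a template without any interactive prompt, so the resulting file can be handed to op item create with its --template flag in the piped pipeline environment. TEMPLATE is a constructed stand-in for what the login-category template looks like; real templates may carry extra keys, which the code leaves untouched, and the example assumes the template's vault slot takes a vault ID. The filled file contains plaintext secrets, so it is written readable by the current user only and should be deleted once the item is created.

```python
"""Fill a 1Password CLI item template (from `op item template get`) without
interactive prompts, so `op item create --template=<file>` can consume it in a
piped CI environment.

Added example; not code from the 1Password page or CLI. TEMPLATE is a
constructed stand-in for the JSON the CLI writes for the `login` category.
"""
import json
import os
from pathlib import Path

# Constructed sample of what `op item template get --out-file=new-item.json login`
# is assumed to produce. Extra keys in a real template are preserved untouched.
TEMPLATE = {
    "title": "",
    "vault": {"id": ""},
    "category": "LOGIN",
    "fields": [
        {"id": "username", "type": "STRING", "purpose": "USERNAME", "label": "username", "value": ""},
        {"id": "password", "type": "CONCEALED", "purpose": "PASSWORD", "label": "password", "value": ""},
        {"id": "notesPlain", "type": "STRING", "purpose": "NOTES", "label": "notesPlain", "value": ""},
    ],
}

GITHUB_MASK = "::add-mask::"  # GitHub Actions workflow command that masks a value in logs


def fill_template(template: dict, *, title: str, vault_id: str, values: dict) -> dict:
    """Return a copy of `template` with title, vault and field values set.

    `values` maps template field ids (e.g. "username", "password") to the
    values to store. An id the template does not have raises KeyError rather
    than being silently dropped, so a typo cannot leave a field empty.
    """
    item = json.loads(json.dumps(template))  # deep copy; the template on disk stays pristine
    item["title"] = title
    item["vault"] = {"id": vault_id}         # assumption: the vault slot takes an ID
    remaining = dict(values)
    for field in item.get("fields", []):
        if field.get("id") in remaining:
            field["value"] = remaining.pop(field["id"])
    if remaining:
        raise KeyError(f"template has no field(s) named {sorted(remaining)}")
    return item


def mask_commands(item: dict) -> list:
    """Workflow commands that mask every CONCEALED value in GitHub Actions logs.

    Print these before any step could echo the item, so an accidental
    `cat new-item.json` shows *** instead of the secret.
    """
    return [
        GITHUB_MASK + field["value"]
        for field in item.get("fields", [])
        if field.get("type") == "CONCEALED" and field.get("value")
    ]


def write_item_file(item: dict, path: str) -> Path:
    """Write the filled item as JSON, created with mode 0600 from the start."""
    p = Path(path)
    fd = os.open(p, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(item, fh, indent=2)
    return p


if __name__ == "__main__":
    item = fill_template(
        TEMPLATE, title="hello-world", vault_id="app-cicd",
        values={"username": "ci-bot", "password": "example-only"},
    )
    for cmd in mask_commands(item):
        print(cmd)
    path = write_item_file(item, "new-item.json")
    # Next step in the pipeline: op item create --template=new-item.json
    # Then remove the file so the plaintext never outlives the step.
    path.unlink()
```

In a workflow, the CLI authenticates with the same OP_SERVICE_ACCOUNT_TOKEN secret described above, set in the env of the step that runs this script and op item create; keep that step's env free of any other secret so the token is not exposed more widely than needed.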