With the Load secrets from 1Password GitHub Action, you can securely load secrets from 1Password into GitHub Actions using secret references. Secret references sync automatically with 1Password and remove the risk of exposing plaintext secrets in code. You can authenticate load-secrets-action with a 1Password Connect Server or a 1Password Service Account.
Similar to regular GitHub repository secrets, the action automatically masks the loaded secret values if they appear in GitHub Actions logs. If one of these values accidentally gets printed, it's replaced with ***.

Requirements

You can configure the action to authenticate to 1Password with either a service account or a Connect server.
Before using the Load secrets from 1Password GitHub Action with a service account, you must:
The Load secrets from 1Password GitHub Action only supports macOS and Linux runners. It doesn't work with Windows runners.

Get started

The steps to get started vary depending on whether you use a service account or a Connect server. The following steps use a service account.
  1. Add the Load secrets from 1Password GitHub Action to your workflow. See Adding an action to your workflow.
  2. Add the service account token to your workflow. Create a secret for your GitHub repository named OP_SERVICE_ACCOUNT_TOKEN and set it to the service account token value. Visit Using secrets in GitHub Actions to learn how.
  3. Configure your workflow. Use the 1password/load-secrets-action/configure action to specify the token of the service account you plan to get secrets from. The following example uses the configure command to set the service-account-token to the OP_SERVICE_ACCOUNT_TOKEN secret.
    config.yml
      uses: 1password/load-secrets-action/configure@v2
      with:
        service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
    
    Setting service-account-token in the configure step makes the token available to every subsequent step in the job. To limit which steps can use it, skip the configure step and instead set OP_SERVICE_ACCOUNT_TOKEN in the env block of only the steps that need it:
    config.yml
    env:
      OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
    
  4. Load a secret. Use the 1password/load-secrets-action action to set an environment variable to a secret reference URI that points to where a secret is stored in your 1Password account. The following example sets the SECRET environment variable to the value of a field titled secret within an item titled hello-world saved in a vault titled app-cicd.
    config.yml
    uses: 1password/load-secrets-action@v2
    env:
      SECRET: op://app-cicd/hello-world/secret
    
    The action makes the referenced secret available as the SECRET environment variable for the next steps.

Reference

The following sections document the action inputs and secret reference syntax for the Load secrets from 1Password GitHub Action .

Action inputs

The following table contains the available configure action inputs.
Action input           Environment variable       Description
connect-host           OP_CONNECT_HOST            The Connect server hostname, IP address, or instance URL.
connect-token          OP_CONNECT_TOKEN           The Connect server token.
service-account-token  OP_SERVICE_ACCOUNT_TOKEN   The service account token.

Secret reference syntax

Secret reference URIs point to where a secret is saved in your 1Password account using the names (or unique identifiers) of the vault, item, section, and field where the information is stored.
op://vault-name/item-name/[section-name/]field-name
Set an environment variable to a secret reference in your workflow YAML file, and the action will make the referenced secret available as the environment variable for the next steps.

Example

The following example shows how to reference the secret-access-key field of the aws item in the app-cicd vault.
config.yml
- name: Load secret
  uses: 1password/load-secrets-action@v2
  env:
    SECRET: op://app-cicd/aws/secret-access-key
  • Vault: app-cicd
  • Item: aws
  • Field: secret-access-key
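A malformed reference (a missing field segment, a doubled slash, a forgotten op:// scheme) only surfaces when the job fails at the load step. The following POSIX shell script, added here as an example and not part of 1Password's action or CLI, parses a reference into its vault, item, optional section and field components according to the grammar above, and lints every op:// value found in a workflow file before the workflow ever runs. The function names are this example's own, and the workflow it writes is constructed for demonstration (its last reference is deliberately missing the field segment).

```shell
#!/bin/sh
# Added example (not 1Password's code): validate op:// secret references
# offline, before a workflow runs. Grammar from the docs:
#   op://vault-name/item-name/[section-name/]field-name

# Parse one reference. On success sets OP_VAULT, OP_ITEM, OP_SECTION (empty
# when absent) and OP_FIELD and returns 0; on failure prints a reason to
# stderr and returns 1. Names may contain spaces, so splitting is on "/" only.
parse_op_ref() {
  _ref=$1
  case $_ref in
    op://*) ;;
    *) printf 'bad reference (missing op:// scheme): %s\n' "$_ref" >&2; return 1 ;;
  esac
  _path=${_ref#op://}
  _old_ifs=$IFS
  IFS=/
  set -f                 # no glob expansion while splitting (restored below)
  set -- $_path
  set +f
  IFS=$_old_ifs
  for _seg in "$@"; do
    if [ -z "$_seg" ]; then
      printf 'bad reference (empty path segment): %s\n' "$_ref" >&2
      return 1
    fi
  done
  case $# in
    3) OP_VAULT=$1; OP_ITEM=$2; OP_SECTION=; OP_FIELD=$3 ;;
    4) OP_VAULT=$1; OP_ITEM=$2; OP_SECTION=$3; OP_FIELD=$4 ;;
    *) printf 'bad reference (want vault/item/[section/]field, got %d segments): %s\n' "$#" "$_ref" >&2
       return 1 ;;
  esac
}

# Extract every op:// value from a workflow YAML file and validate it.
# Returns 0 if all references parse, 1 otherwise (each bad one is reported).
lint_workflow_refs() {
  _bad=$(grep -o 'op://[^"'"'"']*' "$1" | {
    n=0
    while IFS= read -r r; do
      r=${r%% #*}                       # drop a trailing YAML comment
      _tail=${r##*[! ]}                 # trailing run of spaces, if any
      r=${r%"$_tail"}
      parse_op_ref "$r" || n=$((n + 1))
    done
    echo "$n"
  })
  [ "$_bad" -eq 0 ]
}

# Write a small constructed workflow to the path in $1. The last reference is
# deliberately broken: it has no field segment.
write_sample_workflow() {
  cat > "$1" <<'EOF'
on: push
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: 1password/load-secrets-action@v2
        env:
          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
          AWS_SECRET_ACCESS_KEY: op://app-cicd/aws/secret-access-key
          DB_PASSWORD: "op://app-cicd/postgres/Production DB/password"   # section + field
          API_TOKEN: op://app-cicd/hello-world
EOF
}

# Demo when run directly with --demo: lint the constructed sample workflow.
if [ "${1:-}" = "--demo" ]; then
  _f=$(mktemp)
  write_sample_workflow "$_f"
  lint_workflow_refs "$_f" && echo "all references valid" || echo "found bad references"
  rm -f "$_f"
fi
```

Run it against a real workflow with `lint_workflow_refs .github/workflows/deploy.yml` from a pre-commit hook or a CI lint job; the parse function only checks the shape of the reference, so a reference to a vault or item that does not exist still fails at load time.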

Usage examples

You can load secrets using the action in two ways:
  1. Use secrets from the action’s output
  2. Export secrets as environment variables

Use secrets from the action’s output

With export-env set to false, the action does not export anything to the environment; instead each loaded secret becomes a step output that later steps read as steps.<step-id>.outputs.<secret-name>. You need to set an id on the load step to access its outputs. See outputs.<output_id>.
The following example uses a service account to load a secret (referenced by the SECRET env variable) from 1Password when a push event occurs and prints it from the step output. When you print a secret, 1Password automatically replaces it with ***. Keep in mind that a ${{ ... }} expression inside run is expanded into the shell script before it executes; for anything secret, passing the output through the step's env and reading the variable from the shell avoids writing the value into the generated script.
config.yml
on: push
jobs:
  hello-world:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Load secret
        id: op-load-secret
        uses: 1password/load-secrets-action@v2
        with:
          export-env: false
        env:
          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
          SECRET: op://app-cicd/hello-world/secret

      - name: Print masked secret
        run: 'echo "Secret: ${{ steps.op-load-secret.outputs.SECRET }}"'
        # Prints: Secret: ***

Export secrets as environment variables

With export-env set to true (the default), the action exports each loaded secret as an environment variable for the steps that follow, so no step id or outputs lookup is needed.
The following example uses a service account to load a secret as an environment variable named SECRET. When you print a secret, 1Password automatically replaces it with ***.
config.yml
on: push
jobs:
  hello-world:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Load secret
        uses: 1password/load-secrets-action@v2
        with:
          # Export loaded secrets as environment variables
          export-env: true
        env:
          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
          SECRET: op://app-cicd/hello-world/secret

      - name: Print masked secret
        run: 'echo "Secret: $SECRET"'
        # Prints: Secret: ***

Troubleshooting

If you try to create items with the 1Password CLI in a GitHub Actions job (without using load-secrets-action), the command fails with the following error:
Failed to create item: invalid JSON
For example, the following results in an error:
op item create --category=login --title='My Example Item' --vault='Test' \
                --url https://www.acme.com/login \
                --generate-password=20,letters,digits \
                username=jane@acme.com \
                'Test Field 1=my test secret' \
                'Test Section 1.Test Field2[text]=Jane Doe' \
                'Test Section 1.Test Field3[date]=1995-02-23' \
                'Test Section 2.Test Field4[text]='$myNotes
Inside a GitHub Actions job, standard input is not a terminal. The CLI's pipe detection treats that as piped mode and expects the item to arrive as JSON on stdin, so the field assignments on the command line are not used. To create items in this environment, describe the item in a JSON template and pipe it to the command.
  1. Get the template for the category of item you want to create:
    op item template get --out-file=new-item.json <category>
    
  2. Edit the template to add your information.
  3. Pipe the item content to the command:
    cat new-item.json | op item create --vault <vault>
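The three steps above, carried through as one non-interactive script. This is an added example, not 1Password's own code: it builds the LOGIN item document directly instead of editing a saved template, checks whether stdin is a terminal (the condition behind the error above), and pipes the JSON into op item create. The document shape (title, category, urls, and fields with id/type/purpose/label/value) is assumed to match what op item template get login emits; confirm it against your CLI version before relying on it. The function names and the OP_BIN override are this example's own.

```shell
#!/bin/sh
# Added example (not 1Password's code): create an item from a CI job, where
# stdin is not a TTY and the CLI therefore expects the item as JSON on stdin.

# Escape a value for use inside a JSON string literal. Handles backslash and
# double quote only; multi-line values need a real JSON tool such as jq.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build a LOGIN item document. Shape assumed to match `op item template get
# login` (title, category, urls, fields with id/type/purpose/label/value);
# diff it against the template your CLI version emits before relying on it.
build_login_item() {
  _title=$(json_escape "$1")
  _url=$(json_escape "$2")
  _user=$(json_escape "$3")
  _pass=$(json_escape "$4")
  _notes=$(json_escape "${5:-}")
  printf '{"title":"%s","category":"LOGIN","urls":[{"primary":true,"href":"%s"}],"fields":[' \
    "$_title" "$_url"
  printf '{"id":"username","type":"STRING","purpose":"USERNAME","label":"username","value":"%s"},' "$_user"
  printf '{"id":"password","type":"CONCEALED","purpose":"PASSWORD","label":"password","value":"%s"},' "$_pass"
  printf '{"id":"notesPlain","type":"STRING","purpose":"NOTES","label":"notesPlain","value":"%s"}]}\n' "$_notes"
}

# Returns 0 when stdin is an interactive terminal and 1 in a pipeline such as
# a GitHub Actions job, which is the situation that produces "invalid JSON".
stdin_is_tty() { [ -t 0 ]; }

# Pipe the item to `op item create`. The JSON travels over stdin only: it is
# not echoed to the job log and not written to a file in the workspace.
# OP_BIN lets a test swap in a stub for the real CLI.
create_item_in_vault() {
  _vault=$1
  _item_json=$2
  printf '%s' "$_item_json" | "${OP_BIN:-op}" item create --vault "$_vault"
}

# Demo path (--demo): build the docs' example item and create it in vault
# "Test". Requires an authenticated op CLI; the password comes from the
# environment so it never appears on a command line.
if [ "${1:-}" = "--demo" ]; then
  _doc=$(build_login_item 'My Example Item' 'https://www.acme.com/login' \
                          'jane@acme.com' "${EXAMPLE_PASSWORD:?set EXAMPLE_PASSWORD}" 'Jane Doe')
  stdin_is_tty && echo "note: stdin is a TTY here; the CLI assignment syntax would also work" >&2
  create_item_in_vault Test "$_doc"
fi
```

Keeping the document in a variable and piping it means no intermediate file is left in the checkout where a later step or an artifact upload could pick it up; if you do write a template file as in step 1, delete it before the job ends.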