# Load secrets from 1Password into GitHub Actions

export const CodeWrapper = ({variant, children}) => {
  const variantStyles = {
    bad: "[&_.code-block-background]:!mint-bg-red-100 [&_.code-block-background]:dark:!mint-bg-red-950/50",
    good: "[&_.code-block-background]:!mint-bg-green-100 [&_.code-block-background]:dark:!mint-bg-green-950/50"
  };
  const appliedStyles = variant ? variantStyles[variant] : "";
  return <div className={`coloredCodeWrapper ${appliedStyles}`}>{children}</div>;
};

export const YouTubeVideo = ({src, title, alt}) => {
  return <Frame>
      <iframe className="w-full aspect-video rounded-xl" src={src} title={alt ?? title} allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowFullScreen></iframe>
    </Frame>;
};

With the [Load secrets from 1Password GitHub Action <Icon icon="github" />](https://github.com/marketplace/actions/load-secrets-from-1password), you can securely load secrets from 1Password into GitHub Actions using [secret references](/cli/secret-reference-syntax). Secret references sync automatically with 1Password and remove the risk of exposing plaintext secrets in code.

You can authenticate `load-secrets-action` with a [1Password Connect Server](/connect/) or a [1Password Service Account](/service-accounts/). See the video below for a brief introduction to using the GitHub Action with a service account.

<YouTubeVideo src="https://www.youtube.com/embed/kVBl5iQYgSA" title="Using 1Password Service Accounts with GitHub actions" />

<Note>
  Similar to regular [GitHub repository secrets <Icon icon="arrow-up-right-from-square" />](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions), 1Password automatically masks sensitive fields that appear in GitHub Actions logs. If one of these values accidentally gets printed, it's replaced with `***`.
</Note>

## Requirements

You can configure the action to authenticate to 1Password with either a [service account](/service-accounts/) or a [Connect server](/connect/).

<Tabs queryString="workflow-type" groupId="workflow-type">
  <Tab title="Service account">
    Before using the [Load secrets from 1Password GitHub Action <Icon icon="github" />](https://github.com/marketplace/actions/load-secrets-from-1password) with a service account, you must:

    * [Sign up for 1Password.](https://1password.com/pricing/password-manager)
    * [Create a service account.](/service-accounts/)
    * Have the service account token on hand.
  </Tab>

  <Tab title="Connect">
    Before using the [Load secrets from 1Password GitHub Action <Icon icon="github" />](https://github.com/marketplace/actions/load-secrets-from-1password) with a Connect server, you must:

    * [Sign up for 1Password.](https://1password.com/pricing/password-manager)
    * [Create and deploy a Connect server](/connect/get-started/#step-1) in your infrastructure.
    * Have the Connect server hostname and Connect server token on hand.
  </Tab>
</Tabs>

<Warning>
  The [Load secrets from 1Password GitHub Action <Icon icon="github" />](https://github.com/marketplace/actions/load-secrets-from-1password) only supports Mac and Linux [runners <Icon icon="arrow-up-right-from-square" />](https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners). It doesn't work with Windows runners.
</Warning>

## Get started

The steps to get started vary depending on whether you use a service account or a Connect server.

<Tabs queryString="workflow-type" groupId="workflow-type">
  <Tab title="Service account">
    1. Add the [Load secrets from 1Password GitHub Action <Icon icon="github" />](https://github.com/marketplace/actions/load-secrets-from-1password) to your workflow.

       See [Adding an action to your workflow <Icon icon="arrow-up-right-from-square" />](https://docs.github.com/en/actions/learn-github-actions/finding-and-customizing-actions#adding-an-action-to-your-workflow).

    2. Add the service account token to your workflow.

       Create a secret for your GitHub repository named `OP_SERVICE_ACCOUNT_TOKEN` and set it to the service account token value.

       Visit [Using secrets in GitHub Actions <Icon icon="arrow-up-right-from-square" />](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions) to learn how.

    3. Configure your workflow.

       Use the `1password/load-secrets-action/configure` action to specify the token of the service account you plan to get secrets from.

       The following example uses the `configure` command to set the `service-account-token` to the `OP_SERVICE_ACCOUNT_TOKEN` secret.

       ```yaml config.yml theme={null}
       uses: 1password/load-secrets-action/configure@v2
       with:
         service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
       ```

       <Tip>
         Setting the `service-account-token` in the `configure` step makes the value available to all subsequent steps. You can limit step access to the service account token by only using the service account token in specific steps.

         To use the service account token in a specific step, set it in the `env` variables for that step.

         ```yaml config.yml theme={null}
         env:
           OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
         ```
       </Tip>

    4. Load a secret.

       Use the `1password/load-secrets-action` action to set an environment variable to a [secret reference URI](#secret-reference-syntax) that points to where a secret is stored in your 1Password account.

       The following example sets the `SECRET` environment variable to the value of a field titled `secret` within an item titled `hello-world` saved in a vault titled `app-cicd`.

       ```yaml config.yml theme={null}
       uses: 1password/load-secrets-action@v2
       env:
         SECRET: op://app-cicd/hello-world/secret
       ```

       The action makes the referenced secret available as the `SECRET` environment variable for the next steps.
  </Tab>

  <Tab title="Connect">
    1. Add the [Load secrets from 1Password GitHub Action <Icon icon="github" />](https://github.com/marketplace/actions/load-secrets-from-1password) (`load-secrets-action`) to your workflow.

       See [Adding an action to your workflow <Icon icon="arrow-up-right-from-square" />](https://docs.github.com/en/actions/learn-github-actions/finding-and-customizing-actions#adding-an-action-to-your-workflow).

    2. Add the Connect server token to your workflow.

       Create a secret named `OP_CONNECT_TOKEN` in your repository and set it to the Connect server token value.

       Visit [Using secrets in GitHub Actions <Icon icon="arrow-up-right-from-square" />](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions) to learn how.

    3. Configure your workflow.

       Use the `1password/load-secrets-action/configure` action to specify the Connect server environment variable.

       The following example uses the `configure` command to:

       * Set `connect-host` to the Connect server hostname (exported as `OP_CONNECT_HOST`).
       * Set `connect-token` to the `OP_CONNECT_TOKEN` secret.

       ```yaml config.yml theme={null}
       uses: 1password/load-secrets-action/configure@v2
       with:
         connect-host: OP_CONNECT_HOST
         connect-token: ${{ secrets.OP_CONNECT_TOKEN }}
       ```

       <Tip>
         Setting the `connect-token` in the `configure` step makes the value available to all subsequent steps. You can limit step access to the Connect token by only using the Connect token in specific steps.

         To use the Connect token in a specific step, set it in the `env` variables for that step.

         ```yaml config.yml theme={null}
         env:
           OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
         ```
       </Tip>

    4. Load a secret.

       Use the `1password/load-secrets-action` action to set an environment variable to a [secret reference URI](#secret-reference-syntax) that points to where a secret is stored in your 1Password account.

       The following example sets the `SECRET` environment variable to the value of a field titled `secret` within an item titled `hello-world` saved in a vault titled `app-cicd`.

       ```yaml config.yml theme={null}
       uses: 1password/load-secrets-action@v2
       env:
         SECRET: op://app-cicd/hello-world/secret
       ```

       The action makes the referenced secret available as the `SECRET` environment variable for the next steps.
  </Tab>
</Tabs>

## Reference

The following sections document the [action inputs](#action-inputs) and [secret reference syntax](#secret-reference-syntax) for the [Load secrets from 1Password GitHub Action <Icon icon="github" />](https://github.com/marketplace/actions/load-secrets-from-1password).

### Action inputs

The following table contains the available `configure` action inputs.

| Action input            | Environment variable       | Description                                                |
| ----------------------- | -------------------------- | ---------------------------------------------------------- |
| `connect-host`          | `OP_CONNECT_HOST`          | The Connect server, hostname, IP address, or instance URL. |
| `connect-token`         | `OP_CONNECT_TOKEN`         | The Connect server token.                                  |
| `service-account-token` | `OP_SERVICE_ACCOUNT_TOKEN` | The service account token.                                 |

### Secret reference syntax

Secret reference URIs point to where a secret is saved in your 1Password account using the names (or [unique identifiers](/cli/reference/#unique-identifiers-ids)) of the vault, item, section, and field where the information is stored.

```shell theme={null}
op://vault-name/item-name/[section-name/]field-name
```

Set an environment variable to a secret reference in your workflow YAML file, and the action will make the referenced secret available as the environment variable for the next steps.

#### Example

The following example shows how to reference the `secret-access-key` field of the `aws` item in the `app-cicd` vault.

```yaml config.yml theme={null}
- name: Load secret
  uses: 1password/load-secrets-action@v2
  env:
    SECRET: op://app-cicd/aws/secret-access-key
```

* **Vault:** `app-cicd`
* **Item:** `aws`
* **Field:** `secret-access-key`
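To catch a malformed reference or a hard-coded value before a workflow ever runs, here is an added example (not part of this page or of the `load-secrets-action` project) that parses `op://` references using the syntax above and audits the uppercase `env` values in a workflow file. The sample workflow text and the `parse_secret_reference`, `classify_env_value` and `audit_workflow` names are constructed for this example.

```python
"""Audit op:// secret references in a GitHub Actions workflow (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# op://vault/item/field  or  op://vault/item/section/field (syntax documented above)
_REF_RE = re.compile(r"^op://([^/]+)/([^/]+)/(?:([^/]+)/)?([^/]+)$")
# Uppercase KEY: value lines, the shape the env: blocks on this page use
_ENV_LINE_RE = re.compile(r"^\s+([A-Z][A-Z0-9_]*):\s*(.+?)\s*$")
# A GitHub Actions expression such as ${{ secrets.OP_CONNECT_TOKEN }}
_EXPR_RE = re.compile(r"^\$\{\{.*\}\}$")


@dataclass(frozen=True)
class SecretReference:
    vault: str
    item: str
    field: str
    section: Optional[str] = None


def parse_secret_reference(ref: str) -> SecretReference:
    """Split an op:// URI into its parts; raise ValueError if it is malformed."""
    m = _REF_RE.match(ref.strip())
    if not m:
        raise ValueError(f"not a valid secret reference: {ref!r}")
    vault, item, section, field = m.groups()
    return SecretReference(vault=vault, item=item, field=field, section=section)


def classify_env_value(value: str) -> str:
    """Return 'reference', 'expression' or 'plaintext' for one env value."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        value = value[1:-1]  # drop matching YAML quotes
    if value.startswith("op://"):
        parse_secret_reference(value)  # raises on a malformed reference
        return "reference"
    if _EXPR_RE.match(value):
        return "expression"
    return "plaintext"


def audit_workflow(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, key, problem) for malformed or hard-coded env values."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = _ENV_LINE_RE.match(line)
        if not m:
            continue  # not an uppercase KEY: value line
        key, value = m.groups()
        try:
            kind = classify_env_value(value)
        except ValueError as exc:
            findings.append((lineno, key, str(exc)))
            continue
        if kind == "plaintext":
            findings.append((lineno, key, "hard-coded value instead of a secret reference"))
    return findings


# Constructed sample workflow: two good references, one plaintext token, one bad reference.
SAMPLE_WORKFLOW = """\
on: push
jobs:
  hello-world:
    runs-on: ubuntu-latest
    steps:
      - name: Load secret
        uses: 1password/load-secrets-action@v2
        env:
          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
          SECRET: op://app-cicd/hello-world/secret
          AWS_SECRET_ACCESS_KEY: op://app-cicd/aws/credentials/secret-access-key
          # the next value is a constructed plaintext token, not a reference
          DOCKERHUB_TOKEN: dckr_pat_not_a_real_token
          BROKEN: op://app-cicd/hello-world
"""

if __name__ == "__main__":
    for lineno, key, problem in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {key}: {problem}")
```

Run it against a real workflow file by passing the file's text to `audit_workflow`; a clean workflow returns an empty list.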

## Usage examples

You can load secrets using the action in two ways:

1. [Use secrets from the action's output](#use-secrets-from-the-actions-output)
2. [Export secrets as environment variables](#export-secrets-as-environment-variables)

<h3 id="use-secrets-from-the-actions-output">
  Use secrets from the action's output
</h3>

You can use the [Load secrets from 1Password GitHub Action <Icon icon="github" />](https://github.com/marketplace/actions/load-secrets-from-1password) to read loaded secrets from the step's outputs (`steps.<step-id>.outputs.<secret-name>`) instead of exporting them as environment variables.

<Tabs queryString="workflow-type" groupId="workflow-type">
  <Tab title="Service account">
    The following examples show how to use a service account to load a secret from 1Password and print the step's output when a `push` event occurs.

    You need to set an ID for the step to access its outputs. See [`outputs.<output_id>` <Icon icon="arrow-up-right-from-square" />](https://docs.github.com/actions/creating-actions/metadata-syntax-for-github-actions#outputsoutput_id).

    <Tabs queryString="example" groupId="service-account-examples-1">
      <Tab title="Simple example">
        The following example shows how to use a service account to load the secret referenced by the `SECRET` env variable and print it from the step's output. When you print a secret, 1Password automatically replaces it with `***`.

        ```yaml config.yml theme={null}
        on: push
        jobs:
          hello-world:
            runs-on: ubuntu-latest
            steps:
              - uses: actions/checkout@v3

              - name: Load secret
                id: op-load-secret
                uses: 1password/load-secrets-action@v2
                with:
                  export-env: false
                env:
                  OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
                  SECRET: op://app-cicd/hello-world/secret

              - name: Print masked secret
                run: 'echo "Secret: ${{ steps.op-load-secret.outputs.SECRET }}"'
                # Prints: Secret: ***
        ```
      </Tab>

      <Tab title="Advanced example">
        The following example shows how to use a service account to load the `username` and `token` fields from the `docker` item in 1Password (as `DOCKERHUB_USERNAME` and `DOCKERHUB_TOKEN`), then use them to log into Docker Hub.

        ```yaml config.yml theme={null}
        on: push
        name: Deploy app

        jobs:
          test:
            runs-on: ubuntu-latest
            steps:
              - uses: actions/checkout@v3

              - name: Configure 1Password Service Account
                uses: 1password/load-secrets-action/configure@v2
                with:
                  # Persist the 1Password Service Account Authorization token
                  # for next steps.
                  # Keep in mind that every single step in the job is now
                  # able to access the token.
                  service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}

              - name: Load Docker credentials
                id: load-docker-credentials
                uses: 1password/load-secrets-action@v2
                with:
                  export-env: false
                env:
                  DOCKERHUB_USERNAME: op://app-cicd/docker/username
                  DOCKERHUB_TOKEN: op://app-cicd/docker/token

              - name: Login to Docker Hub
                uses: docker/login-action@v1
                with:
                  username: ${{ steps.load-docker-credentials.outputs.DOCKERHUB_USERNAME }}
                  password: ${{ steps.load-docker-credentials.outputs.DOCKERHUB_TOKEN }}

              - name: Build and push Docker image
                uses: docker/build-push-action@v2
                with:
                  push: true
                  tags: acme/app:latest
        ```
      </Tab>
    </Tabs>
  </Tab>

  <Tab title="Connect">
    The following examples show how to use a Connect server to load a secret from 1Password and print the step's output when a `push` event occurs.

    <Tabs queryString="example" groupId="connect-examples-1">
      <Tab title="Simple example">
        The following example shows how to use a Connect server to load the secret referenced by the `SECRET` env variable and print it from the step's output. When you print a secret, 1Password automatically replaces it with `***`.

        ```yaml config.yml theme={null}
        on: push
        jobs:
          hello-world:
            runs-on: ubuntu-latest
            steps:
              - uses: actions/checkout@v3

              - name: Load secret
                id: op-load-secret
                uses: 1password/load-secrets-action@v2
                with:
                  export-env: false
                env:
                  OP_CONNECT_HOST: connect-host # replace with your Connect server hostname or URL
                  OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
                  SECRET: op://app-cicd/hello-world/secret

              - name: Print masked secret
                run: 'echo "Secret: ${{ steps.op-load-secret.outputs.SECRET }}"'
                # Prints: Secret: ***
        ```
      </Tab>

      <Tab title="Advanced example">
        The following example shows how to use a Connect server to load the `username` and `token` fields from the `docker` item in 1Password (as `DOCKERHUB_USERNAME` and `DOCKERHUB_TOKEN`), then use them to log into Docker Hub.

        ```yaml config.yml theme={null}
        on: push
        name: Deploy app

        jobs:
          test:
            runs-on: ubuntu-latest
            steps:
              - uses: actions/checkout@v3

              - name: Configure 1Password Connect
                uses: 1password/load-secrets-action/configure@v2
                with:
                  # Persist the 1Password Connect URL for next steps. You can also persist
                  # the Connect token using input `connect-token`, but keep in mind that
                  # every single step in the job would then be able to access the token.
                  connect-host: OP_CONNECT_HOST
              - name: Load Docker credentials
                id: load-docker-credentials
                uses: 1password/load-secrets-action@v2
                with:
                  export-env: false
                env:
                  OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
                  DOCKERHUB_USERNAME: op://app-cicd/docker/username
                  DOCKERHUB_TOKEN: op://app-cicd/docker/token

              - name: Login to Docker Hub
                uses: docker/login-action@v1
                with:
                  username: ${{ steps.load-docker-credentials.outputs.DOCKERHUB_USERNAME }}
                  password: ${{ steps.load-docker-credentials.outputs.DOCKERHUB_TOKEN }}

              - name: Build and push Docker image
                uses: docker/build-push-action@v2
                with:
                  push: true
                  tags: acme/app:latest
        ```
      </Tab>
    </Tabs>
  </Tab>
</Tabs>

### Export secrets as environment variables

You can use the [Load secrets from 1Password GitHub Action <Icon icon="github" />](https://github.com/marketplace/actions/load-secrets-from-1password) to export loaded secrets as environment variables that later steps in the job read directly (for example as `$SECRET` or `${{ env.SECRET }}`).

<Tabs queryString="workflow-type" groupId="workflow-type">
  <Tab title="Service account">
    The following examples show how to use a service account to load a 1Password secret as an environment variable.

    <Tabs queryString="example" groupId="service-account-examples-2">
      <Tab title="Simple example">
        The following example shows how to use a service account to load a secret as an environment variable named `SECRET`. When you print a secret, 1Password automatically replaces it with `***`.

        ```yaml config.yml theme={null}
        on: push
        jobs:
          hello-world:
            runs-on: ubuntu-latest
            steps:
              - uses: actions/checkout@v3

              - name: Load secret
                uses: 1password/load-secrets-action@v2
                with:
                  # Export loaded secrets as environment variables
                  export-env: true
                env:
                  OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
                  SECRET: op://app-cicd/hello-world/secret

              - name: Print masked secret
                run: 'echo "Secret: $SECRET"'
                # Prints: Secret: ***
        ```
      </Tab>

      <Tab title="Advanced example">
        The following example shows how to use a service account to load the `username` and `token` fields from the `docker` item in 1Password as environment variables named `DOCKERHUB_USERNAME` and `DOCKERHUB_TOKEN`, then uses them to log into Docker Hub.

        It also loads the `access-key-id` and `secret-access-key` fields from the `aws` item in 1Password as environment variables named `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`, then uses them to deploy to AWS.

        ```yaml config.yml theme={null}
        on: push
        name: Deploy app

        jobs:
          test:
            runs-on: ubuntu-latest
            steps:
              - uses: actions/checkout@v3

              - name: Configure 1Password Service Account
                uses: 1password/load-secrets-action/configure@v2
                with:
                  # Persist the 1Password Service Account Authorization token
                  # for next steps.
                  # Keep in mind that every single step in the job is now able
                  # to access the token.
                  service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}

              - name: Load Docker credentials
                uses: 1password/load-secrets-action@v2
                with:
                  # Export loaded secrets as environment variables
                  export-env: true
                env:
                  DOCKERHUB_USERNAME: op://app-cicd/docker/username
                  DOCKERHUB_TOKEN: op://app-cicd/docker/token

              - name: Login to Docker Hub
                uses: docker/login-action@v1
                with:
                  username: ${{ env.DOCKERHUB_USERNAME }}
                  password: ${{ env.DOCKERHUB_TOKEN }}

              - name: Print environment variables with masked secrets
                run: printenv

              - name: Build and push Docker image
                uses: docker/build-push-action@v2
                with:
                  push: true
                  tags: acme/app:latest

              - name: Load AWS credentials
                uses: 1password/load-secrets-action@v2
                with:
                  # Export loaded secrets as environment variables
                  export-env: true
                  # Remove local copies of the Docker credentials, which are not needed anymore
                  unset-previous: true
                env:
                  AWS_ACCESS_KEY_ID: op://app-cicd/aws/access-key-id
                  AWS_SECRET_ACCESS_KEY: op://app-cicd/aws/secret-access-key

              - name: Deploy app
                # This script expects AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to be set, which was
                # done automatically by the step above
                run: ./deploy.sh
        ```
      </Tab>
    </Tabs>
  </Tab>

  <Tab title="Connect">
    The following examples show how to use a Connect server to load a secret from 1Password as an environment variable.

    <Tabs queryString="example" groupId="connect-examples-2">
      <Tab title="Simple example">
        The following example shows how to use a Connect server to load a secret as an environment variable named `SECRET`. When you print a secret, 1Password automatically replaces it with `***`.

        ```yaml config.yml theme={null}
        on: push
        jobs:
          hello-world:
            runs-on: ubuntu-latest
            steps:
              - uses: actions/checkout@v3

              - name: Load secret
                uses: 1password/load-secrets-action@v2
                with:
                  # Export loaded secrets as environment variables
                  export-env: true
                env:
                  OP_CONNECT_HOST: connect-host # replace with your Connect server hostname or URL
                  OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
                  SECRET: op://app-cicd/hello-world/secret

              - name: Print masked secret
                run: 'echo "Secret: $SECRET"'
                # Prints: Secret: ***
        ```
      </Tab>

      <Tab title="Advanced example">
        The following example shows how to use a Connect server to load the `username` and `token` fields from the `docker` item in 1Password as environment variables named `DOCKERHUB_USERNAME` and `DOCKERHUB_TOKEN`, then uses them to log into Docker Hub.

        It also loads the `access-key-id` and `secret-access-key` fields from the `aws` item in 1Password as environment variables named `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`, then uses them to deploy to AWS.

        ```yaml config.yml theme={null}
        on: push
        name: Deploy app

        jobs:
          test:
            runs-on: ubuntu-latest
            steps:
              - uses: actions/checkout@v3

              - name: Configure 1Password Connect
                uses: 1password/load-secrets-action/configure@v2
                with:
                  # Persist the 1Password Connect hostname for next steps.
                  # You can also persist the Connect token using input
                  # `connect-token`, but keep in mind that every single
                  # step in the job would then be able to access the token.
                  connect-host: OP_CONNECT_HOST

              - name: Load Docker credentials
                uses: 1password/load-secrets-action@v2
                with:
                  # Export loaded secrets as environment variables
                  export-env: true
                env:
                  OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
                  DOCKERHUB_USERNAME: op://app-cicd/docker/username
                  DOCKERHUB_TOKEN: op://app-cicd/docker/token

              - name: Login to Docker Hub
                uses: docker/login-action@v1
                with:
                  username: ${{ env.DOCKERHUB_USERNAME }}
                  password: ${{ env.DOCKERHUB_TOKEN }}

              - name: Print environment variables with masked secrets
                run: printenv

              - name: Build and push Docker image
                uses: docker/build-push-action@v2
                with:
                  push: true
                  tags: acme/app:latest

              - name: Load AWS credentials
                uses: 1password/load-secrets-action@v2
                with:
                  # Export loaded secrets as environment variables
                  export-env: true
                  # Remove local copies of the Docker credentials, which are not needed anymore
                  unset-previous: true
                env:
                  OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
                  AWS_ACCESS_KEY_ID: op://app-cicd/aws/access-key-id
                  AWS_SECRET_ACCESS_KEY: op://app-cicd/aws/secret-access-key

              - name: Deploy app
                # This script expects AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to be set, which was
                # done automatically by the step above
                run: ./deploy.sh
        ```
      </Tab>
    </Tabs>
  </Tab>
</Tabs>

## Troubleshooting

If you try to create items using 1Password CLI in your GitHub pipelines (without using `load-secrets-action`), the command fails with the following error:

<CodeWrapper variant="bad">
  ```text theme={null}
  Failed to create item: invalid JSON
  ```
</CodeWrapper>

For example, the following results in an error:

<CodeWrapper variant="bad">
  ```shell theme={null}
  op item create --category=login --title='My Example Item' --vault='Test' \
                  --url https://www.acme.com/login \
                  --generate-password=20,letters,digits \
                  username=jane@acme.com \
                  'Test Field 1=my test secret' \
                  'Test Section 1.Test Field2[text]=Jane Doe' \
                  'Test Section 1.Test Field3[date]=1995-02-23' \
                  "Test Section 2.Test Field4[text]=$myNotes"
  ```
</CodeWrapper>

In a pipeline, the command's standard input is not an interactive terminal, so the CLI's pipe detection treats the environment as piped and expects the item details to arrive on standard input. With nothing piped in, the command fails with the `invalid JSON` error above.

To create items in this environment, use a [JSON template](/cli/item-template-json/) with your item details.

1. Get the template for the category of item you want to create:

   ```shell theme={null}
   op item template get --out-file=new-item.json <category>
   ```

2. Edit [the template](/cli/item-template-json/) to add your information.

3. Pipe the item content to the command:

   ```shell theme={null}
   cat new-item.json | op item create --vault <vault>
   ```
