Skip to main content
With the 1Password Secrets plugin for Jenkins , you can securely load secrets from 1Password as environment variables in a Jenkins CI/CD pipeline using secret references. Secret references sync automatically with 1Password and remove the risk of exposing plaintext secrets in code. You can authenticate the plugin with a 1Password Service Account or a 1Password Connect Server.
The 1Password Jenkins plugin is officially supported and maintained by 1Password. Community contributions are welcome. View the repository on GitHub.

Requirements

You can use the 1Password Secrets plugin for Jenkins with either a service account or a Connect server. If you configure both a service account and a Connect server, the Connect server takes precedence.

Get started

To get started with the 1Password Secrets plugin for Jenkins:
  1. Install the 1Password Secrets plugin for Jenkins.
  2. Install 1Password CLI.
  3. Configure the 1Password Secrets plugin for Jenkins.

Step 1: Install the 1Password Secrets plugin for Jenkins

You have several available options to install the 1Password Secrets plugin for Jenkins. You can use the Jenkins GUI (graphical user interface), the Jenkins CLI tool, or a direct upload.
To install the 1Password Secrets plugin for Jenkins using the GUI:
  1. Sign in to your Jenkins instance.
  2. From your Jenkins dashboard, go to Manage Jenkins > Plugins.
  3. Select the Available plugins tab.
  4. Search for onepassword-secrets.
  5. Select the 1Password Secrets plugin for Jenkins, then select Install.
Refer to Use the GUI for more detailed instructions.

Step 2: Install 1Password CLI

The 1Password Secrets plugin for Jenkins relies on 1Password CLI. You must install 1Password CLI on the same machine that runs the Jenkins CI/CD pipeline. You can install 1Password CLI using a Jenkinsfile or using a Freestyle job. Either of these methods can install 1Password CLI in the same pipeline as the 1Password Secrets plugin for Jenkins or in a separate pipeline.
If you install 1Password CLI in the same pipeline, you will need to add the 1Password CLI installation script before you make any calls to the plugin.If you install 1Password CLI in a separate pipeline, you will need to set the 1Password CLI path to the workspace where you performed the installation in your configuration.
To install 1Password CLI using a Jenkinsfile:
  1. Sign in to your Jenkins instance.
  2. Select New Item.
  3. Enter the job details, then select Pipeline.
  4. Configure the job details.
  5. Scroll to Advanced Project Options > Pipeline.
  6. Select Pipeline script.
  7. Add the code to install 1Password CLI to the Script field. You can install 1Password CLI with a Jenkinsfile using declarative or scripted Jenkins pipeline syntax .
The following examples show how to install 1Password CLI version 2.24 on a Linux amd64 machine. Make sure to change the example scripts to match your platform and use the latest release of 1Password CLI.
Declarative Jenkinsfile
pipeline {
    agent any
    stages {
        stage('Install 1Password CLI') {
            steps {
                sh 'curl -sSfLo op.zip "https://cache.agilebits.com/dist/1P/op2/pkg/v2.24.0/op_linux_amd64_v2.24.0.zip"'
                sh 'unzip -o op.zip -d op-dir'
                sh 'mv -f op-dir/op /usr/local/bin'
                sh 'rm -r op.zip op-dir'
            }
        }
    }
}
# code-result
[Pipeline] Start of Pipeline
[Pipeline] node
Running on Jenkins in /config/workspace/Example
[Pipeline] {
[Pipeline] stage
[Pipeline] { (Install 1Password CLI)
[Pipeline] sh
+ curl -sSfLo op.zip https://cache.agilebits.com/dist/1P/op2/pkg/v2.24.0/op_linux_amd64_v2.24.0.zip
[Pipeline] sh
+ unzip -o op.zip -d op-dir
Archive:  op.zip
extracting: op-dir/op.sig
inflating: op-dir/op
[Pipeline] sh
+ mv -f op-dir/op /usr/local/bin
[Pipeline] sh
+ rm -r op.zip op-dir
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
Finished: SUCCESS
  1. Save the build.

Step 3: Configure the 1Password Secrets plugin for Jenkins

You can configure the 1Password Secrets plugin for Jenkins from the Jenkins dashboard:
  1. Login to your Jenkins instance.
  2. Select Manage Jenkins > System.
  3. Scroll to 1Password Secrets.
  4. Set the 1Password CLI path to the location of the 1Password CLI executable.
    The example script uses /usr/local/bin/op.
The remaining configuration steps depend on whether you use a service account or a Connect server.
You must add at least one Service Account Credential to use a service account with the 1Password Secrets plugin for Jenkins.
  1. Select Add > Jenkins under the Service Account Credential.
  2. Set the Domain.
  3. Set the Kind to Secret text.
    The plugin only supports secret text .
  4. Set the Scope.
  5. Set the Secret to the service account token.
  6. You can leave the ID and Description empty.
  7. Select Add.
For example configurations and pipeline scripts, go to Usage examples.
If you configure both a Connect server and a service account, the Connect server takes precedence.

Configuration

The following sections document the available configuration options and configuration scopes.
If you install 1Password CLI in the same pipeline, you will need to add the 1Password CLI installation script before you make any calls to the plugin.If you install 1Password CLI in a separate pipeline, you will need to set the 1Password CLI path to the workspace where you performed the installation in your configuration.

Configuration options

The 1Password Secrets plugin for Jenkins has configuration options for 1Password CLI, Connect servers, and service accounts.
SettingDescription
Connect HostThe hostname, IP address, or URL of the Connect server.
Connect CredentialThe Connect server token to authenticate with the Connect server. This setting is a Jenkins secret text credential .
Service Account CredentialThe service account token to authenticate with the service account. This setting is a Jenkins secret text credential .
1Password CLI pathThe path to the 1Password CLI executable. The default location is /usr/local/bin/op

Configuration scope

You can configure the 1Password Secrets plugin for Jenkins globally, per folder, or per job.
LevelDescription
GlobalGlobal-level configurations impact all jobs in all folders. To configure the 1Password Secrets plugin for Jenkins globally, add it to your global configuration.
FolderFolder-level configurations impact all jobs within the folder. To configure the 1Password Secrets plugin for Jenkins for a specific folder, add it to the folder configuration.
JobJob-level configurations only impact the jobs you configure. To configure the 1Password Secrets plugin for Jenkins for a single job, configure the plugin in the Jenkinsfile or Freestyle job.
The configuration priority is highest for job-level configurations and lowest for global configurations. The more specific the level, the higher the priority. This means you can have a default configuration at a broader level and override it at more specific levels. For example, if you configure a service account (service account A) globally, but override it with a different service account (service account B) in a job-level configuration, the job will use the second service account (service account B).
If you configure both a Connect server and a service account, the Connect server takes precedence.

Usage examples

The following sections cover several use case examples for the 1Password Secrets plugin for Jenkins:

Use with a Jenkinsfile

You can access secrets within the Jenkins pipeline using secret references with the withSecrets function. This function receives the configuration and list of 1Password secrets and loads them as parameters. Explore the following examples to learn how to use the withSecrets function in various contexts.

The configuration at the beginning of the Jenkinsfile to configure the service account and 1Password CLI is optional. If you don’t provide a configuration, the 1Password Secrets plugin uses a more broadly scoped configuration.Make sure to replace service-account-token with the service account token and op-cli-path with the path you installed the 1Password CLI to (if you used a custom location). See Configuration.
def config = [
        serviceAccountCredentialId: 'service-account-token',
        opCLIPath: 'op-cli-path'
]

The following examples show how to use the withSecrets function in a Jenkinsfile with a 1Password Service Account.
The following declarative Jenkinsfile shows how to use the withSecrets function with a service account. It first defines environment variables to hold the secret values, then uses the withSecrets function to access and assign the values.
Declarative Jenkinsfile
// Configure 1Password CLI and the service account.
def config = [
        serviceAccountCredentialId: 'service-account-token',
        opCLIPath: 'op-cli-path'
]
// Define the environment variables for the values of the secrets.
// Use the secret reference syntax: `op://<vault>/<item>[/section]/<field>`.
def secrets = [
    [envVar: 'DOCKER_USERNAME', secretRef: 'op://vault/item/username'],
    [envVar: 'DOCKER_PASSWORD', secretRef: 'op://vault/item/password']
]
pipeline {
    agent any
    stages{
        stage('Push latest docker image') {
            steps {
                // Use the `withSecrets` function to access secrets.
                withSecrets(config: config, secrets: secrets) {
                    docker.withRegistry('http://somehost:5100') {
                        sh 'docker login -u ${DOCKER_USERNAME} -p ${DOCKER_PASSWORD} http://somehost:5100'
                        def image = docker.build('somebuild')
                        image.push 'latest'
                    }
                }
            }
        }
    }
}
Jenkins Pipeline Syntax helperYou can also use the Jenkins Pipeline Syntax helper to create a pipeline script.

Use with environment variables

The 1Password Secrets plugin for Jenkins lets you use environment variables to get configuration and secrets. The following examples show how to use environment variables with the 1Password Secrets plugin for Jenkins. You must set the environment variables in the environment block. The following table describes each environment variable.
VariableRequiredDescription
OP_CLI_PATHAlways required.The path where you installed the 1Password CLI. If you followed the 1Password CLI installation instruction, set this value to /usr/local/bin.

The example scripts on this page set this value to op-cli-path.
OP_SERVICE_ACCOUNT_TOKENRequired if using a service account.The service account token of the service account to use.

The example scripts on this page set this value to service-account-token variable.
OP_CONNECT_HOSTRequired if using a Connect server.The IP address, hostname, or URL of the Connect server to use.

The example scripts on this page set this value to connect-server-host.
OP_CONNECT_TOKENRequired if using a Connect server.The Connect server token of the Connect server to use.

The example scripts on this page set this value to connect-server-token.
If you don’t configure these environment variables, the 1Password Secrets plugin uses a more broadly scoped configuration.
The following examples show how to use a service account with environment variables in a Jenkinsfile.
Declarative Jenkinsfile
pipeline {
    agent any
    environment {
        // Configure 1Password CLI and the service account.
        OP_SERVICE_ACCOUNT_TOKEN = credentials('service-account-token')
        OP_CLI_PATH = 'op-cli-path'
        // Define the environment variables using the secret reference `op://<vault>/<item>[/section]/<field>`.
        DOCKER_USERNAME = 'op://vault/item/username'
        DOCKER_PASSWORD = 'op://vault/item/password'
    }
    stages{
        stage('Push latest docker image') {
            steps {
                // Access 1Password secrets.
                withSecrets() {
                    docker.withRegistry('http://somehost:5100') {
                        sh 'docker login -u ${DOCKER_USERNAME} -p ${DOCKER_PASSWORD} http://somehost:5100'
                        def image = docker.build('somebuild')
                        image.push 'latest'
                    }
                }
            }
        }
    }
}

Use in a Freestyle Job

You can use the Jenkins Pipeline Syntax helper to set environment variables and access secrets in a Freestyle job.
Use the Jenkins Pipeline Syntax helper to use a service account in a Freestyle job:
  1. From the Freestyle job in Jenkins, go to the Steps section.
  2. Set 1Password CLI path to the location where you installed 1Password CLI.
    The example script uses /usr/local/bin/op.
  3. Set Service Account Credential to the service account token.
  4. Select Add a 1Password secret.
  5. Set the Environment variable for the secret.
  6. Set Secret reference.
    Use the secret reference syntax to point to the 1Password secret.
  7. Select Generate Pipeline Script.