Skip to main content
Beta The Terraform shell plugin allows you to use 1Password to securely authenticate Terraform CLI to supported providers with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. You can configure the Terraform plugin to authenticate with biometrics to any provider in the 1Password Shell Plugin ecosystem, like AWS, ngrok, and Databricks.
The Terraform shell plugin is currently in beta. It can only be used with the latest beta build of 1Password CLI.

Requirements

  1. Sign up for 1Password.
  2. Install and sign in to 1Password for Mac or Linux.
  3. Install the latest beta build of 1Password CLI (2.19.0-beta.01 or later).
  4. Integrate 1Password CLI with the 1Password app.
  5. Install Terraform CLI .
The following shells are supported:
  • Bash
  • Zsh
  • fish

Step 1: Configure your default credentials

If you have multiple 1Password accounts, run op signin to select the account you want to use before configuring the plugin. When you use the plugin, 1Password CLI will automatically switch to that account.
To get started with the Terraform shell plugin, run: 
op plugin init terraform
You’ll be prompted to select the credential types you want to use with Terraform — you can choose as many as you want. Select the credential type for a supported provider, then you can either import the credential into your 1Password account or select an existing 1Password item where the credential is saved. When you’ve configured all the credentials you want to use with Terraform, select Stop choosing credentials.

Step 1.1: Import or select an item

Import a new item

If you haven’t saved a credential in 1Password yet, select Import into 1Password. Enter a name for the new 1Password item and select the vault where you want to save it. If 1Password detects the credential in your local development environment, you’ll be prompted to import it automatically.

Select an existing item

If you’ve already saved a credential in 1Password, select Search in 1Password. Select the item from the list of suggested items. If you don’t see the item you want, select Expand search to browse all items in your account.

Step 1.2: Set default credential scope

After you finish selecting your credentials, you’ll be prompted to configure when to use them.
  • Prompt me for each new terminal session will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the defaults will be removed.
  • Use automatically when in this directory or subdirectories will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one.
  • Use as global default on my system will set the credentials as the defaults in all terminal sessions and directories. A directory-specific default takes precedence over a global one.

Step 2: Source the plugins.sh file

To make the plugin available, source your plugins.sh file. For example: 
source ~/.config/op/plugins.sh
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path. If this is your first time installing a shell plugin, you’ll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:

Step 3: Use the CLI

The next time you use Terraform CLI with one of the providers you configured credentials for, you’ll be prompted to authenticate with biometrics or system authentication.
The terraform plan command being authenticated to AWS with Touch ID.

Step 4: Remove imported credentials from disk

After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk, like in your provider configurations .

Next steps

1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs:

op plugin list

To choose another plugin to get started with:

op plugin init

To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts.

Get help

Inspect your configuration

To inspect your current Terraform configuration: 
op plugin inspect terraform
1Password CLI will return a list of the credentials you’ve configured to use with Terraform and their default scope, as well as a list of aliases configured for Terraform CLI.
1Password CLI inspecting a Terraform shell plugin with AWS and ngrok credentials configured as global defaults.

Clear your credentials

To reset the credentials used with Terraform CLI: 
op plugin clear terraform
You can clear one configuration at a time, in this order of precedence:
  1. Terminal session default
  2. Directory default, from the current directory to $HOME
  3. Global default
For example, if you’re in the directory $HOME/projects/awesomeProject and you have a terminal session default, directory defaults for $HOME and $HOME/projects/awesomeProject, and a global default credential configured, you would need to run op plugin clear terraform four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run op plugin clear terraform —all.

Reference

1Password authenticates to Terraform providers by provisioning the credentials required by the plugin commands directly from your 1Password account. If you saved your provider credentials manually rather than using op plugin to import a new item, you might be prompted to rename your item’s fields to match the item structure required by the credential schema.