Hardcoded secrets in CI/CD pipelines, container images, infrastructure configs, and production environments are a leading cause of credential exposure at scale. For example, if a secret is hardcoded in a .github/workflows file or Jenkinsfile, anyone with access to the repository can see it. A single leaked token can compromise your entire deployment chain, and historically rotating exposed secrets required extensive code and configuration updates.
1Password developer tools eliminate secret sprawl across your deployment infrastructure and make rotating secrets simple. Store your credentials in 1Password, then securely load them into your CI/CD pipelines, containers, and production applications at runtime without exposing anything in plaintext in your source control or configuration files. Rotate your secrets by updating them in 1Password.
Environments (beta)
You can use 1Password Environments (beta) to store and manage the complete set of secrets for each stage of your deployment infrastructure (for example, staging, production, or per-application), then load them all at once at runtime. Because Environments map directly to how applications consume secrets from the environment, they fit naturally into any deployment workflow that uses environment variables or .env files.
You can use Environments across your entire deployment infrastructure. For example:
- CI/CD pipelines: Use 1Password CLI to load the variables stored in Environments into any CI/CD platform that supports shell commands, so your pipeline runs with the right set of secrets for each deployment stage without storing anything in plaintext.
- Docker containers and Compose: Use 1Password SDKs to fetch variables from an Environment within your container’s application code, keeping credentials out of your Dockerfile and image layers, or use `op run --environment` to load an Environment directly into a Docker Compose process.
- Kubernetes: For application containers, use 1Password SDKs to fetch variables from an Environment in your code, or use 1Password CLI in an init container to load variables before your main container starts.
- Server-side applications: Use 1Password SDKs to read variables from an Environment in your application, with native language integration in Go, JavaScript, or Python.
- AWS deployments: Sync secrets from an Environment directly to AWS Secrets Manager, centralizing management in 1Password while using native AWS integrations at runtime.
Get started with Environments
Create and manage Environments.
Programmatically read Environments
Load variables from Environments with 1Password CLI or SDKs.
Sync secrets to AWS Secrets Manager
Centralize secrets management and simplify your AWS Secrets Manager workflow.
You can also replace hardcoded secrets in your deployment configs using secret references.
Pre-built integrations
1Password provides pre-built integrations for the most popular CI/CD platforms, container orchestration tools, and Infrastructure as Code tools. Each integration uses secret references to securely load secrets from 1Password into your pipelines and workflows. Secret references are URIs that point to the names or IDs of the specific vault, item, section, and field where an individual secret is stored in your 1Password account.
GitHub Actions
The Load Secrets from 1Password GitHub Action adds a step to your workflow that resolves secret references and exposes them as environment variables or step outputs. To get started:
- Create a service account with access to the vaults your pipeline needs.
- Store the service account token as a GitHub repository secret (for example, `OP_SERVICE_ACCOUNT_TOKEN`).
- Add the `1password/load-secrets-action/configure` step to set the token.
- Add the `1password/load-secrets-action` step to set your environment variables to secret references.
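A workflow that follows these four steps, added here as an example and not taken from the 1Password docs. The vault and item names, the registry hostname, and the `v2` action tag are assumptions; only the service account token lives in a repository secret, and every other credential appears in the file solely as an `op://` reference.

```yaml
name: deploy
on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Configure step: authenticate with the service account token stored as a
      # repository secret, so no 1Password credential is written in the workflow.
      - name: Configure 1Password
        uses: 1password/load-secrets-action/configure@v2
        with:
          service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}

      # Load step: each env var whose value is a secret reference is resolved and,
      # with export-env, exported to later steps; resolved values are masked in logs.
      - name: Load secrets
        uses: 1password/load-secrets-action@v2
        with:
          export-env: true
        env:
          # op://<vault>/<item>/<field> -- vault and item names are made up here
          REGISTRY_PASSWORD: op://ci-deploy/container-registry/password
          DEPLOY_API_TOKEN: op://ci-deploy/deploy-api/credential

      # Later steps read the resolved values as ordinary environment variables.
      - name: Push image
        run: |
          echo "$REGISTRY_PASSWORD" | docker login registry.example.com \
            -u ci-bot --password-stdin
```

Scope the service account to the `ci-deploy` vault only, so a compromised runner can read nothing beyond what this pipeline needs.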
GitHub Actions integration
Full setup guide with examples for service accounts and Connect server.
CircleCI
The 1Password Secrets orb provides two commands for loading secrets: `exec` (resolves secrets on demand with automatic masking) and `export` (makes secrets available to subsequent steps). To get started:
- Create a service account and set `OP_SERVICE_ACCOUNT_TOKEN` in your CircleCI project settings.
- Add the `onepassword/secrets` orb to your `config.yml`.
- Install 1Password CLI using the `1password/install-cli` command.
- Use `1password/exec` or `1password/export` to load secrets in your pipeline steps.
CircleCI integration
Full setup guide with examples for service accounts and Connect server.
Jenkins
The 1Password Secrets plugin for Jenkins loads secrets into pipeline steps using the `withSecrets` function. Configuration can be set globally, per folder, or per job, with more specific levels overriding broader ones. To get started:
- Install the 1Password Secrets plugin for Jenkins.
- Install 1Password CLI on the machine running your Jenkins pipelines.
- Configure the plugin with your service account token or Connect server credentials.
- Use the `withSecrets` function in your Jenkinsfile to access secrets by reference.
Jenkins integration
Full setup guide with Declarative and Scripted Jenkinsfile examples.
Kubernetes
Use the Kubernetes Operator to sync 1Password items to native Kubernetes Secrets, the Kubernetes Secrets Injector to inject secrets directly into pods at runtime (avoiding the need to store them as Kubernetes Secret resources), or `op inject` to resolve the secret references in your manifests when you deploy.
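The init-container approach mentioned above, written out as an added example (not from the 1Password docs): the CLI runs `op inject` on a committed template that contains only `op://` references and writes the resolved file to a memory-backed volume shared with the application container. The `1password/op:2` image, the `op-service-account` Secret, the vault and item names, and the application image are assumptions.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-env-template
data:
  # Only secret references are committed; op inject resolves them at pod start.
  app.env: |
    DATABASE_URL=op://production/postgres/connection-string
    API_KEY=op://production/payments-api/credential
---
apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  volumes:
    - name: env-template
      configMap:
        name: app-env-template
    - name: resolved-env
      emptyDir:
        medium: Memory        # resolved secrets stay in RAM, never on node disk
  initContainers:
    - name: load-secrets
      image: 1password/op:2   # assumed: the 1Password CLI container image
      command: ["op", "inject", "-i", "/templates/app.env", "-o", "/secrets/app.env"]
      env:
        - name: OP_SERVICE_ACCOUNT_TOKEN
          valueFrom:
            secretKeyRef:
              name: op-service-account   # assumed: the only Kubernetes Secret needed
              key: token
      volumeMounts:
        - name: env-template
          mountPath: /templates
          readOnly: true
        - name: resolved-env
          mountPath: /secrets
  containers:
    - name: app
      image: registry.example.com/app:1.0   # placeholder application image
      # Source the resolved file into the environment, then exec the real process.
      command: ["sh", "-c", "set -a; . /secrets/app.env; set +a; exec /app/server"]
      volumeMounts:
        - name: resolved-env
          mountPath: /secrets
          readOnly: true
```

The only credential stored in the cluster is the service account token; the application secrets themselves never become Kubernetes Secret resources, and rotating one is a change in 1Password followed by a pod restart.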
Kubernetes integrations
Kubernetes Operator, Secrets Injector, and Helm chart integrations.
Terraform, Pulumi, and Ansible
1Password integrates with popular Infrastructure as Code (IaC) tools so you can reference and manage secrets as part of your provisioning workflow without committing plaintext credentials to version control or hardcoding them in HCL or YAML.
- Terraform: The 1Password Terraform provider lets you reference 1Password items as data sources or create and update items as managed resources.
- Pulumi: The 1Password Pulumi provider gives you programmatic access to 1Password items in TypeScript, Python, or Go.
- Pulumi ESC: The Pulumi ESC integration lets you dynamically import secrets from 1Password into Pulumi ESC environment definitions for centralized configuration.
- Ansible: The 1Password Ansible collection lets you interact with your 1Password Connect deployment from playbooks. It supports managing 1Password vaults and items through create, read, update, and delete operations.
Terraform provider
Reference, create, or update 1Password items from Terraform.
Pulumi provider
Access vault items programmatically from Pulumi.
Ansible collection
Manage 1Password vaults and items from playbooks with Connect.
Choose your configuration
Use the tables below to find the best tools and authentication method for your deployment use case. Every scenario includes a recommended tool and authentication method.
Tool options
- 1Password Environments: Best for managing project secrets in 1Password and eliminating plaintext secrets in code.
- Platform-specific integrations: Load secrets using secret references into Ansible, AWS Secrets Manager, CircleCI, ECS Fargate, GitHub Actions, Jenkins, Kubernetes, Pulumi, and Terraform.
- Secret references: Secure URIs that point to where a secret is stored in 1Password.
- 1Password CLI: Best for quick testing, shell scripts, CI/CD pipelines, Infrastructure as Code, build tools and task runners. Environments require the latest CLI beta.
- 1Password SDKs: Best for native integrations with Go, Python, or JavaScript applications. Environments require the latest SDK beta.
- 1Password Connect Server: Deploy a private REST API within your own infrastructure. After the initial fetch, secrets are cached locally for subsequent requests, reducing latency and dependency on external API availability.
Authentication options
All deployment workflows require non-interactive authentication. 1Password offers two options depending on your infrastructure needs.
- 1Password Service Accounts (recommended): Authenticate using a token scoped to least privilege access in specific vaults or Environments, with no user interaction required. Service accounts can’t access your built-in Personal, Private, or Employee vault.
- Connect server token: Authenticate with your Connect server host and token.
Scenarios
CI/CD pipelines
| Use case | Recommended tool | Authentication method | Why this approach |
|---|---|---|---|
| GitHub Actions | GitHub integration + secret references | Service account | The Load Secrets from 1Password GitHub Action loads referenced secrets and makes them available as environment variables or in the action’s output. Secrets are automatically masked in logs. |
| CircleCI | CircleCI integration + secret references | Service account | The 1Password Secrets orb loads referenced secrets on demand using exec or makes them available as environment variables for subsequent steps. The exec command automatically masks secrets. |
| Jenkins | Jenkins integration + secret references | Service account | The 1Password Secrets plugin for Jenkins uses the withSecrets function to load referenced secrets as environment variables. Supports global, folder, and job-level configuration scopes. |
| Other CI/CD platforms (must support shell commands) | CLI + Environments | Service account | Use Environments to pass project variables into CI/CD pipelines that support shell commands. This allows you to organize and switch between secrets by development context. Service accounts provide automated authentication and can be scoped to only the Environments or vaults your pipeline needs access to for least privilege access. |
Containers and orchestration
| Use case | Recommended tool | Authentication method | Why this approach |
|---|---|---|---|
| Docker containers | SDKs + Environments | Service account | Use a 1Password SDK to read secrets from an Environment in your application, keeping credentials out of your Dockerfile, image layers, and docker-compose.yml. |
| Docker Compose | CLI/SDKs + Environments | Service account | Use 1Password SDKs to fetch variables from an Environment within your container’s application code, keeping credentials out of your Dockerfile and image layers, or use 1Password CLI to load an Environment directly into a Docker Compose process. |
| Kubernetes | Kubernetes Operator or Secrets Injector | Service account | The 1Password Kubernetes Operator syncs 1Password items to native Kubernetes Secrets, while the Secrets Injector injects them directly into pods. |
Infrastructure as Code
| Use case | Recommended tool | Authentication method | Why this approach |
|---|---|---|---|
| Terraform | Terraform provider + secret references | Service account | The 1Password Terraform provider lets you reference, create, or update 1Password items as part of your infrastructure provisioning. |
| Pulumi | Pulumi provider + secret references | Service account | The 1Password Pulumi provider allows you to access and manage items in your 1Password vaults. |
| Pulumi ESC | Pulumi ESC integration + secret references | Service account | The 1password-secrets provider allows you to dynamically import secrets from 1Password into your Pulumi ESC environment. |
| Ansible | Ansible collection + secret references | Connect server | If you use a self-deployed Connect server, the 1Password Ansible collection lets you create, read, update, and delete vault items and vaults from playbooks. |
| Other IaC tools (must support shell commands) | CLI + Environments | Service account | Pass sets of variables from Environments using 1Password CLI. Environments allow you to easily manage and share project secrets from 1Password. Switch to secrets for a different development context by pointing to a different Environment ID. |
Production applications
| Use case | Recommended tool | Authentication method | Why this approach |
|---|---|---|---|
| Server-side applications (Go, JavaScript, Python) | SDKs + Environments | Service account | 1Password SDKs provide native language integration with proper error handling and type safety. Environments are best for managing and switching between sets of project variables for different development contexts. Service accounts are best for headless authentication. |
| Self-hosted infrastructure | Connect SDK + secret references | Connect server | 1Password Connect server hosts a private REST API in your own infrastructure, enabling unlimited re-requests and reducing dependency on external API availability. |
| AWS ECS Fargate | ECS Fargate integration + secret references | Connect server | The 1Password ECS Fargate integration uses a sidecar container running 1Password Connect to inject secrets into your task definitions at runtime. |
| AWS deployments | Environments + AWS Secrets Manager sync | Service account | Sync secrets from 1Password Environments directly to AWS Secrets Manager, centralizing management in 1Password and simplifying your AWS workflow. |