# Secure your deployments

> Use 1Password to securely load secrets into CI/CD, containers, and production applications at runtime.

Hardcoded secrets in CI/CD pipelines, container images, infrastructure configs, and production environments are a leading cause of credential exposure at scale. For example, if a secret is hardcoded in a workflow file under `.github/workflows` or in a `Jenkinsfile`, anyone with access to the repository can see it. A single leaked token can compromise your entire deployment chain, and, historically, rotating exposed secrets required extensive code and configuration updates.

1Password developer tools eliminate secret sprawl across your deployment infrastructure and make rotating secrets simple. Store your credentials in 1Password, then securely load them into your CI/CD pipelines, containers, and production applications at runtime without exposing anything in plaintext in your source control or configuration files. Rotate your secrets by updating them in 1Password.

<Tip>
  **Not sure where to start?** Use the [configuration tables](#choose-your-configuration) to find the best tool and authentication method for your specific use case.
</Tip>

## Environments (beta)

You can use [1Password Environments](/environments) (beta) to store and manage the complete set of secrets for each stage of your deployment infrastructure (for example, staging, production, or per-application), then load them all at once at runtime. Because Environments map directly to how applications consume secrets from the environment, they fit naturally into any deployment workflow that uses environment variables or `.env` files.

You can use Environments across your entire deployment infrastructure. For example:

* **CI/CD pipelines**: Use 1Password CLI to [load the variables stored in Environments](/environments/read-environment-variables#cli) into any CI/CD platform that supports shell commands, so your pipeline runs with the right set of secrets for each deployment stage without storing anything in plaintext.
* **Docker containers and Compose**: Use 1Password SDKs to [fetch variables from an Environment](/environments/read-environment-variables#sdks) within your container's application code, keeping credentials out of your Dockerfile and image layers, or use `op run --environment` to [load an Environment directly into a Docker Compose process](/environments/read-environment-variables#cli).
* **Kubernetes**: For application containers, use 1Password SDKs to [fetch variables from an Environment](/environments/read-environment-variables#sdks) in your code, or use 1Password CLI in an [init container](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) to load variables before your main container starts.
* **Server-side applications**: Use 1Password SDKs to [read variables from an Environment in your application](/environments/read-environment-variables#sdks), with native language integration in Go, JavaScript, or Python.
* **AWS deployments**: [Sync secrets from an Environment directly to AWS Secrets Manager](/environments/aws-secrets-manager), centralizing management in 1Password while using native AWS integrations at runtime.

<CardGroup cols={2}>
  <Card title="Get started with Environments" href="/environments" icon="https://mintcdn.com/ab-634991b8/kblVKwG534GVs6ut/static/img/product-icons/light/environments.svg?fit=max&auto=format&n=kblVKwG534GVs6ut&q=85&s=40fd45ddb1099154832a332c40c46c9a" width="33" height="32" data-path="static/img/product-icons/light/environments.svg">
    Create and manage Environments.
  </Card>

  <Card title="Programmatically read Environments" href="/environments/read-environment-variables" icon="laptop-code">
    Load variables from Environments with 1Password CLI or SDKs.
  </Card>

  <Card title="Sync secrets to AWS Secrets Manager" href="/environments/aws-secrets-manager" icon="cloud-arrow-up">
    Centralize secrets management and simplify your AWS Secrets Manager workflow.
  </Card>
</CardGroup>

<Note>
  You can also replace hardcoded secrets in your deployment configs using [secret references](/cli/secret-references).
</Note>

## Pre-built integrations

1Password provides pre-built integrations for the most popular CI/CD platforms, container orchestration tools, and Infrastructure as Code tools. Each integration uses [secret references](/cli/secret-references) to securely load secrets from 1Password into your pipelines and workflows.

Secret references are URIs that point to the names or IDs of the specific vault, item, section, and field where an individual secret is stored in your 1Password account.

```
op://<vault-name>/<item-name>/[section-name/]<field-name>
```

When a pipeline step runs, the integration resolves each reference and makes the actual secrets available as environment variables or step outputs. Sensitive values are automatically masked in build logs.
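The following is an added example, not part of the 1Password tooling: a repository check that parses the secret reference form shown above and reports any variable in an env-style file whose value is a plaintext literal or a malformed reference. The file layout (`KEY=value` lines), the `allow_plain` allowlist, and the sample vault and item names are assumptions made for illustration, and only the reference form documented on this page is handled.

```python
"""Lint an env-style file so that every value is a 1Password secret reference."""
from dataclasses import dataclass
from typing import List, Optional

SCHEME = "op://"

@dataclass
class SecretRef:
    vault: str
    item: str
    section: Optional[str]
    field: str

@dataclass
class Finding:
    line_no: int
    key: str
    status: str  # "reference", "malformed", or "plaintext"
    detail: str

def parse_secret_reference(value: str) -> SecretRef:
    """Parse op://<vault>/<item>/[section/]<field>; raise ValueError if malformed."""
    if not value.startswith(SCHEME):
        raise ValueError("not an op:// reference")
    parts = value[len(SCHEME):].split("/")
    if len(parts) not in (3, 4):
        raise ValueError(f"expected 3 or 4 path segments, got {len(parts)}")
    if any(not part.strip() for part in parts):
        raise ValueError("empty path segment")
    if len(parts) == 3:
        vault, item, field = parts
        return SecretRef(vault, item, None, field)
    vault, item, section, field = parts
    return SecretRef(vault, item, section, field)

def lint_env_text(text: str, allow_plain=frozenset()) -> List[Finding]:
    """Classify each KEY=value line; keys in allow_plain may hold literals."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().removeprefix("export ").strip()
        value = value.strip().strip("\"'")
        if key in allow_plain:
            continue
        if value.startswith(SCHEME):
            try:
                ref = parse_secret_reference(value)
                detail = f"vault={ref.vault} item={ref.item} field={ref.field}"
                findings.append(Finding(line_no, key, "reference", detail))
            except ValueError as exc:
                findings.append(Finding(line_no, key, "malformed", str(exc)))
        else:
            # Report only the length: this output may land in a build log.
            detail = f"{len(value)}-character literal value"
            findings.append(Finding(line_no, key, "plaintext", detail))
    return findings

def failures(findings: List[Finding]) -> List[Finding]:
    """Findings that should fail the check."""
    return [f for f in findings if f.status != "reference"]

# Constructed sample input; vault, item, and field names are hypothetical.
SAMPLE = """\
# staging variables (constructed for this example)
APP_ENV=production
DB_PASSWORD=op://prod-vault/postgres/password
API_KEY="op://prod-vault/payments/api/credential"
SMTP_PASSWORD=hunter2-not-a-real-secret
WEBHOOK_SECRET=op://prod-vault/webhook
"""

if __name__ == "__main__":
    results = lint_env_text(SAMPLE, allow_plain={"APP_ENV"})
    for f in results:
        print(f"line {f.line_no}: {f.key}: {f.status} ({f.detail})")
    raise SystemExit(1 if failures(results) else 0)
```

Run as a pre-commit hook or an early pipeline step, the non-zero exit code stops the build before a literal value reaches source control or a deployed configuration.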

### GitHub Actions

The [Load Secrets from 1Password GitHub Action <Icon icon="arrow-up-right-from-square" />](https://github.com/marketplace/actions/load-secrets-from-1password) adds a step to your workflow that resolves secret references and exposes them as environment variables or step outputs. To get started:

1. [Create a service account](/service-accounts/get-started) with access to the vaults your pipeline needs.
2. Store the service account token as a [GitHub repository secret <Icon icon="arrow-up-right-from-square" />](https://docs.github.com/en/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets) (for example, `OP_SERVICE_ACCOUNT_TOKEN`).
3. Add the `1password/load-secrets-action/configure` step to set the token.
4. Add the `1password/load-secrets-action` step to set your environment variables to secret references.

<CardGroup cols={2}>
  <Card title="GitHub Actions integration" href="/ci-cd/github-actions" icon="https://mintcdn.com/ab-634991b8/kblVKwG534GVs6ut/static/img/product-icons/light/cli.svg?fit=max&auto=format&n=kblVKwG534GVs6ut&q=85&s=6cc858defdafe9584a48abfd8139136b" width="33" height="32" data-path="static/img/product-icons/light/cli.svg">
    Full setup guide with examples for service accounts and Connect server.
  </Card>
</CardGroup>

### CircleCI

The [1Password Secrets orb <Icon icon="arrow-up-right-from-square" />](https://circleci.com/developer/orbs/orb/onepassword/secrets) provides two commands for loading secrets: `exec` (resolves secrets on demand with automatic masking) and `export` (makes secrets available to subsequent steps). To get started:

1. [Create a service account](/service-accounts/get-started) and set `OP_SERVICE_ACCOUNT_TOKEN` in your [CircleCI project settings <Icon icon="arrow-up-right-from-square" />](https://circleci.com/docs/guides/about-circleci/introduction-to-the-circleci-web-app/#project-settings).
2. Add the `onepassword/secrets` orb to your [`config.yml` <Icon icon="arrow-up-right-from-square" />](https://circleci.com/docs/guides/getting-started/config-intro/).
3. Install 1Password CLI using the [`1password/install-cli` command](/ci-cd/circle-ci#commands).
4. Use [`1password/exec`](/ci-cd/circle-ci#load-secrets-with-the-exec-command) or [`1password/export`](/ci-cd/circle-ci#load-secrets-with-the-export-command) to load secrets in your pipeline steps.

<CardGroup cols={2}>
  <Card title="CircleCI integration" href="/ci-cd/circle-ci" icon="https://mintcdn.com/ab-634991b8/kblVKwG534GVs6ut/static/img/product-icons/light/cli.svg?fit=max&auto=format&n=kblVKwG534GVs6ut&q=85&s=6cc858defdafe9584a48abfd8139136b" width="33" height="32" data-path="static/img/product-icons/light/cli.svg">
    Full setup guide with examples for service accounts and Connect server.
  </Card>
</CardGroup>

### Jenkins

The [1Password Secrets plugin for Jenkins <Icon icon="arrow-up-right-from-square" />](https://plugins.jenkins.io/onepassword-secrets/) loads secrets into pipeline steps using the `withSecrets` function. Configuration can be set globally, per folder, or per job, with more specific levels overriding broader ones. To get started:

1. [Install the 1Password Secrets plugin for Jenkins](/ci-cd/jenkins#install-plugin).
2. [Install 1Password CLI](/ci-cd/jenkins#step-2-install-1password-cli) on the machine running your Jenkins pipelines.
3. [Configure the plugin](/ci-cd/jenkins#step-3-configure-the-1password-secrets-plugin-for-jenkins) with your service account token or Connect server credentials.
4. [Use the `withSecrets` function in your Jenkinsfile](/ci-cd/jenkins#use-with-a-jenkinsfile) to access secrets by reference.

<CardGroup cols={2}>
  <Card title="Jenkins integration" href="/ci-cd/jenkins" icon="https://mintcdn.com/ab-634991b8/kblVKwG534GVs6ut/static/img/product-icons/light/cli.svg?fit=max&auto=format&n=kblVKwG534GVs6ut&q=85&s=6cc858defdafe9584a48abfd8139136b" width="33" height="32" data-path="static/img/product-icons/light/cli.svg">
    Full setup guide with Declarative and Scripted Jenkinsfile examples.
  </Card>
</CardGroup>

### Kubernetes

Use the [Kubernetes Operator](/k8s/operator) to sync 1Password items to native Kubernetes Secrets, the [Kubernetes Secrets Injector](/k8s/injector) to inject secrets directly into pods at runtime (avoiding the need to store them as Kubernetes Secret resources), or [`op inject`](/cli/secrets-config-files) to inject secret references in manifests when you deploy.

<CardGroup cols={2}>
  <Card title="Kubernetes integrations" href="/k8s/integrations" icon="https://mintcdn.com/ab-634991b8/kblVKwG534GVs6ut/static/img/product-icons/light/cli.svg?fit=max&auto=format&n=kblVKwG534GVs6ut&q=85&s=6cc858defdafe9584a48abfd8139136b" width="33" height="32" data-path="static/img/product-icons/light/cli.svg">
    Kubernetes Operator, Secrets Injector, and Helm chart integrations.
  </Card>
</CardGroup>

### Terraform, Pulumi, and Ansible

1Password integrates with popular Infrastructure as Code (IaC) tools so you can reference and manage secrets as part of your provisioning workflow without committing plaintext credentials to version control or hardcoding them in HCL or YAML.

* **Terraform**: The [1Password Terraform provider](/terraform) lets you reference 1Password items as data sources or create and update items as managed resources.
* **Pulumi**: The [1Password Pulumi provider](/pulumi) gives you programmatic access to 1Password items in TypeScript, Python, or Go.
* **Pulumi ESC**: The Pulumi ESC integration lets you dynamically import secrets from 1Password into [Pulumi ESC environment definitions <Icon icon="arrow-up-right-from-square" />](https://www.pulumi.com/docs/esc/providers/1password-secrets/) for centralized configuration.
* **Ansible**: The [1Password Ansible collection](/connect/ansible-collection) lets you interact with your 1Password Connect deployment from playbooks. It supports managing 1Password vaults and items through create, read, update, and delete operations.

<CardGroup cols={2}>
  <Card title="Terraform provider" href="/terraform" icon="https://mintcdn.com/ab-634991b8/kblVKwG534GVs6ut/static/img/product-icons/light/cli.svg?fit=max&auto=format&n=kblVKwG534GVs6ut&q=85&s=6cc858defdafe9584a48abfd8139136b" width="33" height="32" data-path="static/img/product-icons/light/cli.svg">
    Reference, create, or update 1Password items from Terraform.
  </Card>

  <Card title="Pulumi provider" href="/pulumi" icon="https://mintcdn.com/ab-634991b8/kblVKwG534GVs6ut/static/img/product-icons/light/cli.svg?fit=max&auto=format&n=kblVKwG534GVs6ut&q=85&s=6cc858defdafe9584a48abfd8139136b" width="33" height="32" data-path="static/img/product-icons/light/cli.svg">
    Access vault items programmatically from Pulumi.
  </Card>

  <Card title="Ansible collection" href="/connect/ansible-collection" icon="https://mintcdn.com/ab-634991b8/kblVKwG534GVs6ut/static/img/product-icons/light/connect.svg?fit=max&auto=format&n=kblVKwG534GVs6ut&q=85&s=97582b6157791ee94a12439920176746" width="33" height="32" data-path="static/img/product-icons/light/connect.svg">
    Manage 1Password vaults and items from playbooks with Connect.
  </Card>
</CardGroup>

## Choose your configuration

Use the tables below to find the best tools and authentication method for your deployment use case. Every scenario includes a recommended [tool](#tool-options) and [authentication method](#authentication-options).

### Tool options

* [1Password Environments](#environments-beta): Best for managing project secrets in 1Password and eliminating plaintext secrets in code.
* [Platform-specific integrations](/integrations): Load secrets using secret references into Ansible, AWS Secrets Manager, CircleCI, ECS Fargate, GitHub Actions, Jenkins, Kubernetes, Pulumi, and Terraform.
* [Secret references](/cli/secret-references): Secure URIs that point to where a secret is stored in 1Password.
* [1Password CLI](/cli/get-started): Best for quick testing, shell scripts, CI/CD pipelines, Infrastructure as Code, build tools and task runners. Environments require the [latest CLI beta](/environments/read-environment-variables#cli).
* [1Password SDKs](/sdks): Best for native integrations with Go, Python, or JavaScript applications. Environments require the [latest SDK beta](/environments/read-environment-variables#sdks).
* [1Password Connect Server](/connect/get-started): Deploy a private REST API within your own infrastructure. After the initial fetch, secrets are cached locally for subsequent requests, reducing latency and dependency on external API availability.

### Authentication options

All deployment workflows require non-interactive authentication. 1Password offers two options depending on your infrastructure needs.

* [1Password Service Accounts](/service-accounts/get-started) **(recommended)**: Authenticate using a token scoped to least privilege access in specific vaults or Environments, with no user interaction required. Service accounts can’t access your built-in [Personal](https://support.1password.com/1password-glossary#personal-vault), [Private](https://support.1password.com/1password-glossary#private-vault), or [Employee](https://support.1password.com/1password-glossary#employee-vault) vault.
* [Connect server token](/connect/get-started): Authenticate with your Connect server host and token.

### Scenarios

#### CI/CD pipelines

| Use case                                                | Recommended tool                                                                          | Authentication method                            | Why this approach                                                                                                                                                                                                                                                                                                                            |
| ------------------------------------------------------- | ----------------------------------------------------------------------------------------- | ------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **GitHub Actions**                                      | [GitHub integration](/ci-cd/github-actions) + [secret references](/cli/secret-references) | [Service account](/service-accounts/get-started) | The Load Secrets from 1Password GitHub Action loads referenced secrets and makes them available as environment variables or in the action's output. Secrets are automatically masked in logs.                                                                                                                                                |
| **CircleCI**                                            | [CircleCI integration](/ci-cd/circle-ci) + [secret references](/cli/secret-references)    | [Service account](/service-accounts/get-started) | The 1Password Secrets orb loads referenced secrets on demand using `exec` or makes them available as environment variables for subsequent steps. The `exec` command automatically masks secrets.                                                                                                                                             |
| **Jenkins**                                             | [Jenkins integration](/ci-cd/jenkins) + [secret references](/cli/secret-references)       | [Service account](/service-accounts/get-started) | The 1Password Secrets plugin for Jenkins uses the `withSecrets` function to load referenced secrets as environment variables. Supports global, folder, and job-level configuration scopes.                                                                                                                                                   |
| **Other CI/CD platforms** (must support shell commands) | [CLI](/cli/get-started) + [Environments](/environments)                                   | [Service account](/service-accounts/get-started) | Use Environments to pass project variables into CI/CD pipelines that support shell commands. This allows you to organize and switch between secrets by development context. Service accounts provide automated authentication and can be scoped to only the Environments or vaults your pipeline needs access to for least privilege access. |

#### Containers and orchestration

| Use case              | Recommended tool                                                                     | Authentication method                            | Why this approach                                                                                                                                                                                                                                    |
| --------------------- | ------------------------------------------------------------------------------------ | ------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Docker containers** | [SDKs](/sdks) + [Environments](/environments)                                        | [Service account](/service-accounts/get-started) | Use a 1Password SDK to read secrets from an Environment in your application, keeping credentials out of your Dockerfile, image layers, and `docker-compose.yml`.                                                                                     |
| **Docker Compose**    | [CLI/SDKs](/environments/read-environment-variables) + [Environments](/environments) | [Service account](/service-accounts/get-started) | Use 1Password SDKs to fetch variables from an Environment within your container’s application code, keeping credentials out of your Dockerfile and image layers, or use 1Password CLI to load an Environment directly into a Docker Compose process. |
| **Kubernetes**        | [Kubernetes Operator](/k8s/operator) or [Secrets Injector](/k8s/injector)            | [Service account](/service-accounts/get-started) | The 1Password Kubernetes Operator syncs 1Password items to native Kubernetes Secrets, while the Secrets Injector injects them directly into pods.                                                                                                    |

#### Infrastructure as Code

| Use case                                          | Recommended tool                                                                                                                     | Authentication method                            | Why this approach                                                                                                                                                                                                                                |
| ------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **Terraform**                                     | [Terraform provider](/terraform) + [secret references](/cli/secret-references)                                                       | [Service account](/service-accounts/get-started) | The 1Password Terraform provider lets you reference, create, or update 1Password items as part of your infrastructure provisioning.                                                                                                              |
| **Pulumi**                                        | [Pulumi provider](/pulumi) + [secret references](/cli/secret-references)                                                             | [Service account](/service-accounts/get-started) | The 1Password Pulumi provider allows you to access and manage items in your 1Password vaults.                                                                                                                                                    |
| **Pulumi ESC**                                    | [Pulumi ESC integration](https://www.pulumi.com/docs/esc/providers/1password-secrets/) + [secret references](/cli/secret-references) | [Service account](/service-accounts/get-started) | The 1password-secrets provider allows you to dynamically import secrets from 1Password into your Pulumi ESC environment.                                                                                                                         |
| **Ansible**                                       | [Ansible collection](/connect/ansible-collection) + [secret references](/cli/secret-references)                                      | [Connect server](/connect/get-started)           | If you use a self-deployed Connect server, the 1Password Ansible collection lets you create, read, update, and delete vault items and vaults from playbooks.                                                                                     |
| **Other IaC tools** (must support shell commands) | [CLI](/environments/read-environment-variables#cli) + [Environments](/environments)                                                  | [Service account](/service-accounts/get-started) | Pass sets of variables from Environments using 1Password CLI. Environments allow you to easily manage and share project secrets from 1Password. Switch to secrets for a different development context by pointing to a different Environment ID. |

#### Production applications

| Use case                                              | Recommended tool                                                                                  | Authentication method                            | Why this approach                                                                                                                                                                                                                                                            |
| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------- | ------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Server-side applications** (Go, JavaScript, Python) | [SDKs](/sdks) + [Environments](/environments)                                                     | [Service account](/service-accounts/get-started) | 1Password SDKs provide native language integration with proper error handling and type safety. Environments are best for managing and switching between sets of project variables for different development contexts. Service accounts are best for headless authentication. |
| **Self-hosted infrastructure**                        | [Connect SDK](/connect) + [secret references](/cli/secret-references)                             | [Connect server](/connect/get-started)           | 1Password Connect server hosts a private REST API in your own infrastructure, enabling unlimited re-requests and reducing dependency on external API availability.                                                                                                           |
| **AWS ECS Fargate**                                   | [ECS Fargate integration](/connect/aws-ecs-fargate) + [secret references](/cli/secret-references) | [Connect server](/connect/get-started)           | The 1Password ECS Fargate integration uses a sidecar container running 1Password Connect to inject secrets into your task definitions at runtime.                                                                                                                            |
| **AWS deployments**                                   | [Environments](/environments) + [AWS Secrets Manager sync](/environments/aws-secrets-manager)     | [Service account](/service-accounts/get-started) | Sync secrets from 1Password Environments directly to AWS Secrets Manager, centralizing management in 1Password and simplifying your AWS workflow.                                                                                                                            |

## Get help

To get help, join the discussion in our [Developer community](https://www.1password.community/category/discuss/discussions/developers) or join our [Developer Slack workspace](https://developer.1password.com/joinslack).
