Skip to main content
You can use the 1Password provider for Pulumi to access and manage items in your 1Password vaults.

Requirements

The provider can be configured to authenticate with a service account, a Connect server, or with your 1Password account details.
1Password Service Accounts allow you to restrict the provider’s access to specific vaults in your 1Password account, so you can follow the principle of least privilege in your project.To use a service account with the 1Password provider for Pulumi, you’ll need:

Step 1: Install the 1Password provider for Pulumi

With a package manager

To use the provider with JavaScript or TypeScript in Node.js, install using either npm or yarn:
npm install @1password/pulumi-onepassword

With the provider binary

To install the 1Password provider binary, use the pulumi plugin command: 
pulumi plugin install resource onepassword <version> --server github://api.github.com/1Password/pulumi-onepassword

Step 2: Configure the provider with your credentials

You can provide your 1Password credentials to Pulumi in the environment or in your Pulumi configuration. Your Pulumi configuration is a good option if you want to store your credentials alongside your Pulumi stack for multi-user access.
  1. Create a service account or find the token for an existing service account. Make sure the service account has access to the appropriate vaults and adequate permissions in those vaults.
  2. Provide the token to Pulumi using either an environment variable or your Pulumi configuration.

    Environment variable

    export OP_SERVICE_ACCOUNT_TOKEN=<your-service-account-token>

    Pulumi configuration

    Make sure to pass --secret when setting sensitive data.
  3. Install 1Password CLI in your PATH. If you install the CLI outside of your PATH, specify the path to your 1Password CLI binary using either an environment variable or your Pulumi configuration.

    Environment variable

    export OP_CLI_PATH=<path-to-your-cli-binary>

    Pulumi configuration

Step 3: Use the provider

See Pulumi’s documentation to learn how to access and manage your items using the 1Password provider.

Reference

You can use either Pulumi configuration keys or environment variables to provide your 1Password credentials to Pulumi.
Configuration keyEnvironment variableDescriptionAuthentication method
pulumi-onepassword:service_account_tokenOP_SERVICE_ACCOUNT_TOKENThe string value of your 1Password Service Account token.Service account
pulumi-onepassword:urlOP_CONNECT_HOSTThe URL where your 1Password Connect Server can be found. For example: http://localhost:8080.Connect server
pulumi-onepassword:tokenOP_CONNECT_TOKENThe string value of your Connect server token.Connect server
pulumi-onepassword:accountOP_ACCOUNTA 1Password account sign-in address or unique identifier.Account details
pulumi-onepassword:op_cli_pathOP_CLI_PATHThe path to your 1Password CLI binary. Only required if 1Password CLI binary is located outside of your PATH.
  • Service account
  • Account details