Get started with 1Password Service Accounts

With 1Password Service Accounts, you can build tools to automate secrets management in your applications and infrastructure without deploying additional services. Service accounts can:

Create, edit, delete, and share items.
Create vaults.
Delete vaults.
A service account can only delete a vault it created. See service account security.
Retrieve information about users and groups.

Each service account has a service account token that you can provide as an environment variable for authentication. You can choose which vaults the service account can access and its permissions in each vault.

Limitations

Service accounts have the following limitations:

Service accounts have rate limits and request quotes.
You can’t grant a service account access to your built-in Personal, Private, or Employee vault, or your default Shared vault.
Service accounts only work with 1Password CLI version 2.18.0 or later. See Use service accounts with 1Password CLI.
You can’t use service accounts with the Kubernetes Operator (only the Kubernetes Secrets Injector).

Requirements

Before you can create and use service accounts, you’ll need to:

Sign up for 1Password.
Have adequate account permissions to create service accounts.

If you don’t see the option to create service accounts, ask your administrator to give you access to create and manage service accounts.

Create a service account

You can create a service account on 1Password.com or with 1Password CLI. Service account permissions and vault access are immutable. If you want to grant a service account access to additional vaults, change the permissions it has in the vaults it can access, or change its ability to create new vaults, you’ll need to create a new service account with the appropriate permissions and access.

1Password.com
1Password CLI

To create a service account on 1Password.com:

Sign in to your account on 1Password.com.
Open the service account creation wizard.
Or navigate to Developer > Directory, select Other under Infrastructure Secrets Management, then select Create a Service Account.
Follow the onscreen instructions:
1. Choose a name for the service account.
2. Choose whether the service account can create vaults.
3. Choose the vaults the service account can access.
  You can’t grant a service account access to your built-in Personal, Private, or Employee vault, or your default Shared vault.
4. Select the settings icon next to each vault to choose the permissions the service account has in the vault. This can’t be changed later.
5. Select Create Account to create the service account.
6. Select Save in 1Password to save the service account token in your 1Password account. In the next window, enter a name for the item and choose the vault where you want to save it.

The service account creation wizard only shows the service account token once. Save the token in 1Password immediately to avoid losing it. Treat this token like a password, and don’t store it in plaintext.

You can find your new service account under “Service accounts” on the Developer page.

To create a service account with 1Password CLI:

Make sure you have the latest version of 1Password CLI on your machine.
Create a new service account using the op service-account create command:
```
op service-account create <serviceAccountName> --expires-in <duration> --vault <vault-name:<permission>,<permission>
```
Available permissions: read_items, write_items (requires read_items), share_items (requires read_items) Include the --can-create-vaults flag to allow the service account to create new vaults. If the service account or vault name contains one or more spaces, enclose the name in quotation marks (for example, “My Service Account”). You don’t need to enclose strings in quotation marks if they don’t contain spaces (for example, myServerName). Service accounts can’t be modified after they’re created. If you need to make changes, revoke the service account and create a new one.
Save the service account token in your 1Password account.
If you want to start using the service account with 1Password CLI, export the token to the OP_SERVICE_ACCOUNT_TOKEN environment variable.

For example, to create a service account named My Service Account that has read and write permissions in a vault named Production, can create new vaults, and expires in 24 hours:

op service-account create "My Service Account" --can-create-vaults --expires-in 24h --vault Production:read_items,write_items

1Password CLI only returns the service account token once. Save the token in 1Password immediately to avoid losing it. Treat this token like a password, and don’t store it in plaintext.

If your sign-in address changes, you’ll need to rotate your service account tokens.

Next steps

Explore the following to learn about how you can use service accounts.

Need help?Join our Developer Slack workspace to ask questions and provide feedback.

Secrets Automation

​Requirements

​Create a service account

​Next steps

Requirements

Create a service account

Next steps