With 1Password Service Accounts, you can build tools to automate secrets management in your applications and infrastructure without deploying additional services.
Service accounts can:
Each service account has a service account token that you can provide as an environment variable for authentication. You can choose which vaults and Environments the service account can access and its permissions in each vault.
You can create a service account on 1Password.com or with 1Password CLI.
Service account permissions, vault access, and Environment access are immutable. If you want to grant a service account access to additional vaults or Environments, change the permissions it has in the vaults it can access, or change its ability to create new vaults, you’ll need to create a new service account with the appropriate permissions and access.
Choose whether the service account can create vaults.
Choose the vaults the service account can access.
Select the settings icon next to each vault to choose the permissions the service account has in the vault. This can’t be changed later.
Choose which 1Password Environments the service account can access. This can’t be changed later.
Select Create Account to create the service account.
Select Save in 1Password to save the service account token in your 1Password account. In the next window, enter a name for the item and choose the vault where you want to save it.
The service account creation wizard only shows the service account token once. Save the token in 1Password immediately to avoid losing it. Treat this token like a password, and don’t store it in plaintext.
You can find your new service account under “Service accounts” on the Developer page.
Use the service account creation wizard on 1Password.com if you want to create a service account that can access 1Password Environments.
To create a service account with 1Password CLI:
Make sure you have the latest version of 1Password CLI on your machine.
op service-account create <serviceAccountName> --expires-in <duration> --vault <vault-name>:<permission>,<permission>
Available permissions: read_items, write_items (requires read_items), share_items (requires read_items)
Include the --can-create-vaults flag to allow the service account to create new vaults.
If the service account or vault name contains one or more spaces, enclose the name in quotation marks (for example, "My Service Account"). You don’t need to enclose strings in quotation marks if they don’t contain spaces (for example, myServerName).
Service accounts can’t be modified after they’re created. If you need to make changes, revoke the service account and create a new one.
Save the service account token in your 1Password account.
For example, to create a service account named My Service Account that has read and write permissions in a vault named Production, can create new vaults, and expires in 24 hours:
op service-account create "My Service Account" --can-create-vaults --expires-in 24h --vault Production:read_items,write_items
1Password CLI only returns the service account token once. Save the token in 1Password immediately to avoid losing it. Treat this token like a password, and don’t store it in plaintext.
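Because a service account can't be modified after it's created, a mistake in a --vault spec means revoking the account and creating a new one. The following pre-flight check of a spec against the permission rules listed above is an added example, not 1Password's code; the function name and the choice to reject a spec with no explicit permissions are assumptions of this example.

```shell
# Added example, not 1Password's code. Permission names and the read_items
# dependency come from the list above; rejecting a spec with no explicit
# permissions is this example's own policy (an assumption).
#
# validate_vault_spec '<vault-name>:<permission>,<permission>'
# Returns 0 if the spec is acceptable, 1 otherwise (reason on stderr).
# The body is a subshell, so IFS/noglob changes and "exit" stay inside it.
validate_vault_spec() (
  spec=$1
  case $spec in
    *:*) ;;
    *) echo "no ':<permissions>' in '$spec'" >&2; exit 1 ;;
  esac
  vault=${spec%:*}     # text before the last colon
  perms=${spec##*:}    # text after the last colon
  if [ -z "$vault" ] || [ -z "$perms" ]; then
    echo "empty vault name or permission list in '$spec'" >&2; exit 1
  fi
  has_read=0
  dependents=""
  IFS=,
  set -f               # no globbing while the list is split on commas
  for perm in $perms; do
    case $perm in
      read_items) has_read=1 ;;
      write_items|share_items) dependents="$dependents$perm " ;;
      *) echo "unknown permission '$perm' in '$spec'" >&2; exit 1 ;;
    esac
  done
  if [ -n "$dependents" ] && [ "$has_read" -eq 0 ]; then
    echo "${dependents}requires read_items in '$spec'" >&2; exit 1
  fi
  exit 0
)

# Usage with the command from this page:
#   validate_vault_spec "Production:read_items,write_items" &&
#     op service-account create "My Service Account" --expires-in 24h \
#       --vault Production:read_items,write_items
```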