> ## Documentation Index > Fetch the complete documentation index at: https://www.1password.dev/llms.txt > Use this file to discover all available pages before exploring further. # Use the 1Password Terraform provider export const Image = ({src, darkSrc, alt, width, border, height, round}) => { const classNames = ["mint-mx-4"]; if (border) { classNames.push("mint-rounded-sm"); } if (round) { classNames.push("mint-rounded-lg"); } const style = {}; if (width) style.width = typeof width === "number" ? `${width}px` : width; if (height) style.height = typeof height === "number" ? `${height}px` : height; return darkSrc ? <> {alt} 0 ? style : undefined} /> {alt} 0 ? style : undefined} onError={e => { e.target.src = src; }} /> : {alt} 0 ? style : undefined} />; }; export const YouTubeVideo = ({src, title, alt}) => { return ; }; export const Small = ({children}) => { return {children}; }; With the [1Password Terraform provider ](https://github.com/1Password/terraform-provider-onepassword), you can reference, create, or update items in your vaults using a [1Password Connect Server](/secrets-automation#1password-connect-servers), a [1Password Service Account](/secrets-automation#1password-service-accounts), or the 1Password desktop app. ## Requirements * [Create a Connect server.](/connect/get-started/#step-1) * [Create a service account](/service-accounts/get-started#create-a-service-account) * Install the latest [beta release](https://support.1password.com/betas#install-a-prerelease-version-of-the-1password-app) of the 1Password desktop app. If you don't see the option to update to the latest beta in the app, you can download it directly for [Mac](https://releases.1password.com/mac/beta/), [Windows](https://releases.1password.com/windows/beta/), or [Linux](https://releases.1password.com/linux/beta/). ## Get started To use the 1Password Terraform provider with a Connect server: 1. Specify the Connect server token. You can set this value with the `OP_CONNECT_TOKEN` environment variable or with the `connect_token` field in the provider configuration. 2. Specify the Connect server hostname, URL, or IP address. You can set this value with the `OP_CONNECT_HOST` environment variable or with the `connect_url` field in the provider configuration. To use the 1Password Terraform provider with a service account, you'll need to provide your service account token. You can set this value with the `OP_SERVICE_ACCOUNT_TOKEN` environment variable or with the `service_account_token` field in the provider configuration. First, turn on the "Integrate with other apps" setting in the 1Password desktop app. If you don't see this setting, make sure you've installed the [beta version](https://support.1password.com/betas#install-a-prerelease-version-of-the-1password-app) of the app.
1. Open and unlock the [1Password app](https://1password.com/downloads/). 2. Select your account or collection at the top of the sidebar. 3. Navigate to **Settings** > **[Developer](onepassword://settings/developers)**. 4. Under Integrate with the 1Password SDKs, select **Integrate with other apps**. 5. If you want to authenticate with Touch ID, navigate to **Settings** > **[Security](onepassword://settings/security)**, then turn on **[Unlock using Touch ID](https://support.1password.com/touch-id-mac/)**.
The Integrate with other apps setting
1. Open and unlock the [1Password app](https://1password.com/downloads/). 2. Select your account or collection at the top of the sidebar. 3. Navigate to **Settings** > **[Developer](onepassword://settings/developers)**. 4. Under Integrate with the 1Password SDKs, select **Integrate with other apps**. 5. If you want to authenticate with Windows Hello, navigate to **Settings** > **[Security](onepassword://settings/security)**, then turn on **[Unlock using Windows Hello](https://support.1password.com/windows-hello/)**.
The Integrate with other apps setting
1. Open and unlock the [1Password app](https://1password.com/downloads/). 2. Select your account or collection at the top of the sidebar. 3. Navigate to **Settings** > **[Developer](onepassword://settings/developers)**. 4. Under Integrate with the 1Password SDKs, select **Integrate with other apps**. 5. If you want to authenticate the same way you sign in to your Linux account, navigate to **Settings** > **[Security](onepassword://settings/security)**, then turn on **[Unlock using system authentication](https://support.1password.com/system-authentication-linux/)**.
The Integrate with other apps setting
Then provide your account name or ID in the provider configuration: 1. Get the name of your 1Password account as it appears at the top of the left sidebar in the 1Password desktop app. Alternatively, you can use [1Password CLI](/cli/get-started) to run `op account get` to find your account ID. 2. Set the `OP_ACCOUNT` environment variable or `account` in the provider configuration to your account name or ID. Run a Terraform command that requires authentication, and you'll be prompted to authenticate in the same way you unlock your 1Password app, like with biometrics or your 1Password account password. ## Reference The following sections contain reference information for the 1Password Terraform provider: * [Configuration](#configuration) * [Resources](#resources) * [Data sources](#data-sources) ### Configuration The 1Password Terraform provider has fields you must set before you can use it with a 1Password Connect server, service account, or the 1Password desktop app. The following table describes each field. | Field | Type | Description | Required | | ----------------------- | ------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------- | | `connect_token` | String | A valid token for the 1Password Connect server. You can also source the value from the `OP_CONNECT_TOKEN` environment variable. | Required if using a Connect server. | | `connect_url` | String | The HTTP(s) URL of the 1Password Connect server. You can also source the value from the `OP_CONNECT_HOST` environment variable. | Required if using a Connect server. | | `service_account_token` | String | A valid token for the 1Password Service Account. You can also source the value from the `OP_SERVICE_ACCOUNT_TOKEN` environment variable. | Required if using a service account. | | `account` | String | The 1Password account name as it appears at the top left of the sidebar in the 1Password desktop app. Alternatively, the 1Password account ID. You can also source the value from the `ACCOUNT` environment variable. | Required if using the 1Password desktop app integration. | You can use the following environment variables to specify configuration values. | Environment variable | Description | Configuration field | | -------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------- | | `OP_CONNECT_TOKEN` | A valid token for the 1Password Connect server. | `connect_token` | | `OP_CONNECT_HOST` | The hostname, IP address, or URL of the 1Password Connect server. | `connect_url` | | `OP_SERVICE_ACCOUNT_TOKEN` | A valid token for the 1Password Service Account. | `service_account_token` | | `OP_ACCOUNT` | The 1Password account name as it appears at the top left of the sidebar in the 1Password desktop app. Alternatively, the 1Password account ID. | `account` | #### Configuration examples The following code blocks show configuration examples. The following examples use environment variables. Make sure to set the environment variables beforehand or use plain text. The following example shows a provider configuration using a Connect server: ```terraform connect-example.tf theme={null} provider "onepassword" { connect_url = "OP_CONNECT_HOST" connect_token = "OP_CONNECT_TOKEN" } ``` The following example shows a provider configuration using a service account: ```terraform service-account-example.tf theme={null} provider "onepassword" { service_account_token = "OP_SERVICE_ACCOUNT_TOKEN" } ``` The following example shows a provider configuration using the 1Password desktop app: ```terraform 1password-account-example.tf theme={null} provider "onepassword" { account = "OP_ACCOUNT" } ``` ### Resources The 1Password Terraform provider has the following resources: * [`onepassword_item` resource](#item-resource) #### Item resource The `onepassword_item` resource represents a 1Password item. You can import a `onepassword_item` with the following syntax: ```shell theme={null} terraform import onepassword_item. vaults//items/ ``` ##### Schema The following tables describe the `onepassword_item` resource schema. | Field | Type | Description | Required | Access | | ----------------------- | ------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | | `vault` | String | The UUID of the vault the item is in. | Yes | Read-Write | | `category` | String | The category of the item.

**Acceptable values**: `login`, `password`, or `database`. | No | Read-Write | | `database` | String | The name of the database. Only applies to the database category. | No | Read-Write | | `hostname` | String | The address where the database can be found. Only applies to the database category. | No | Read-Write | | `note_value` | String, Sensitive | Secure note value. | No | Read-Write | | `note_value_wo` | String, Sensitive | A write-only secure note value. This value is not stored in the state and is intended for use with ephemeral values. Requires Terraform 1.11 or later. | No | [Write-only ](https://developer.hashicorp.com/terraform/language/resources/ephemeral#write-only-arguments) | | `note_value_wo_version` | Number | An integer that must be incremented to trigger an update to the `note_value_wo` field. | No | [Write-only ](https://developer.hashicorp.com/terraform/language/resources/ephemeral#write-only-arguments) | | `password` | String, Sensitive | The password for the item. | No | Read-Write | | `password_wo` | String, Sensitive | A write-only password. This value is not stored in the state and is intended for use with ephemeral values. Requires Terraform 1.11 or later. | No | [Write-only ](https://developer.hashicorp.com/terraform/language/resources/ephemeral#write-only-arguments) | | `password_wo_version` | Number | An integer that must be incremented to trigger an update to the `password_wo` field. | No | [Write-only ](https://developer.hashicorp.com/terraform/language/resources/ephemeral#write-only-arguments) | | `password_recipe` | Block List, Max: 1 | The password recipe for the item. Only applies to Login and Password items. See [`password_recipe`](#password_recipe). | No | Read-Write | | `password_wo` | String, Sensitive | A write-only password. This value is not stored in the state and is intended for use with ephemeral values. Requires Terraform 1.11 or later. | No | [Write-only ](https://developer.hashicorp.com/terraform/language/resources/ephemeral#write-only-arguments) | | `password_wo_version` | Number | An integer that must be incremented to trigger an update to the `password_wo` field. | No | [Write-only ](https://developer.hashicorp.com/terraform/language/resources/ephemeral#write-only-arguments) | | `port` | String | The port the database is listening on. Only applies to the database category. | No | Read-Write | | `section` | Block List | A list of custom sections in the item. See [`section`](#section). | No | Read-Write | | `section_map` | Map of Object | A map of custom sections for the item, where `label` is the map key. See [`section_map`](#section_map). | No | Read-Write | | `tags` | List of String | An array of strings representing the tags assigned to the item. | No | Read-Write | | `title` | String | The title of the item. | No | Read-Write | | `type` | String | The type of database. Only applies to the database category.

**Acceptable values**: `db2`, `filemaker`, `msaccess`, `mssql`, `mysql`, `oracle`, `postgresql`, `sqlite` or `other`. | No | Read-Write | | `url` | String | The primary URL for the item. | No | Read-Write | | `username` | String | The username for the item. | No | Read-Write | | `id` | String | The Terraform resource identifier for the item in the format `vaults//items/`. | N/A | Read-Only | | `uuid` | String | The UUID of the item. Item identifiers are unique within a specific vault. | N/A | Read-Only | ###### `password_recipe` Password recipes can only be added to Login and Password items. The nested schema for the `password_recipe` field: | Field | Type | Description | Required | Access | | --------- | ------- | ---------------------------------------------------- | -------- | ---------- | | `digits` | Boolean | Use digits `[0-9]` when generating the password. | No | Read-Write | | `length` | Number | The length of the password to be generated. | No | Read-Write | | `symbols` | Boolean | Use symbols `[!@.-_*]` when generating the password. | No | Read-Write | ###### `section` The nested schema for the `section` field: | Field | Type | Description | Required | Access | | ------- | ---------- | -------------------------------------------------------------------------------------------- | -------- | ---------- | | `label` | String | The label for the section. | Yes | Read-Write | | `field` | Block List | A list of custom fields in the section. See [`section.field`](#item-resource-section-field). | No | Read-Write | | `id` | String | A unique identifier for the section. | N/A | Read-Only | ###### `section_map` The nested schema for the `section_map` field: | Field | Type | Description | Required | Access | | ----------- | ------------- | --------------------------------------------------------------------------------------------------- | -------- | ---------- | | `field_map` | Map of Object | A map of custom fields in the section, where `label` is the map key. See [`field_map`](#field_map). | No | Read-Write | | `id` | String | A unique identifier for the section. | N/A | Read-Only | ###### `section.field` The nested schema for the `section.field` field: | Field | Type | Description | Required | Access | | ----------------- | ----------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | ---------- | | `label` | String | The label for the field. | Yes | Read-Write | | `id` | String | A unique identifier for the field. | No | Read-Write | | `password_recipe` | String | The password for the item. Only applies to Login and Password items. See [`section.field.password_recipe`](#item-resource-section-field-password-recipe). | No | Read-Write | | `type` | String | The type of value stored in the field.

**Acceptable values**: `STRING`, `EMAIL`, `CONCEALED`, `URL`, `OTP`, `DATE`, `MONTH_YEAR`, or `MENU`. | No | Read-Write | | `value` | String, Sensitive | The value of the field. | No | Read-Write | ###### `field_map` The nested schema for the `field_map` field: | Field | Type | Description | Required | Access | | ----------------- | ---------------------------------- | -------------------------------------- | ---------- | ---------- | | `id` | String | A unique identifier for the field. | N/A | Read-Only | | `password_recipe` | The password recipe for the field. | No | Read-Write | | | `type` | String | The type of value stored in the field. | No | Read-Write | | `value` | String, Sensitive | The value of the field. | No | Read-Write | ###### `section.field.password_recipe` Password recipes can only be added to Login and Password items. The nested schema for the `section.field.password_recipe` field: | Field | Type | Description | Required | Access | | --------- | ------- | ---------------------------------------------------- | -------- | ---------- | | `digits` | Boolean | Use digits `[0-9]` when generating the password. | No | Read-Write | | `length` | Number | The length of the password to be generated. | No | Read-Write | | `symbols` | Boolean | Use symbols `[!@.-_*]` when generating the password. | No | Read-Write | ##### Example The following code block shows an example usage of the `onepassword_item` resource. ```terraform resource.tf theme={null} resource "onepassword_item" "demo_password" { vault = var.demo_vault title = "Demo Password Recipe" category = "password" password_recipe { length = 40 symbols = false } } resource "onepassword_item" "demo_login" { vault = var.demo_vault title = "Demo Terraform Login" category = "login" username = "test@example.com" } resource "onepassword_item" "demo_db" { vault = var.demo_vault category = "database" type = "mysql" title = "Demo TF Database" username = "root" database = "Example MySQL Instance" hostname = "localhost" port = 3306 } ``` ### Data sources The 1Password Terraform provider has the following data sources: * [`onepassword_item` data source](#item-data-source) * [`onepassword_vault` data source](#vault-data-source) #### Item data source Use the `onepassword_item` data source to get details of a 1Password item. You can identify an item by its vault UUID and either the item's title or UUID. ##### Schema The following tables describe the `onepassword_item` resource schema. | Field | Type | Description | Required | Access | | ------------ | ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------- | ---------- | | `vault` | String | The UUID of the vault the item is in. | Yes | Read-Write | | `note_value` | String, Sensitive | The Secure Note value. | No | Read-Write | | `title` | String | The title of the item to retrieve. This field populates with the title of the item if the item is looked up by its UUID. | No | Read-Write | | `uuid` | String | The UUID of the item to retrieve. This field populates with the UUID of the item if the item is looked up by its title. | No | Read-Write | | `category` | String | The category of the item.

**Acceptable values**: `login`, `password`, or `database`. | No | Read-Only | | `database` | String | The name of the database. Only applies to the database category. | No | Read-Only | | `hostname` | String | The address where the database can be found. Only applies to the database category. | No | Read-Only | | `id` | String | The Terraform resource identifier for the item in the format `vaults//items/`. | No | Read-Only | | `password` | String, Sensitive | The password for the item. | No | Read-Only | | `port` | String | The port the database is listening on. Only applies to the database category. | No | Read-Only | | `section` | List of Object | A list of custom sections in an item. | No | Read-Only | | `tags` | List of String | An array of strings of the tags assigned to the item. | No | Read-Only | | `type` | String | The type of database. Only applies to the database category.

**Acceptable values**: `db2`, `filemaker`, `msaccess`, `mssql`, `mysql`, `oracle`, `postgresql`, `sqlite`, or `other`. | No | Read-Only | | `url` | String | The primary URL for the item. | No | Read-Only | | `username` | String | The username for the item. | No | Read-Only | ###### `section` The nested schema for the `section` field: | Field | Type | Description | Required | Access | | ------- | -------------- | ------------------------------------------------------------------------------------------------ | -------- | --------- | | `field` | List of Object | A list of custom fields in the section. See [`section.field`](#item-data-source-section-field). | N/A | Read-Only | | `id` | String | A unique identifier for the section. | N/A | Read-Only | | `label` | String | The label for the section. | N/A | Read-Only | ###### `section.field` The nested schema for the `section.field` field: | Field | Type | Description | Required | Access | | ------- | ----------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | --------- | | `id` | String | A unique identifier for the field. | N/A | Read-Only | | `label` | String | The label for the field. | N/A | Read-Only | | `type` | String | The type of value stored in the field.

**Acceptable values**: `STRING`, `EMAIL`, `CONCEALED`, `URL`, `OTP`, `DATE`, `MONTH_YEAR`, or `MENU`. | N/A | Read-Only | | `value` | String, Sensitive | The value of the field. | N/A | Read-Only | ##### Example The following example shows how to use the `onepassword_item` data source. ```terraform data-source.tf theme={null} data "onepassword_item" "example" { vault = var.demo_vault uuid = onepassword_item.demo_sections.uuid } ``` #### Vault data source Use the `onepassword_vault` data source to get details of a vault. You can identify a vault with the vault name or UUID. ##### Schema The following tables describe the `onepassword_vault` resource schema. | Field | Type | Description | Required | Access | | ------------- | ------ | ------------------------------------------------------------------------------------------------------------------------- | -------- | ---------- | | `name` | String | The name of the vault to retrieve. This field populates with the name of the vault if the vault is looked up by its UUID. | No | Read-Write | | `uuid` | String | The UUID of the vault to retrieve. This field populates with the UUID of the vault if the vault is looked up by its name. | No | Read-Write | | `description` | String | The description of the vault. | No | Read-Only | | `id` | String | The Terraform resource identifier for this item in the format `vaults/`. | No | Read-Only | ### Ephemeral resources The 1Password Terraform provider has the following ephemeral resources: * [`onepassword_item` ephemeral resource](#item-ephemeral-resource)

Item ephemeral resource

The `onepassword_item` ephemeral resource represents a 1Password item. Use it to retrieve item values without storing them in Terraform state. This is useful for providing sensitive values to write-only arguments or other ephemeral contexts. ##### Schema | Field | Type | Description | Required | Access | | --------------------- | ----------------- | -------------------------------------------------------------------------------------------------------------------------------- | -------- | ---------- | | `vault` | String | The UUID of the vault the item is in. | Yes | Read-Write | | `title` | String | The title of the item to retrieve. This field will be populated with the title of the item if the item it looked up by its UUID. | No | Read-Write | | `uuid` | String | The UUID of the item to retrieve. This field will be populated with the UUID of the item if the item it looked up by its title. | No | Read-Write | | `credential` | String, Sensitive | API credential for this item. Only applies to the API credential category. | No | Read-Only | | `database` | String | The name of the database. Only applies to the database category. | No | Read-Only | | `hostname` | String | The address where the database can be found. Only applies to the database category. | No | Read-Only | | `id` | String | The Terraform resource identifier for the item in the format `vaults//items/`. | No | Read-Only | | `note_value` | String, Sensitive | Secure Note value. | No | Read-Only | | `password` | String, Sensitive | Password for this item. | No | Read-Only | | `port` | String | The port the database is listening on. Only applies to the database category. | No | Read-Only | | `private_key` | String, Sensitive | SSH Private Key in PKCS#8 for this item. | No | Read-Only | | `private_key_openssh` | String, Sensitive | SSH Private key in OpenSSH format. | No | Read-Only | | `public_key` | String | SSH Public Key for this item. | No | Read-Only | | `type` | String | The type of database or API Credential. Only applies to database and API credential categories | No | Read-Only | | `url` | String | The primary URL for the item. | No | Read-Only | | `username` | String | Username for this item. | No | Read-Only | #### Example ```terraform theme={null} # Example using ephemeral resource to retrieve item values ephemeral "onepassword_item" "example" { vault = "your-vault-id" title = "your-item-title" } # Example using UUID instead of title ephemeral "onepassword_item" "example_by_uuid" { vault = "your-vault-id" uuid = "your-item-uuid" } ``` ## Learn more * [Changelog](https://github.com/1Password/terraform-provider-onepassword/blob/main/CHANGELOG.md)