Use the 1Password CLI (op) to pull secrets directly into your shell scripts, CI/CD pipelines, and container orchestration workflows – eliminating hardcoded credentials entirely. Install it with brew install --cask 1password-cli, authenticate with op signin, and retrieve any secret using op item get "Item Name" --field password. This guide walks through environment variable injection, GitHub Actions integration, Kubernetes secrets, and security best practices for automated secret management.

Installing and Configuring the 1Password CLI

The 1Password CLI (op) provides a powerful way to interact with your vault from the terminal. Install it using Homebrew on macOS:

brew install --cask 1password-cli

For Linux or Windows WSL, you can download the appropriate binary from the 1Password GitHub repository. After installation, sign in to your account:

op signin

This command initiates an authentication flow that opens your default browser. Once authenticated, you can start retrieving secrets programmatically.

Retrieving Secrets in Scripts

The fundamental operation involves fetching individual items from your vault. The basic syntax uses the item name or UUID:

# Retrieve a password for a specific item
op item get "Database Password" --field password

# Get a specific field from an item
op item get "AWS Production" --field "API Key"

For more complex scenarios, you can output items as JSON for parsing:

op item get "Production API Keys" --format json

This JSON output integrates cleanly with shell scripts using tools like jq:

#!/bin/bash
API_KEY=$(op item get "API Gateway" --field "client_secret" --format json | jq -r '.value')
export API_KEY

Environment Variable Integration

One of the most practical applications involves loading secrets as environment variables before running applications. Create a script that sources your secrets:

#!/bin/bash
# load-secrets.sh

# Authenticate if needed
if ! op account get > /dev/null 2>&1; then
    op signin
fi

# Export secrets as environment variables
export DATABASE_PASSWORD=$(op item get "PostgreSQL" --field password)
export STRIPE_API_KEY=$(op item get "Stripe" --field "secret_key")
export JWT_SECRET=$(op item get "JWT Signing" --field password)

Run your application with these secrets loaded:

source ./load-secrets.sh && node src/index.js

This approach keeps secrets out of your shell history and process listings while maintaining a clean workflow.

CI/CD Pipeline Integration

Continuous integration environments require secure secret handling. Most CI platforms support injecting environment variables during builds. Here’s how to integrate 1Password with GitHub Actions:

name: Deploy Application

on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Install 1Password CLI
        run: |
          curl -sSf https://app-updates.agilebits.com/product_history/CLI2 | \
          grep -E "op_.*\.pkg" | head -1 | \
          awk -F'{print $4}' | \
          xargs -I {} brew install {}

      - name: Sign in to 1Password
        run: echo "$OP_SERVICE_ACCOUNT_TOKEN" | op signin --stdin
        env:
          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}

      - name: Retrieve secrets
        run: |
          echo "DB_PASSWORD=$(op item get ProductionDB --field password)" >> $GITHUB_ENV
          echo "API_KEY=$(op item get APIKeys --field api_key)" >> $GITHUB_ENV

      - name: Run deployment
        run: ./deploy.sh

Using a service account token provides granular access control without exposing your master password in CI environments.

Kubernetes and Docker Secrets

Containerized applications benefit from proper secret management. You can inject 1Password secrets into Kubernetes using external secrets operators, or simply mount secrets at runtime:

#!/bin/bash
# generate-kubernetes-secrets.sh

kubectl create secret generic app-secrets \
  --from-literal=db-password=$(op item get Database --field password) \
  --from-literal=api-key=$(op item get APIKeys --field key)

For Docker Compose, reference environment files loaded through 1Password:

version: '3.8'
services:
  web:
    image: your-app:latest
    env_file:
      - .env.production
    # ...

Generate your .env.production file using a similar sourcing approach described earlier.

Working with Custom Fields

1Password items support custom fields beyond the standard username, password, and URL. This proves invaluable for storing multiple credentials or metadata:

# List all fields for an item
op item get "Server Credentials" --format json | jq '.fields[]'

# Access a specific custom field
op item get "Server Credentials" --field "ssh_private_key"

Custom fields enable organizing complex credential sets—such as multiple API keys for different environments—within a single vault item.

Security Best Practices

When automating secret retrieval, follow these essential practices:

Use service accounts instead of master passwords in automated environments. Service accounts provide limited access appropriate for CI/CD while avoiding credential exposure.

Set vault timeouts to automatically lock your vault after periods of inactivity. Configure this in your 1Password settings.

Audit access regularly using 1Password’s built-in audit logs. Monitor which secrets were accessed and from which locations.

Rotate credentials periodically even when using a password manager. Automated rotation scripts can help maintain security hygiene:

#!/bin/bash
# rotate-api-key.sh

NEW_KEY=$(openssl rand -base64 32)
op item edit "API Keys" "api_key=$NEW_KEY"
# Trigger your application's key update mechanism
curl -X POST https://yourapp.com/admin/rotate-key -d "key=$NEW_KEY"

Troubleshooting Common Issues

Authentication failures often stem from session expiration. The CLI caches credentials temporarily—re-authenticate when needed:

# Check current authentication status
op account get

# Sign out and back in if needed
op signout
op signin

Permission errors indicate the service account or account lacks access to specific vaults. Verify vault access through the 1Password admin console.

Conclusion

The CLI covers environment variable injection, CI/CD pipelines, container orchestration, and infrastructure automation. Start with the environment variable pattern, get a service account set up in CI, then layer in Kubernetes or rotation scripts as needed.

Related Reading

• Best Hardware Security Key for Developers: A Practical Guide
• Bitwarden Vault Export Backup Guide: Complete Technical.
• Telegram vs Signal: Which Is Actually Safer? A Technical.

Built by theluckystrike — More at zovo.one