1Password cli examples

 · 3 min · torgeir

Read 1Password secrets from the command line, load them into environment variables and config files.

Security 1password Terminal Op

I absolutely love how the 1Password cli enables me to keep all my secrets in the vault, and still have scripts access their content only when I ask for it. Somehow, however, I don’t find the op command super intuitive, so I always have to resort to the docs1 to look the same stuff up over and over.

So here’s a few examples of what I regularly use.

Retrieve an item

Retrieve an item2 from your vault by name

op item get "Openai api key"

These are all the attributes it contains

ID:          q2tt4yo___________________
Title:       Openai api key
Vault:       Personal (7ibw64s___________________)
Created:     8 hours ago
Updated:     8 hours ago by torgeir
Favorite:    false
Version:     2
Category:    LOGIN
  password:    sk-raS2____________________________

You can also choose to format them as JSON and use jq3 to extract the id

op item get "Openai api key" --format json | jq -r .id

The result


Retrieve field of an item

When you have looked up an item’s id2, you can use this to extract specific fields. I like to rely on the id of items rather than their name when looking them up, as they do not change if you edit the entry name.

op item get q2tt4yo___________________ \
    --fields label=password

The result


Run command with environment variables

Define a couple of environment variables in a file file.env


Now run a script, e.g. env, using op run4, passing it the file containing the environment variables

op run --env-file="file.env" -- env | rg SOME_APP

This runs the command env | rg SOME_APP in the given environment. This command simply extracts the available environment variables that contain SOME_APP, for purpose of the example. rg5 is a faster grep equivalent. This shows the environment variables and their concealed values from 1Password.

SOME_APP_USERNAME=<concealed by 1Password>
SOME_APP_PASSWORD=<concealed by 1Password>

What I love about this approach is that once op run has finished, the secret environment variables are no longer available! Type the following and observe that the output is empty.

env | rg SOME_APP

Inject secrets into configuration files

Create a config template file, e.g. config.yml.tpl, and refer some vault secrets by their reference

    username: op://Personal/service/username
    password: op://Personal/service/password

To load secrets into a configuration file6 config.yml, run the following command, supplying the config template file for the -i attribute, and its destination for the -o attribute

op inject -i config.yml.tpl -o config.yml

Take note that the resulting config.yml will contain your secrets and remain on disk once the op inject command has finished.

Remember to delete it when you are done.