1Password CLI Bug Report: Service Account Cannot Read Environments
Summary
op environment read and op run --environment return "Environment was not found" when authenticated with a Service Account that has Read access to the Environment. Desktop app authentication works correctly with the same Environment ID.
Environment
- op CLI version: 2.33.0-beta.02
- OS: macOS 15.3 (arm64)
- 1Password Desktop App: 8.12.2
- Account type: Individual (my.1password.com)
Steps to Reproduce
- Create a 1Password Environment "AI Agent" with variables (e.g., BRAVE_API_KEY)
- Create a Service Account "Ghossty" with:
- Vaults: Dev (Read)
- Environments: AI Agent (Read)
- Export the Service Account token:
export OP_SERVICE_ACCOUNT_TOKEN="<token>"
- Run:
/usr/local/bin/op environment read <environment-id>
Expected Result
BRAVE_API_KEY=<value>
GITHUB_PAT=<value>
Actual Result
[ERROR] 2026/02/18 18:41:55 bad input passed by the user: Environment was not found
Workaround Confirmation
Desktop app authentication works correctly with the same Environment ID:
OP_SERVICE_ACCOUNT_TOKEN= /usr/local/bin/op environment read <environment-id> # Output: # GITHUB_PAT=[REDACTED:github-fine-grained-pat] # BRAVE_API_KEY=[REDACTED:api-key]
Additional Context
- op whoami confirms the Service Account is authenticated:
URL: https://my.1password.com
User Type: SERVICE_ACCOUNT
- The Service Account was created on 2026-02-18 (after Environments beta was available)
- The SA has confirmed Read access to the Environment in the 1Password app UI
- op run --environment <id> -- printenv also fails with the same error
- Vault access works fine with the same SA (op item list --vault Dev succeeds)
Impact
Cannot use the official headless/automated approach for loading Environment variables in shell startup scripts. Forced to use desktop app authentication which requires biometric confirmation on every invocation.
