Forum Discussion

CaoCuong2404's avatar
CaoCuong2404
New Contributor
17 days ago

1Password CLI Bug Report: Service Account Cannot Read Environments

Summary

op environment read and op run --environment return "Environment was not found" when authenticated with a Service Account that has Read access to the Environment. Desktop app authentication works correctly with the same Environment ID.

Environment

  • op CLI version: 2.33.0-beta.02
  • OS: macOS 15.3 (arm64)
  • 1Password Desktop App: 8.12.2
  • Account type: Individual (my.1password.com)

Steps to Reproduce

  1. Create a 1Password Environment "AI Agent" with variables (e.g., BRAVE_API_KEY)
  2. Create a Service Account "Ghossty" with:
  • Vaults: Dev (Read)
  • Environments: AI Agent (Read)
  1. Export the Service Account token:

export OP_SERVICE_ACCOUNT_TOKEN="<token>"

  1. Run:

/usr/local/bin/op environment read <environment-id>

Expected Result

BRAVE_API_KEY=<value>
GITHUB_PAT=<value>

Actual Result

[ERROR] 2026/02/18 18:41:55 bad input passed by the user: Environment was not found

Workaround Confirmation

Desktop app authentication works correctly with the same Environment ID:

OP_SERVICE_ACCOUNT_TOKEN= /usr/local/bin/op environment read <environment-id> # Output: # GITHUB_PAT=[REDACTED:github-fine-grained-pat] # BRAVE_API_KEY=[REDACTED:api-key]

Additional Context

  • op whoami confirms the Service Account is authenticated:

URL: https://my.1password.com
User Type: SERVICE_ACCOUNT

  • The Service Account was created on 2026-02-18 (after Environments beta was available)
  • The SA has confirmed Read access to the Environment in the 1Password app UI
  • op run --environment <id> -- printenv also fails with the same error
  • Vault access works fine with the same SA (op item list --vault Dev succeeds)

Impact

Cannot use the official headless/automated approach for loading Environment variables in shell startup scripts. Forced to use desktop app authentication which requires biometric confirmation on every invocation.

1password.com
beta environments
cli

3 Replies

  • erikrothoff's avatar
    erikrothoff
    New Member
    1 hour ago

    Ooo! I fixed it! The service account did not have permissions to access the environment. I had to create a new one and while creating it adding the correct environments as read-access.

    Key insight from LLM:

    Environments ARE vaults under the hood. The SDK's EnvironmentsGetVariables implementation first calls GET /api/v3/vault/{environment_id}?attrs=combined-access to access the environment's backing vault. The environment ID you pass (XXXXXXXXXXX) IS the vault ID of that environment.

    The 403 is a permissions issue. Your service account only has access to one vault:

    { "id": "XXXXXXXXXXXXXx", "name": "Infrastructure", "items": 1 }

    The environment vault XXXXXXXX is not in that list. The service account hasn't been granted access to it.

  • erikrothoff's avatar
    erikrothoff
    New Member
    1 hour ago

    More info after some reverse engineering of the binary:

    Here's the complete API call sequence for op environment read with a service account:

    1. POST /api/v3/auth/start (200 OK) -- initiates SRP auth
      {"email":"YYYYYYYYYYYYYYY@1passwordserviceaccounts.com","skFormat":"A3","skid":"ZZZZZZZZZZ","deviceUuid":"BBBBBBBBBBBBBBBBBBBBBBBB","userUuid":""}
    2. POST /api/v1/auth (200 OK) -- completes SRP handshake (sends userA, sessionID)
    3. POST /api/v2/auth/verify (200 OK) -- verifies auth, gets session token
    4. GET /api/v2/account/keysets (200 OK) -- fetches account keysets (x2)
    5. GET /api/v2/overview (200 OK) -- fetches account overview
    6. GET /api/v3/vault/XXXXXXXXXXXXXXXXXXX?attrs=combined-access -- 403 Forbidden!

    There's the problem. The CLI treats the environment ID (XXXXXXXXXXXXXXXXXXX) as a vault ID and tries to fetch it via /api/v3/vault/{id}. The server returns 403 because:

    - The service account doesn't have access to that "vault" (it's not actually a vault -- it's an environment), or
    - The Environments feature uses a different API path that the CLI isn't calling when authenticated as a service account
    - The response body (gzip-decoded \xaa\xae\xe5 = {} with a newline) is essentially an empty error body, and the CLI maps it to the generic "An unexpected error occurred while processing the request."

    Bottom line: op environment read with a service account authenticates fine but then tries to access the environment as if it were a vault via /api/v3/vault/{environmentId}?attrs=combined-access, and gets a 403. This strongly suggests that Environments aren't supported for service accounts at the API level -- the service account lacks the permissions/role to access the environment vault, or the environment is stored in a way that isn't exposed to service accounts.

  • erikrothoff's avatar
    erikrothoff
    New Member
    1 hour ago

    Any debug command flags we can add to help debug this? Also getting the same error with the same setup.