
ca-andrewpluszka
6 hours ago

Automated bi-directional sync between 1Password and AWS Secrets Manager — is this actually possible?

Hey everyone,

SRE at a small startup here. We've been using 1Password for a while and overall love it, but we're running into a friction point with our AWS setup that I'm hoping someone has solved.

What we're trying to achieve:

We want a proper bidirectional sync between 1Password vaults and AWS Secrets Manager. Specifically:

  1. 1Password → AWS SM: When someone on the team updates a credential in 1Password, it should automatically propagate to AWS Secrets Manager so our workloads pick it up without anyone having to manually copy-paste things.
  2. AWS SM → 1Password: We use AWS Secrets Manager's native auto-rotation for some credentials (RDS passwords, API keys, etc.). When AWS rotates a secret automatically, we'd want that updated value to flow back into 1Password so our employees can always go to 1Password as the single source of truth and get the current credential.

On the new "Environments" feature (beta):

We noticed the new Environments feature and got excited — it looked like exactly what we needed. But after digging in, it seems pretty limited right now. From what we can tell:

  • There's no SDK support for managing environments programmatically
  • There's no CLI support either (`op` doesn't seem to have environment management commands yet)
  • Everything has to be done through the UI wizard

This makes it really hard to automate. We provision new environments dynamically as part of our infrastructure-as-code workflows (Terraform), so we need to be able to create and configure environments programmatically. Is this on the roadmap? Are there any workarounds people are using?

The SAML IdP requirement in Environments:

Related to the above — the Environments setup wizard seems to require a SAML Identity Provider to be configured for each environment. We use Azure Entra ID as our IdP (federated through AWS Cognito), and we have a single IdP setup that covers all our environments.

Is it actually required to have a separate SAML IdP per environment, or is there a way to reuse a single IdP across multiple environments? The wizard flow makes it seem like each environment needs its own IdP configuration, which would be a significant blocker for us — we can't dynamically spin up new IdP configurations every time someone creates a new environment in our platform.

If this is a hard requirement, it basically rules out Environments for our use case entirely, since we'd need to automate IdP provisioning as part of environment creation, which is a whole other can of worms.

Summary of questions:

  1. Has anyone built a reliable bidirectional 1Password ↔ AWS Secrets Manager sync? Especially the AWS SM → 1Password direction for auto-rotated secrets?
  2. Is there any programmatic/API access for Environments (SDK, CLI, REST API) that isn't documented yet, or is it genuinely UI-only right now?
  3. Is a separate SAML IdP per environment actually required, or can you reuse one IdP across environments?

Thanks!

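One way to implement the 1Password → AWS Secrets Manager leg with a compare-before-write guard (the same guard is what keeps the AWS SM → 1Password leg from echoing versions back and forth). This is an added example, not 1Password's or AWS's own code; it assumes a signed-in `op` CLI and boto3 credentials, and the item name, vault and secret id in the usage note are placeholders.

```python
"""Idempotent 1Password -> AWS Secrets Manager sync step (added example, not
1Password's or AWS's code). Assumes a signed-in `op` CLI and boto3 credentials;
the Secrets Manager client is injected so the logic runs offline against a fake."""
import hashlib
import json
import subprocess

def read_op_field(item_ref: str, field: str, vault: str) -> str:
    """Fetch one field from a 1Password item with the `op` CLI (real flags).
    One --fields selector plus --format json yields a single JSON object."""
    proc = subprocess.run(
        ["op", "item", "get", item_ref, "--vault", vault,
         "--fields", f"label={field}", "--format", "json"],
        check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)["value"]

def fingerprint(value: str) -> str:
    """SHA-256 prefix so audit logs show *that* a value changed, never the value."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]

def sync_secret(sm, secret_id: str, new_value: str) -> str:
    """Write new_value to Secrets Manager only when AWSCURRENT differs.
    Skipping no-op writes stops a two-way sync from ping-ponging versions."""
    try:
        current = sm.get_secret_value(SecretId=secret_id)["SecretString"]
    except sm.exceptions.ResourceNotFoundException:
        sm.create_secret(Name=secret_id, SecretString=new_value)
        return "created"
    if current == new_value:
        return "unchanged"
    sm.put_secret_value(SecretId=secret_id, SecretString=new_value)
    return "updated"

class FakeSecretsManager:
    """Constructed in-memory stand-in for boto3's secretsmanager client."""
    class exceptions:
        class ResourceNotFoundException(Exception):
            pass
    def __init__(self):
        self.store, self.writes = {}, 0
    def get_secret_value(self, SecretId):
        if SecretId not in self.store:
            raise self.exceptions.ResourceNotFoundException(SecretId)
        return {"SecretString": self.store[SecretId]}
    def create_secret(self, Name, SecretString):
        self.store[Name], self.writes = SecretString, self.writes + 1
    def put_secret_value(self, SecretId, SecretString):
        self.store[SecretId], self.writes = SecretString, self.writes + 1
```

Against real AWS, call `sync_secret(boto3.client("secretsmanager"), "prod/db-password", read_op_field("RDS prod", "password", "Infra"))` from a scheduled job and log only the returned action plus `fingerprint(...)`, never the value.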