Forum Discussion
TerryTPA
11 days ago, New Contributor
[GUIDE] 1Password Runtime Secret Injection for Azure Container Apps
This guide outlines a streamlined way to inject environment variables stored as secret reference URIs from 1Password into an Azure Container App (ACA) at runtime. It removes the need for init containers or writing secrets to disk. By using an ACA Command override, you can fetch a .env file saved as a Document type in 1Password, which contains the secret reference URIs, and load it straight into your container's environment.
Step 1: Store Your Environment File in 1Password
Start by saving your environment file (e.g., .env.production), with variables encoded as secret reference URIs, as a Document type item in a 1Password vault accessible to your Service Account. This allows the 1Password CLI to read the file's contents directly.
Step 2: Update Your Dockerfile
The Docker image must have Bash and the 1Password CLI available for the ACA Command/Arguments override to work properly. You can add the 1Password CLI using a multi-stage Dockerfile to keep your final image lean.
Example
FROM mcr.microsoft.com/dotnet/aspnet:9.0 AS base
WORKDIR /app
# Set non-root user for security
USER app
FROM mcr.microsoft.com/dotnet/sdk:9.0 AS build
WORKDIR /
# Copy configuration files
COPY ["*.json", "*.props", "*.config", "*.sln", "./"]
# Copy source code
COPY ./src /src
# Change to source directory
WORKDIR /src
# Restore packages directly for the Web API project (this pulls in all dependencies)
RUN dotnet restore "./Presentation/Web.Api/Web.Api.csproj"
RUN dotnet build "./Presentation/Web.Api/Web.Api.csproj" -c Release
RUN dotnet publish "./Presentation/Web.Api/Web.Api.csproj" -c Release -o /app/publish /p:UseAppHost=false
# This stage pulls 1Password CLI (from official image)
FROM 1password/op:latest AS opcli
# Final image (runtime)
FROM base AS final
WORKDIR /app
# Copy the published app
COPY --from=build /app/publish .
# Copy the 1Password CLI binary from the opcli stage
COPY --from=opcli /usr/local/bin/op /usr/local/bin/op
# Allow for replacement of the container run command.
# This will allow op run --env-file <(op read "op://[vault]/[item]/[env_filename]" ) -- dotnet Web.Api.dll
CMD ["dotnet", "Web.Api.dll"]
Key Points
- Using CMD in your Dockerfile is crucial, as Azure Container Apps only allow CMD override, not ENTRYPOINT.
- This example uses a .NET base image, but you can adapt it to any base image (Node, Python, etc.).
Step 3: Configure Your Azure Container App
Now, configure your Azure Container App to use the 1Password CLI to inject the secrets before your application starts.
- Service Account Token Secret: In your Container App's settings, navigate to Security/Secrets:
- Create a new secret named op-service-account-token
- ACA requirement: The key must consist of lower case alphanumeric characters and '-', and must start and end with an alphanumeric character.
- Paste your 1Password Service Account Token as the value.
- Service Account Token Environment Variable: In your Container App's settings, navigate to Application/Containers:
- Switch to the "Environment variables" tab and +Add a variable:
- Name: OP_SERVICE_ACCOUNT_TOKEN
- Source: "Reference a secret"
- Value: op-service-account-token secret created in the previous step.
- Container Override: In the same container settings, update the following to override the container runtime environment:
- Command override: /bin/bash
- Arguments override: -c, op run --env-file <(op read "op://[VAULT_NAME]/[ITEM_NAME]/[ENV_FILENAME]") -- [your_container_start_command]
Example
If your vault is named prod-env-Secrets-Vault, the 1Password item is MyWebApp, the file is .env.production, and your original container command was dotnet Web.dll, the ACA Arguments override would be:
-c, op run --env-file <(op read "op://prod-env-Secrets-Vault/MyWebApp/.env.production" ) -- dotnet Web.dll
This one-line command handles everything: op run --env-file reads the env file supplied by <(op read ...), resolves each secret reference URI in it, and after the -- launches your application with the resolved values injected into its environment (nothing is written to disk; the file only ever exists as a process substitution).
See: Secret Reference URIs: https://developer.1password.com/docs/cli/secret-references/
Service Account: https://developer.1password.com/docs/service-accounts/use-with-1password-cli
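A small pre-flight script for the setup above, added here as an example and not part of the original post or of 1Password's tooling: it parses the .env file you are about to store as a Document (Step 1), lists any values that are not op:// secret references so you can confirm none of them is a secret in plaintext, checks a proposed ACA secret name against the rule quoted in Step 3, and renders the Arguments override string. The secret-reference shape (op://vault/item/[section/]field) and the sample env lines are assumptions constructed for the example.

```python
import re

# Assumed shape of a 1Password secret reference: op://vault/item/[section/]field
SECRET_REF_RE = re.compile(r"^op://[^/]+/[^/]+(?:/[^/]+)?/[^/]+$")
# ACA secret-name rule quoted in Step 3: lowercase alphanumerics and '-',
# starting and ending with an alphanumeric character.
ACA_SECRET_NAME_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")

def parse_env_file(text):
    """Parse KEY=value lines into a dict; blank lines and # comments are skipped,
    surrounding single or double quotes are stripped from the value."""
    env = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected KEY=value, got {line!r}")
        key, value = line.split("=", 1)
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        env[key] = value
    return env

def find_plaintext_values(env):
    """Keys whose value is NOT a secret reference. These are stored and injected
    as-is, so each one should be reviewed to confirm it is not a real secret."""
    return sorted(k for k, v in env.items() if not SECRET_REF_RE.match(v))

def is_valid_aca_secret_name(name):
    """True if the name satisfies the ACA secret-name constraint from Step 3."""
    return bool(ACA_SECRET_NAME_RE.match(name))

def build_aca_arguments(vault, item, filename, start_command):
    """Render the ACA 'Arguments override' from Step 3 for the given names."""
    ref = f"op://{vault}/{item}/{filename}"
    return f'-c, op run --env-file <(op read "{ref}") -- {start_command}'

# Constructed sample .env.production content; the vault/item names are made up.
SAMPLE_ENV = """\
# database and signing key live in 1Password, LOG_LEVEL is plain config
ConnectionStrings__Default=op://prod-env-Secrets-Vault/MyWebApp/database/connection-string
JWT_SIGNING_KEY="op://prod-env-Secrets-Vault/MyWebApp/jwt-signing-key"
LOG_LEVEL=Information
"""

if __name__ == "__main__":
    env = parse_env_file(SAMPLE_ENV)
    print("review these non-reference values:", find_plaintext_values(env))
    print(build_aca_arguments("prod-env-Secrets-Vault", "MyWebApp", ".env.production", "dotnet Web.dll"))
```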
2 Replies
- TerryTPA, New Contributor
If you don't count the months of using 1Password CLI features in other projects and scouring the docs, it took a couple hours of fighting with the complexities of testing an init container to try to load secrets, then trying to pass secrets to the running container without any temp disk writes via empty file mounts, etc.
I stepped back and thought 'op run --env-file' is what I needed but, somehow, needed to inject a file containing the secret reference URIs. After remembering I could store and read file content using 'op read', it only took about an hour to figure out ACA can't override ENTRYPOINT, change the Dockerfile, test in a terminal, then get the ACA override working.
It was a great 'aha' moment that was only possible thanks to the great 1Password CLI features and documentation.
- 1P_Phil
Moderator
Hi TerryTPA,
Thank you!!! for sharing this fantastic guide with the community!
Great work! How long did it take to figure out the nuances of this setup? Thanks!
Phil & the Team!