Level up your business security with free, on-demand training and certification. Explore 1Password Academy today →
Forum Discussion
Loading 1Password credentials inside a Docker Container from an Environment.
I have a Docker container that runs a server application, and I’m using 1Password Environments to store all of the credentials for this service.
What I’d like to do is load all secrets from a specific 1Password Environment into the container’s runtime environment only when I start the server, not at build time and not as long‑lived plain env vars on the host. In other words, I want something like:
- Start command (or entrypoint) pulls secrets from a given 1Password Environment
- Those secrets are exposed as environment variables inside the container
- The server process then reads them as normal env vars
- Once the server stops, the secrets are no longer present
I’ve seen references to using op run to inject env vars for a command, and also to using 1Password Environments / Connect for runtime secret delivery, but I’m not sure what the recommended pattern is for a simple Docker container scenario.
1 Reply
What you’re trying to do is actually a pretty normal setup, and you’re on the right track with op run. The cleanest approach with 1Password is to inject secrets only at runtime instead of baking them into the image or exporting them on the host. So instead of storing anything long-term, you just wrap the container start command: op run -- docker run your-image That way, 1Password provides the secrets only while the process is running, and once the container stops, nothing is left behind in the environment. Another simple option is to make it part of your entry command in Docker so it always runs through op run, and your app just reads normal environment variables like it normally would. The main thing to avoid is putting secrets into the Dockerfile or static .env files, because that defeats the purpose of using 1Password in the first place. For a basic Docker setup, op run is usually the simplest and most practical solution without adding extra infrastructure.
