1Password Connect Doesn't Appear to Sync Permissions
After submitting "1Password Connect Token Permissions Don't Appear to be Granular" on the 1Password Community, I updated the permissions for the access token for my dev environment. I then waited, and restarted the onepassword-connect deployment in my Kubernetes instance, which synced (verified in the 1PW UI under "Sync activity"). I did this twice. Despite the token having read/write access to the vault now, and being synced multiple times, when I apply terraform in that environment, and the onepassword terraform provider attempts to create a new entry, I see:

    Error creating 1Password item, got error failed to create item using connect: status 403: Authorization: token does not have permission to perform create on vault [redacted]

Is there an additional action required to allow these permissions to sync?

1Password Connect Token Permissions Don't Appear to be Granular
I have a 1PW token that Terraform uses. Up until now, I only wanted Terraform to be able to read from this vault. But now I have a use case for using some items in Terraform to create a 1PW entry. However, I don't seem to be able to assign only the "create" and "edit" permissions without also granting the archive & delete permissions, which I don't want Terraform to be capable of (accidentally) doing.

Reproduction Steps
1. Open 1PW connect entry
2. Go to access token with read only permission
3. Attempt to grant that access token additional "create" and "edit" permissions.

Expected Behavior
Check off the Create and Edit items, and have those permissions take effect.

Actual Behavior
Checking create or edit also appears to check off "Archive" and "Delete"

Screen capture below demonstrating the behavior

Feature Request: GeneratorRecipe for Memorable Passwords
Currently in the API options for 1P Connect there is an ability to specify a "GeneratorRecipe" when creating a password for a record: https://developer.1password.com/docs/connect/api-reference/#item-generatorrecipe-object

This is great for super-high-entropy random passwords, but in some instances we would like to have the ability to specify that the generator create a "Memorable Password", as can be done in the 1P apps. Ideally this would then allow for specifying criteria similar to:

    "generate": true,
    "memorableRecipe": {
      "memorableRequirements": [ "HYPHENS", "CAPITALIZE", "FULLWORDS" ],
      "words": 4
    }

While this isn't needed all the time as the default 'generate' option is suitable in most scenarios, this would provide some extra flexibility.

PS - In the same vein, it would be nice to have this capability for the CLI's '--generate-password' option as well! https://developer.1password.com/docs/cli/item-create/#create-an-item

What is an Agent Chassis?
Jeff Malnick's post is confident. It's also detached from how developers actually ship code today and made me furious.

"Agent chassis" boils down to: the script that runs your agent. Fine. But the security layer argument collapses when the tooling underneath is fragmented.

Right now you pick between CLI, shell plugins, service accounts, connectors, environments — each with different auth models, rate limits, edge cases, and silent failures. None cleanly support a headless agent workflow. I've built workarounds for my workarounds.

Agentic coding made this obvious. Agents need real credentials at runtime. Not desktop popups. Not biometric prompts in a terminal.

The community built unofficial MCP servers. Anthropic shipped 50+ connectors. 1Password isn't there.

The spec is public. It's buildable. So — who's shipping it?

Automated bi-directional sync between 1Password and AWS Secrets Manager — is this actually possible?
Hey everyone, SRE at a small startup here. We've been using 1Password for a while and overall love it, but we're running into a friction point with our AWS setup that I'm hoping someone has solved.

What we're trying to achieve: We want a proper bidirectional sync between 1Password vaults and AWS Secrets Manager. Specifically:

- 1Password → AWS SM: When someone on the team updates a credential in 1Password, it should automatically propagate to AWS Secrets Manager so our workloads pick it up without anyone having to manually copy-paste things.
- AWS SM → 1Password: We use AWS Secrets Manager's native auto-rotation for some credentials (RDS passwords, API keys, etc.). When AWS rotates a secret automatically, we'd want that updated value to flow back into 1Password so our employees can always go to 1Password as the single source of truth and get the current credential.

On the new "Environments" feature (beta): We noticed the new Environments feature and got excited — it looked like exactly what we needed. But after digging in, it seems pretty limited right now. From what we can tell:

- There's no SDK support for managing environments programmatically
- There's no CLI support either (`op` doesn't seem to have environment management commands yet)
- Everything has to be done through the UI wizard

This makes it really hard to automate. We provision new environments dynamically as part of our infrastructure-as-code workflows (Terraform), so we need to be able to create and configure environments programmatically. Is this on the roadmap? Are there any workarounds people are using?

The SAML IdP requirement in Environments: Related to the above — the Environments setup wizard seems to require a SAML Identity Provider to be configured for each environment. We use Azure Entra ID as our IdP (federated through AWS Cognito), and we have a single IdP setup that covers all our environments. Is it actually required to have a separate SAML IdP per environment, or is there a way to reuse a single IdP across multiple environments? The wizard flow makes it seem like each environment needs its own IdP configuration, which would be a significant blocker for us — we can't dynamically spin up new IdP configurations every time someone creates a new environment in our platform. If this is a hard requirement, it basically rules out Environments for our use case entirely, since we'd need to automate IdP provisioning as part of environment creation, which is a whole other can of worms.

Summary of questions:
1. Has anyone built a reliable bidirectional 1Password ↔ AWS Secrets Manager sync? Especially the AWS SM → 1Password direction for auto-rotated secrets?
2. Is there any programmatic/API access for Environments (SDK, CLI, REST API) that isn't documented yet, or is it genuinely UI-only right now?
3. Is a separate SAML IdP per environment actually required, or can you reuse one IdP across environments?

Thanks!

Introducing: Desktop auth for SDKs & 1Password Environments access for CLI, SDK & Service accounts
Today, we're introducing two new features to help developers get secrets to the right place at the right time, without sprinkling them across files, repos, and build logs.

Programmatically read 1Password Environments (read-only, now in beta)
If you store project environment variables in 1Password Environments, you can now read them at runtime via the 1Password CLI and SDKs. That means tools can pull secrets when they're needed, instead of maintaining .env files or managing long-lived secret syncs. A few places this shines:
- CI/CD workflows: Retrieve and inject .env variables during builds using a service account.
- Containers/Kubernetes: Apps read connection strings at startup.
- Local + AI-assisted tooling: Scripts/Make targets fetch tokens on demand while keeping secrets out of the model context.

Desktop authentication for 1Password SDKs
Fresh out of beta, SDK integrations can now authenticate through the 1Password desktop app with a biometric/password prompt. Sessions inherit the signed-in user's access and time out after 10 minutes of inactivity (or when 1Password locks). This unlocks higher-impact workflows, including full vault management (create/read/update/delete/list), managing vault permissions, and batch item operations for teams operating at scale.

Check out the details
For the full details, read the launch post. Questions, edge cases, or wish-list items? Drop them below – we're listening.

Feature Request: Connect/Operator DO_NOT_WATCH_NAMESPACE
Greetings Everyone!

I would like to request a feature on the Connect/Operator Kubernetes Service. I try to be brief and will shortly describe the definition of this feature and the reasoning behind it.

Definition: DO_NOT_WATCH_NAMESPACE will hold a list of namespaces which should NOT be processed for onepassworditems. Simply put, an inverted WATCH_NAMESPACE function.

Reasoning: I'm working on a Kubernetes environment for developers and wanted to integrate cert-manager with it. Since the cert issuer configuration needs a secret for credentials of the issuer, I planned to put this information into a separate OnePassword vault to which developers don't have access. I further created a new token with access to this specific vault and installed a dedicated operator to watch only the cert-manager namespace. With a setup like this I'm able to use the same cluster-wide connector with different vault access credentials per namespace. This setup works, but the "default" operator will also try to create the secret of the cert-manager onepassworditem, which fails because its token can't access the developer vault. I could redeploy the "default" operator and configure the WATCH_NAMESPACE list, but imagine having hundreds of namespaces and needing to maintain this list in the operator configuration. Therefore I would like to see an "exclude these namespaces" feature for the operator, which I would only need for special solutions like the one I described.

Thank you
Stefan Eichberger

p.s.: If there is already a proper solution for this kind of setup please tell me, I couldn't find it.

SSH Agent does not respect ssh-keys order
Hey! After the latest Production 1Password update (1Password for Mac 8.12.0 (81200013)) something is off with SSH Agent. SSH agent does not respect the ssh-keys order set in the TOML file anymore. It doesn't matter if you set any keys in the TOML file or you leave this file empty, the command ssh-agent -l prints ssh-keys in random order.

Example, my TOML file:

    [[ssh-keys]]
    item = "SSH Private Key"
    vault = "Personal"

    [[ssh-keys]]
    item = "Magento Cloud GDPR"
    vault = "Employee"

    [[ssh-keys]]
    item = "AWS EKS Node"
    vault = "Employee"

    [[ssh-keys]]
    item = "AWS Key"
    vault = "DevOps"

And two results of the ssh-add -l command:

    SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock ssh-add -l
    4096 SHA256:N4XGsjxtiMBWRpHvwh16fTciJL1aaTc0wuGXMlePQuY Magento Cloud GDPR (RSA)
    4096 SHA256:2LqQtMd7YdPMGXg4W+zODedaHi1oz4CxC0k/hl0V+PQ AWS EKS Node (RSA)
    2048 SHA256:4uE+nbs+twoNih01hiveiXFjy3bIh+NPkVyBNyqRyYg AWS Key (RSA)
    256 SHA256:QKMLArxXXvAcYzmSCqV766DsOAyxnkuA28TwneIsvTI SSH Private Key (ED25519)

    SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock ssh-add -l
    256 SHA256:QKMLArxXXvAcYzmSCqV766DsOAyxnkuA28TwneIsvTI SSH Private Key (ED25519)
    4096 SHA256:N4XGsjxtiMBWRpHvwh16fTciJL1aaTc0wuGXMlePQuY Magento Cloud GDPR (RSA)
    4096 SHA256:2LqQtMd7YdPMGXg4W+zODedaHi1oz4CxC0k/hl0V+PQ AWS EKS Node (RSA)
    2048 SHA256:4uE+nbs+twoNih01hiveiXFjy3bIh+NPkVyBNyqRyYg AWS Key (RSA)
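Agent key order is not cosmetic: the SSH client offers agent keys in the order the agent advertises them, and each rejected key counts against the server's MaxAuthTries (OpenSSH's default is 6), so a key that lands late in the list may never get a chance before the server disconnects the client. The script below, an added example that is not from the post above or from 1Password, parses an agent.toml of the layout shown in the post and the text of an `ssh-add -l` listing, and reports whether the advertised order matches the configured one and which configured keys sit past the MaxAuthTries cutoff. The embedded config and both listings are the post's own; the function names and the `max_auth_tries` parameter are this example's.

```python
"""Compare the key order configured in 1Password's agent.toml with the order
`ssh-add -l` actually reports. Added example; not 1Password's own tooling."""
import re

try:
    import tomllib                      # stdlib on Python 3.11+
except ImportError:                     # older Python: minimal fallback below
    tomllib = None

# Sample inputs, copied from the forum post above.
AGENT_TOML = """\
[[ssh-keys]]
item = "SSH Private Key"
vault = "Personal"

[[ssh-keys]]
item = "Magento Cloud GDPR"
vault = "Employee"

[[ssh-keys]]
item = "AWS EKS Node"
vault = "Employee"

[[ssh-keys]]
item = "AWS Key"
vault = "DevOps"
"""

FIRST_LISTING = """\
SSH_AUTH_SOCK=~/Library/Group\\ Containers/2BUA8C4S2C.com.1password/t/agent.sock ssh-add -l
4096 SHA256:N4XGsjxtiMBWRpHvwh16fTciJL1aaTc0wuGXMlePQuY Magento Cloud GDPR (RSA)
4096 SHA256:2LqQtMd7YdPMGXg4W+zODedaHi1oz4CxC0k/hl0V+PQ AWS EKS Node (RSA)
2048 SHA256:4uE+nbs+twoNih01hiveiXFjy3bIh+NPkVyBNyqRyYg AWS Key (RSA)
256 SHA256:QKMLArxXXvAcYzmSCqV766DsOAyxnkuA28TwneIsvTI SSH Private Key (ED25519)
"""

SECOND_LISTING = """\
256 SHA256:QKMLArxXXvAcYzmSCqV766DsOAyxnkuA28TwneIsvTI SSH Private Key (ED25519)
4096 SHA256:N4XGsjxtiMBWRpHvwh16fTciJL1aaTc0wuGXMlePQuY Magento Cloud GDPR (RSA)
4096 SHA256:2LqQtMd7YdPMGXg4W+zODedaHi1oz4CxC0k/hl0V+PQ AWS EKS Node (RSA)
2048 SHA256:4uE+nbs+twoNih01hiveiXFjy3bIh+NPkVyBNyqRyYg AWS Key (RSA)
"""


def configured_order(toml_text):
    """Item names in the order the [[ssh-keys]] tables appear in agent.toml."""
    if tomllib is not None:
        return [e["item"] for e in tomllib.loads(toml_text).get("ssh-keys", [])]
    # Fallback for Python < 3.11: only handles the item = "..." lines of this layout.
    return re.findall(r'^item\s*=\s*"([^"]*)"', toml_text, re.MULTILINE)


def advertised_order(ssh_add_text):
    """Key comments in the order `ssh-add -l` printed them.

    Each listing line is: <bits> <fingerprint> <comment ...> (<key type>).
    The comment may contain spaces, so only the first two fields are split off
    and the trailing parenthesised key type is stripped from the remainder."""
    names = []
    for line in ssh_add_text.splitlines():
        line = line.strip()
        if not line or line.startswith("SSH_AUTH_SOCK"):   # skip the echoed command
            continue
        parts = line.split(" ", 2)
        if len(parts) < 3 or not parts[0].isdigit():
            continue
        comment = parts[2]
        if comment.endswith(")") and " (" in comment:
            comment = comment[: comment.rfind(" (")]
        names.append(comment)
    return names


def order_report(toml_text, ssh_add_text, max_auth_tries=6):
    """Report on configured vs. advertised order.

    max_auth_tries defaults to OpenSSH sshd's default MaxAuthTries (6): every
    key the client offers counts as one attempt, so a configured key advertised
    later than that position is never tried before the server disconnects."""
    want = configured_order(toml_text)
    got = advertised_order(ssh_add_text)
    present = [n for n in want if n in got]          # configured keys the agent has
    return {
        "configured": want,
        "advertised": got,
        "in_order": [n for n in got if n in want] == present,
        "missing": [n for n in want if n not in got],
        "unlisted": [n for n in got if n not in want],
        "position": {n: got.index(n) + 1 for n in present},
        "past_max_auth_tries": [n for n in present if got.index(n) + 1 > max_auth_tries],
    }


if __name__ == "__main__":
    for label, listing in (("first", FIRST_LISTING), ("second", SECOND_LISTING)):
        r = order_report(AGENT_TOML, listing)
        print(f"{label} listing: in_order={r['in_order']} position={r['position']}")
```

On a real machine, feed `order_report` the contents of `~/.config/1Password/ssh/agent.toml` and the captured output of `ssh-add -l`; a `past_max_auth_tries` entry is the key to move up the list (or pin per host with `IdentityFile` plus `IdentitiesOnly yes` in ssh_config) until the agent honours the configured order again.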
1Password Secrets sync for Home Assistant

Hi, I'd like to share a project I've been working on. The 1Password Secrets sync app seamlessly integrates 1Password with Home Assistant, enabling automatic synchronization of your secrets from 1Password vaults directly into your Home Assistant `secrets.yaml` file. Say goodbye to manually managing sensitive credentials and embrace secure, automated secret management!

https://github.com/Borales/hassio-addons/tree/main/hassio-1password-addon

✨ Key Features:
- Automatic Secret Synchronization: Sync secrets from your 1Password vaults to Home Assistant's secrets.yaml on a configurable schedule
- Service Account Integration: Uses 1Password service accounts for secure, automated access
- Web-Based Management UI: Modern, intuitive interface
- Rate Limit Monitoring: Track your 1Password API usage to stay within daily limits
- Group Management: Organize secrets into groups for better organization and event notifications
- Real-Time Event System: Receives Home Assistant events when secrets are synced or updated
- Multi-Vault Support: Access secrets from multiple 1Password vaults
- Selective Sync: Choose which secrets to sync and skip unnecessary ones
- Configuration Scanning: Automatically detects !secret references in your Home Assistant configuration
- Multi-Language Support

ssh-agent and PKCS#11 keys
I tried this with 1Password's ssh agent. As you can see it failed. If using a regular old ssh agent it will succeed. Is there some other way to get this key into 1Password's ssh agent?

    $ ssh-add -s /usr/local/lib/opensc-pkcs11.so
    Enter passphrase for PKCS#11:
    Could not add card "/usr/local/lib/opensc-pkcs11.so": agent refused operation