secrets management
248 Topics

Creating blank entries for generic secrets
When I try to add a new entry to a 1password vault I always have to select from one of the templates (like Note, Login, Passport, etc). Often times I just want to have an empty entry into which I can add my own custom fields. As far as I can tell 1password doesn't have a "Blank Entry" option. Would it be possible to get one? I'm tired of staring at the list of templates thinking "well, none of these really".
7 Views 0 likes 0 Comments

opx - A 1Password companion CLI
Hello folks, opx is a little tool I built so I could just opx nodejs apps and have it load secrets from 1password CLI. 1P_Phil said I should share it with the community. I haven't worked on it that much recently but it does work for my use case. Ideally the following would be things I'd want to see happen with this tool:
- 1password take it over officially and ship more than just nodejs support
- if not, community helps out to add new features or bug fixes
Thanks for taking a look and hoping it interests or inspires people.
22 Views 0 likes 2 Comments

[GUIDE] 1Password Runtime Secret Injection for Azure Container Apps
This guide outlines a streamlined way to inject environment variables stored as secret reference URIs from 1Password into an Azure Container App (ACA) at runtime. It removes the need for init containers or writing secrets to disk. By using an ACA Command override, you can fetch a .env file saved as a Document type in 1Password, which contains the secret reference URIs, and load it straight into your container's environment.

Step 1: Store Your Environment File in 1Password
Start by saving your environment file (e.g., .env.production), with variables encoded as secret reference URIs, as a Document type item in a 1Password vault accessible to your Service Account. This allows the 1Password CLI to read the file's contents directly.

Step 2: Update Your Dockerfile
The Docker image must have Bash and the 1Password CLI available for the ACA Command/Arguments override to work properly. You can add the 1Password CLI using a multi-stage Dockerfile to keep your final image lean.

Example

    FROM mcr.microsoft.com/dotnet/aspnet:9.0 AS base
    WORKDIR /app
    # Set non-root user for security
    USER app

    FROM mcr.microsoft.com/dotnet/sdk:9.0 AS build
    WORKDIR /
    # Copy configuration files
    COPY ["*.json", "*.props", "*.config", "*.sln", "./"]
    # Copy source code
    COPY ./src /src
    # Change to source directory
    WORKDIR /src
    # Restore packages directly for the Web API project (this pulls in all dependencies)
    RUN dotnet restore "./Presentation/Web.Api/Web.Api.csproj"
    RUN dotnet build "./Presentation/Web.Api/Web.Api.csproj" -c Release
    RUN dotnet publish "./Presentation/Web.Api/Web.Api.csproj" -c Release -o /app/publish /p:UseAppHost=false

    # This stage pulls 1Password CLI (from official image)
    FROM 1password/op:latest AS opcli

    # Final image (runtime)
    FROM base AS final
    WORKDIR /app
    # Copy the published app
    COPY --from=build /app/publish .
    # Copy the 1Password CLI binary from the opcli stage
    COPY --from=opcli /usr/local/bin/op /usr/local/bin/op
    # Allow for replacement of the container run command.
    # This will allow op run --env-file <(op read "op://[vault]/[item]/[env_filename]" ) -- dotnet Web.Api.dll
    CMD ["dotnet", "Web.Api.dll" ]

Key Points
- Using CMD in your Dockerfile is crucial, as Azure Container Apps only allow CMD override, not ENTRYPOINT.
- This example uses a .NET base image, but you can adapt it to any base image (Node, Python, etc.).

Step 3: Configure Your Azure Container App
Now, configure your Azure Container App to use the 1Password CLI to inject the secrets before your application starts.

Service Account Token Secret: In your Container App's settings, navigate to Security/Secrets:
- Create a new secret named op-service-account-token
- ACA requirement: The key must consist of lower case alphanumeric characters and '-', and must start and end with an alphanumeric character.
- Paste your 1Password Service Account Token as the value.

Service Account Token Environment Variable: In your Container App's settings, navigate to Application/Containers:
- Switch to the "Environment variables" tab and +Add a variable:
  - Name: OP_SERVICE_ACCOUNT_TOKEN
  - Source: "Reference a secret"
  - Value: op-service-account-token secret created in the previous step.

Container Override: In the same container settings, update the following to override the container runtime environment:
- Command override: /bin/bash
- Arguments override: -c, op run --env-file <(op read "op://[VAULT_NAME]/[ITEM_NAME]/[ENV_FILENAME]") -- [your_container_start_command]

Example
If your vault is named prod-env-Secrets-Vault, the 1Password item is MyWebApp, the file is .env.production, and your original container command was dotnet Web.dll, the ACA Arguments override would be:

    -c, op run --env-file <(op read "op://prod-env-Secrets-Vault/MyWebApp/.env.production" ) -- dotnet Web.dll

This one-line command handles everything: op run --env-file parses secret reference URIs stored in the env-file provided by <(op read..), and -- then launches your application with those secrets injected into the shell environment.
See:
- Secret Reference URIs: https://developer.1password.com/docs/cli/secret-references/
- Service Account: https://developer.1password.com/docs/service-accounts/use-with-1password-cli
111 Views 1 like 2 Comments

OpenAI API Keys... Oh mai
Just a heads up, on GitHub, a crafty person created a query to find OpenAI API keys via search. I'm not going to link to it, but here are some resources if you fall into this camp!
- We have an entire blog post from 2023 about this topic: https://blog.1password.com/openai-chatgpt-exposed-api-keys/
- AI Agents + 1Password (Blog): https://developer.1password.com/docs/sdks/ai-agent
- CLI: https://developer.1password.com/docs/cli/secret-references
- SDK (Python, Go & Typescript/JS): https://developer.1password.com/docs/sdks/load-secrets
- GitHub Actions with 1Password (hide API keys in CI/CD): https://developer.1password.com/docs/ci-cd/github-actions
51 Views 0 likes 0 Comments

1password pulumi provider
I see that 1password has made a pulumi provider at https://github.com/1Password/pulumi-onepassword
Is this considered ready for public consumption yet? We have a couple of 1000 of auto-generated passwords that I would very much like to make available in 1password rather than our own shitty security™. However considering the importance of the data I would rather ask before accidentally getting the entire company locked out of our own production environments :D
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
91 Views 0 likes 5 Comments

Announcing op-python and ivorynomad.onepassword
I've created a python module intended to ease use of 1password CLI in CI/CD and IaC environments. https://pypi.org/project/op-python/
I've also created an ansible lookup plugin which leverages the op-python module to perform secrets retrieval for ansible playbooks. https://galaxy.ansible.com/ui/repo/published/ivorynomad/onepassword/
I use these in my home lab environment where they have been useful to me; I hope they might be useful for others.
24 Views 0 likes 2 Comments

openv - A simple CLI tool to wrap commands with 1Password secrets from .env
Hey folks, I just released a new version of a small command-line tool I've been working on called openv.

What it does: It automatically wraps selected dev commands (like npm dev, pnpm run, etc.) with op run, if your project's .env file contains op:// secrets from 1Password. So instead of manually writing:

    op run --env-file=.env -- npm run dev

You can just type, as you would normally do:

    npm run dev

And it will be wrapped automatically via a shell hook.

Why I built it: This started as a personal tool because I kept forgetting to wrap my dev commands with op run, and I wanted a smoother experience that "just works" based on .env contents. It hooks into ZSH (likely direnv), with support for allow/deny patterns (e.g., only wrap certain commands like pnpm start).

Tech:
- Written in Rust
- Works in ZSH, Bash, and Fish
- Installable via Homebrew
- Fully local

Notes: This is an early release, mainly developed for my personal use. I'm sharing it here in case others find it useful. Feedback, issues, or even feature ideas are very welcome - but no pressure!
GitHub: https://github.com/andrea11/openv
Thanks for reading - and happy coding!
90 Views 0 likes 2 Comments

Frustrations with .env File Handling and Environments in 1Password
To whom it may concern,

I just tried to add some basic .env files to 1Password and was honestly surprised at how difficult and unsatisfying the experience was. I've always considered 1Password a premium, polished product, and I've really enjoyed using it so far. But in this case, the lack of functionality is pretty disappointing.

I know you recently launched the Environments beta, which seems like a step in the right direction, but it's clearly not fully fleshed out. Most programming projects of mine include multiple environment files, not just one. Some values in these files are sensitive, and others aren't, so we should be able to choose which fields are masked (as passwords) and which are shown normally. Importing and exporting environment files should also be seamless, currently, it's anything but.

But the biggest issue with Environments right now is that they apparently don't belong to vaults. That means I can't share them with coworkers, which makes them basically useless for team projects. What's the point of having them at all if they can't be shared?

So I tried workarounds: First, I attempted to store the variables in a secure note. While you can manually add fields, that's clunky and time-consuming. Then I tried uploading the .env file to the note, but on macOS, the file picker doesn't show hidden files, and apparently there's no way to make it do so. This made it impossible to upload the file with its original name, a really basic oversight, and one that shouldn't exist in a premium product.

Next, I tried using a Document item. At least the drag-and-drop upload worked (unlike Secure Notes), but now I'm locked into a document type that only allows a single file. That's just not workable when a project has multiple secret environment files. Even worse, if I want to replace the file, the drag-and-drop UI disappears entirely, so I can't upload a hidden file again. I'd have to delete the entire document and start over. That's absurd.

I genuinely respect the work you've done on 1Password; it's one of the few tools I've used that felt reliable and trustworthy out of the box. But these gaps in functionality around something as basic as handling environment files are frustrating. And for a product at this price point, I expect this sort of workflow to just work. It's hard to believe these limitations haven't already been addressed.

On top of that, it was surprisingly difficult to even find a proper way to give feedback like this. That feels like a mistake, if users can't easily tell you where the product falls short, you miss the chance to improve it.

Anyway, I needed to get this off my chest. I hope this feedback is helpful, and that we'll see improvements to these features soon.

Best regards,
Joël Grosjean
210 Views 0 likes 4 Comments

.env accessed?: Lesson learned from a drained crypto wallet
A user on X recently lost their entire crypto wallet after installing a malicious extension in Cursor.ai. The extension accessed their .env file, extracted private keys, and sent them to an attacker's server. The wallet was drained within 27 minutes. Sadly a hard lesson to learn from. What steps would you recommend to secure their setup?
Read - https://x.com/0xzak/status/1955265807807545763?s=46&t=WQd8UVBBGk_pyHB3pNwGsA
27 Views 1 like 1 Comment
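
Added example, not part of any post above and not 1Password's code: a POSIX shell check, usable as a pre-commit or CI step, that flags sensitive-looking variables in a .env file whose values are plaintext rather than op:// secret references, the pattern the Azure Container Apps guide and the openv post rely on and the one that limits what a file-reading extension can take. The function names, the key-name heuristic and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag sensitive-looking variables in a .env file whose values
# are plaintext instead of 1Password secret references (op://vault/item/[section/]field).
# SENSITIVE_RE is an assumed naming heuristic; adjust it to your project.
SENSITIVE_RE='SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE|API_?KEY|CONNECTION_?STRING'
REF_RE='^op://[^/]+/[^/]+/[^/]+(/[^/]+)?$'

# Prints one finding per offending line. Exit status: 0 if clean, 1 otherwise.
audit_env_file() (
  file=$1; lineno=0; findings=0
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    # Drop CR, leading whitespace and an optional "export " prefix.
    line=$(printf '%s' "$line" | tr -d '\r' |
      sed 's/^[[:space:]]*//; s/^export[[:space:]][[:space:]]*//')
    case $line in ''|'#'*) continue ;; esac      # blank line or comment
    case $line in *=*) ;; *) continue ;; esac    # not an assignment
    key=${line%%=*}
    value=${line#*=}
    case $value in                               # strip one layer of quotes
      \"*\") value=${value#\"}; value=${value%\"} ;;
      \'*\') value=${value#\'}; value=${value%\'} ;;
    esac
    [ -n "$value" ] || continue
    printf '%s\n' "$value" | grep -Eq "$REF_RE" && continue
    if printf '%s\n' "$key" | grep -Eiq "$SENSITIVE_RE"; then
      printf '%s:%d: %s is plaintext, expected an op:// reference\n' \
        "$file" "$lineno" "$key"
      findings=$((findings + 1))
    fi
  done < "$file"
  [ "$findings" -eq 0 ]
)

# Constructed sample file; every value here is fake.
write_sample_env() {
  cat > "$1" <<'EOF'
# constructed sample
ASPNETCORE_ENVIRONMENT=Production
DB_PASSWORD=op://prod-env-Secrets-Vault/MyWebApp/db/password
export API_KEY="sk-constructed-not-a-real-key"
JWT_SECRET=constructed-plaintext-value
LOG_LEVEL=info
EOF
}

# Stand-alone use: sh audit_env.sh path/to/.env
[ "$#" -eq 0 ] || audit_env_file "$1"
```

On the constructed sample it reports API_KEY and JWT_SECRET and leaves the op:// reference and the non-sensitive settings alone.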