With the 1Password Secrets orb for CircleCI, you can load secrets from 1Password into CircleCI CI/CD pipelines and sync them automatically. Using this orb removes the risk of exposing plaintext secrets in code.
You can use the orb with 1Password Connect Server or a 1Password Service Account.
This orb is officially supported and maintained by 1Password, but community contributions are welcome.
Read more on the 1Password Developer Portal.
Before you get started, if you want to use Connect, you'll need to:
- Set up a Secrets Automation workflow.
- Deploy 1Password Connect in your infrastructure.
- On the CircleCI settings page, set the
OP_CONNECT_HOST
andOP_CONNECT_TOKEN
environment variables to your Connect instance's credentials so that it'll be used to load secrets.
If you want to use Service Accounts, you'll need to:
- Create a service account.
- On the CircleCI settings page, set the
OP_SERVICE_ACCOUNT_TOKEN
environment variable to your service account's credentials so that it'll be used to load secrets.
NOTE: If either OP_CONNECT_HOST
or OP_CONNECT_TOKEN
environment variables have been set alongside OP_SERVICE_ACCOUNT_TOKEN
, the Connect credentials will take precedence over the provided service account token. You must unset the Connect environment variables to ensure the action uses the service account token.
1Password CLI needs to be available to the pipeline for the orb to function. You can install the CLI as the first step of a CircleCI job using the 1password/install-cli
command. Once installed, you can use 1Password CLI commands in subsequent steps in the pipeline.
version: 2.1
orbs:
1password: onepassword/[email protected]
jobs:
deploy:
machine:
image: ubuntu-2204:current
steps:
- 1password/install-cli
- checkout
- run:
shell: op run -- /bin/bash
environment:
AWS_ACCESS_KEY_ID: op://company/app/aws/access_key_id
AWS_SECRET_ACCESS_KEY: op://company/app/aws/secret_access_key
command: |
echo "This value will be masked: $AWS_ACCESS_KEY_ID"
echo "This value will be masked: $AWS_SECRET_ACCESS_KEY"
./deploy-my-app.sh
workflows:
deploy:
jobs:
- deploy
If you want to use the orb with a 1Password Service Account, specify the 1Password CLI version (2.18.0
or later).
version: 2.1
orbs:
1password: onepassword/[email protected]
jobs:
deploy:
machine:
image: ubuntu-2204:current
steps:
- 1password/install-cli:
version: 2.18.0
- checkout
- run:
shell: op run -- /bin/bash
environment:
AWS_ACCESS_KEY_ID: op://company/app/aws/access_key_id
AWS_SECRET_ACCESS_KEY: op://company/app/aws/secret_access_key
command: |
echo "This value will be masked: $AWS_ACCESS_KEY_ID"
echo "This value will be masked: $AWS_SECRET_ACCESS_KEY"
./deploy-my-app.sh
workflows:
deploy:
jobs:
- deploy
Another example, with Docker
description: >
Install 1Password CLI within a job and make it useable for all the commands following the installation.
usage:
version: 2.1
orbs:
1password: onepassword/[email protected]
jobs:
deploy:
machine:
image: ubuntu-2204:current
steps:
- 1password/install-cli
- checkout
- run: |
docker login -u $(op read op://company/docker/username) -p $(op read op://company/docker/password)
docker build -t company/app:${CIRCLE_SHA1:0:7} .
docker push company/app:${CIRCLE_SHA1:0:7}
workflows:
deploy:
jobs:
- deploy
First, install 1Password CLI with 1password/install-cli
. Then use the 1password/exec
command to load secrets on demand and execute commands requiring secrets. Sensitive values that may be accidentally logged will be masked. After adding the 1password/exec
command as a step in your job, you can execute commands that require secrets.
version: 2.1
orbs:
1password: onepassword/[email protected]
jobs:
deploy:
machine:
image: ubuntu-2204:current
environment:
AWS_ACCESS_KEY_ID: op://company/app/aws/access_key_id
AWS_SECRET_ACCESS_KEY: op://company/app/aws/secret_access_key
steps:
- checkout
- 1password/install-cli
- 1password/exec:
command: |
echo "This value will be masked: $AWS_ACCESS_KEY_ID"
echo "This value will be masked: $AWS_SECRET_ACCESS_KEY"
./deploy-my-app.sh
workflows:
deploy:
jobs:
- deploy
You can use 1password/export
to resolve variables at the job level.
First, install 1Password CLI with 1password/install-cli
. Then use the 1password/export
command to load the secrets with references exported in the environment. The secrets will then be available to subsequent steps of the job.
Note: Unlike 1password/exec
, the export command does not mask the secret values from the logs.
version: 2.1
orbs:
1password: onepassword/[email protected]
jobs:
deploy:
machine:
image: ubuntu-2204:current
steps:
- checkout
- 1password/install-cli
- 1password/export:
var-name: AWS_ACCESS_KEY_ID
secret-reference: op://company/app/aws/access_key_id
- 1password/export:
var-name: AWS_SECRET_ACCESS_KEY
secret-reference: op://company/app/aws/secret_access_key
- run:
command: |
echo "This value will not be masked: $AWS_ACCESS_KEY_ID"
echo "This value will not be masked: $AWS_SECRET_ACCESS_KEY"
./deploy-my-app.sh
workflows:
deploy:
jobs:
- deploy
To include a specific version of the orb, add the following in your config.yml
file (replace 1.0.0
with the desired version number):
orbs:
1password: onepassword/[email protected]
To include the latest version of 1Password Secrets orb in your project, add the following:
orbs:
1password: onepassword/secrets@volatile
When using either the 1password/exec
orb command or the op run
shell wrapper, all secrets are automatically masked from the CI log output. If secrets accidentally get logged, they will be replaced with <concealed by 1Password>
.
If you use the 1password/export
command, secrets aren't masked.
- 1Password Secrets orb CircleCI registry page . This official registry page contains information on all versions and commands.
- Learn more about using CircleCI orbs.
We welcome creating issues in and pull requests against the secrets-orb
repository!
1Password requests you practice responsible disclosure if you discover a vulnerability.
Please file requests by sending an email to [email protected].
If you find yourself stuck, visit our Support Page for help.