With the 1Password Secrets orb for CircleCI, you can load secrets from 1Password into CircleCI CI/CD pipelines and sync them automatically. Using this orb removes the risk of exposing plaintext secrets in code.
You can use the orb with 1Password Connect Server or a 1Password Service Account.
This orb is officially supported and maintained by 1Password, but community contributions are welcome.
Read more on the 1Password Developer Portal.
Before you get started, if you want to use Connect, you'll need to:
- Set up a Secrets Automation workflow.
- Deploy 1Password Connect in your infrastructure.
- On the CircleCI settings page, set the
OP_CONNECT_HOSTandOP_CONNECT_TOKENenvironment variables to your Connect instance's credentials so that it'll be used to load secrets.
If you want to use Service Accounts, you'll need to:
- Create a service account.
- On the CircleCI settings page, set the
OP_SERVICE_ACCOUNT_TOKENenvironment variable to your service account's credentials so that it'll be used to load secrets.
NOTE: If either OP_CONNECT_HOST or OP_CONNECT_TOKEN environment variables have been set alongside OP_SERVICE_ACCOUNT_TOKEN, the Connect credentials will take precedence over the provided service account token. You must unset the Connect environment variables to ensure the action uses the service account token.
1Password CLI needs to be available to the pipeline for the orb to function. You can install the CLI as the first step of a CircleCI job using the 1password/install-cli command. Once installed, you can use 1Password CLI commands in subsequent steps in the pipeline.
version: 2.1
orbs:
1password: onepassword/secrets@1.0.0
jobs:
deploy:
machine:
image: ubuntu-2204:current
steps:
- 1password/install-cli
- checkout
- run:
shell: op run -- /bin/bash
environment:
AWS_ACCESS_KEY_ID: op://company/app/aws/access_key_id
AWS_SECRET_ACCESS_KEY: op://company/app/aws/secret_access_key
command: |
echo "This value will be masked: $AWS_ACCESS_KEY_ID"
echo "This value will be masked: $AWS_SECRET_ACCESS_KEY"
./deploy-my-app.sh
workflows:
deploy:
jobs:
- deployIf you want to use the orb with a 1Password Service Account, specify the 1Password CLI version (2.18.0 or later).
version: 2.1
orbs:
1password: onepassword/secrets@1.0.0
jobs:
deploy:
machine:
image: ubuntu-2204:current
steps:
- 1password/install-cli:
version: 2.18.0
- checkout
- run:
shell: op run -- /bin/bash
environment:
AWS_ACCESS_KEY_ID: op://company/app/aws/access_key_id
AWS_SECRET_ACCESS_KEY: op://company/app/aws/secret_access_key
command: |
echo "This value will be masked: $AWS_ACCESS_KEY_ID"
echo "This value will be masked: $AWS_SECRET_ACCESS_KEY"
./deploy-my-app.sh
workflows:
deploy:
jobs:
- deployAnother example, with Docker
description: >
Install 1Password CLI within a job and make it useable for all the commands following the installation.
usage:
version: 2.1
orbs:
1password: onepassword/secrets@1.0.0
jobs:
deploy:
machine:
image: ubuntu-2204:current
steps:
- 1password/install-cli
- checkout
- run: |
docker login -u $(op read op://company/docker/username) -p $(op read op://company/docker/password)
docker build -t company/app:${CIRCLE_SHA1:0:7} .
docker push company/app:${CIRCLE_SHA1:0:7}
workflows:
deploy:
jobs:
- deployFirst, install 1Password CLI with 1password/install-cli. Then use the 1password/exec command to load secrets on demand and execute commands requiring secrets. Sensitive values that may be accidentally logged will be masked. After adding the 1password/exec command as a step in your job, you can execute commands that require secrets.
version: 2.1
orbs:
1password: onepassword/secrets@1.0.0
jobs:
deploy:
machine:
image: ubuntu-2204:current
environment:
AWS_ACCESS_KEY_ID: op://company/app/aws/access_key_id
AWS_SECRET_ACCESS_KEY: op://company/app/aws/secret_access_key
steps:
- checkout
- 1password/install-cli
- 1password/exec:
command: |
echo "This value will be masked: $AWS_ACCESS_KEY_ID"
echo "This value will be masked: $AWS_SECRET_ACCESS_KEY"
./deploy-my-app.sh
workflows:
deploy:
jobs:
- deployYou can use 1password/export to resolve variables at the job level.
First, install 1Password CLI with 1password/install-cli. Then use the 1password/export command to load the secrets with references exported in the environment. The secrets will then be available to subsequent steps of the job.
Note: Unlike 1password/exec, the export command does not mask the secret values from the logs.
version: 2.1
orbs:
1password: onepassword/secrets@1.0.0
jobs:
deploy:
machine:
image: ubuntu-2204:current
steps:
- checkout
- 1password/install-cli
- 1password/export:
var-name: AWS_ACCESS_KEY_ID
secret-reference: op://company/app/aws/access_key_id
- 1password/export:
var-name: AWS_SECRET_ACCESS_KEY
secret-reference: op://company/app/aws/secret_access_key
- run:
command: |
echo "This value will not be masked: $AWS_ACCESS_KEY_ID"
echo "This value will not be masked: $AWS_SECRET_ACCESS_KEY"
./deploy-my-app.sh
workflows:
deploy:
jobs:
- deployTo include a specific version of the orb, add the following in your config.yml file (replace 1.0.0 with the desired version number):
orbs:
1password: onepassword/secrets@1.0.0To include the latest version of 1Password Secrets orb in your project, add the following:
orbs:
1password: onepassword/secrets@volatileWhen using either the 1password/exec orb command or the op run shell wrapper, all secrets are automatically masked from the CI log output. If secrets accidentally get logged, they will be replaced with <concealed by 1Password>.
If you use the 1password/export command, secrets aren't masked.
- 1Password Secrets orb CircleCI registry page . This official registry page contains information on all versions and commands.
- Learn more about using CircleCI orbs.
We welcome creating issues in and pull requests against the secrets-orb repository!
1Password requests you practice responsible disclosure if you discover a vulnerability.
Please file requests through BugCrowd.
For information about our security practices, visit the 1Password Security homepage.
If you find yourself stuck, visit our Support Page for help.