Azure Function #129

Merged
accraw merged 9 commits into main from accraw/azure-function
Apr 29, 2026
@accraw (Contributor) commented Apr 28, 2026

Summary

Adds a portal-driven reference implementation for customers running 1Password automation on Azure. Covers item creation and share link generation from an HTTP-triggered Azure Function App, using the Python SDK rather than the op CLI to avoid the containerization barrier that blocks most customers on this stack.

Why

Customers automating credential workflows on Azure consistently hit the same wall: the op CLI requires a custom container image (Dockerfile + Azure Container Registry + image build pipeline), and most application/automation teams don't have container experience. The 1Password Connect Server is the documented alternative, but it can't generate share links — which is the most common ask alongside item creation.
This reference uses the Python SDK as a pip dependency, which Azure Functions installs via requirements.txt on the Flex Consumption plan. No container work, no Connect Server, full share-link support.

Files added

  • README.md — full step-by-step deployment guide, written for customer hand-off. Covers 1Password setup (vault + service account), Azure infra (resource group, Key Vault, Function App, managed identity, Key Vault references), code, GitHub Actions deployment with the Flex Consumption remote-build: true requirement, smoke testing, webhook caller patterns, and a security hardening checklist.
  • function_app.py — HTTP-triggered function. Validates request body, creates a Login item in the configured vault, generates a share link via client.items.shares.create, returns { itemId, vaultId, shareLink, expireAfter, oneTimeOnly }.
  • requirements.txt — azure-functions and onepassword-sdk.
  • host.json — standard Functions host config with Application Insights sampling.

Testing

  • End-to-end deploy verified on Flex Consumption (Python 3.11) via the GitHub Actions path documented in Part D.
  • items.create and items.shares.create confirmed working against a service account with Read/Write/Share on a dedicated vault.
  • Three common failure modes documented in the troubleshooting section, each with the exact error string customers will see:
      - ModuleNotFoundError: No module named 'onepassword' — missing remote-build: true on Flex Consumption
      - data did not match any variant of untagged enum Invocation — raw dicts passed where the SDK expects typed Pydantic models (e.g., Website requires autofill_behavior)
      - Key Vault reference resolution failures from missing managed identity role assignment

Notes for reviewers

  • SDK version pinning: requirements.txt currently lists onepassword-sdk unpinned. Class shapes (ItemCreateParams, Website, ItemShareParams, etc.) have shifted across 0.3.x → 0.4.x. Recommend pinning to a known-good version before pointing customers at this — happy to take a suggestion on which.
  • Share API surface: the share flow uses client.items.shares.get_account_policy and validate_recipients based on the published example. If those method names have moved in the version we pin to, the share block needs to be aligned.
  • Scope intentionally minimal: function key auth only, no rate limiting, no input sanitization beyond required-field checks, no caller allow-listing. The README's security checklist flags these as customer responsibilities; if we want any of them in-template, happy to add.
  • PowerShell appendix: kept as a fallback sketch for shops that can't adopt Python. Not a full implementation — just enough to point a customer in the right direction if they push back on Python.
  • Customer-neutral language: scrubbed of any specific customer references; intended to be shareable as-is.

Out of scope

  • Email delivery of the share link (left to the caller — Jira Automation, Logic Apps, ACS, etc.)
  • Bicep / ARM / Terraform templates for the Azure infra
  • An equivalent AWS / GCP version
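
The scope note in the description above leaves input sanitization and caller allow-listing to the customer. As an added example (not code from this PR or from 1Password), here is a stricter body validator that could run before any SDK call; the request field names, length limits, duration labels and the example.com recipient allow-list are assumptions, since the PR page does not show the function's schema.

```python
import re

# Hypothetical schema: the PR page does not list the function's request fields.
TEXT_LIMITS = {"title": 128, "username": 256, "password": 1024}
OPTIONAL = {"expireAfter", "oneTimeOnly"}
ALLOWED_EXPIRY = {"OneHour", "OneDay", "SevenDays"}  # assumed duration labels
ALLOWED_DOMAINS = {"example.com"}                    # constructed allow-list
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def validate_share_request(body):
    """Return (clean, errors); clean is None if any check fails."""
    if not isinstance(body, dict):
        return None, ["body must be a JSON object"]
    errors, clean = [], {}
    unknown = set(body) - set(TEXT_LIMITS) - OPTIONAL - {"recipients"}
    if unknown:
        errors.append("unknown fields: " + ", ".join(sorted(unknown)))
    for name, limit in TEXT_LIMITS.items():
        value = body.get(name)
        if not isinstance(value, str) or not value:
            errors.append(f"{name}: required non-empty string")
        elif len(value) > limit:
            errors.append(f"{name}: longer than {limit} characters")
        elif name != "password" and CONTROL_RE.search(value):
            errors.append(f"{name}: control characters not allowed")
        else:
            clean[name] = value
    recipients = body.get("recipients")
    if not isinstance(recipients, list) or not 1 <= len(recipients) <= 5:
        errors.append("recipients: list of 1 to 5 addresses required")
    else:
        clean["recipients"] = []
        for i, addr in enumerate(recipients):
            # fullmatch rejects trailing newlines that "$" would let through
            m = EMAIL_RE.fullmatch(addr) if isinstance(addr, str) else None
            if m and m.group(1).lower() in ALLOWED_DOMAINS:
                clean["recipients"].append(addr.lower())
            else:
                errors.append(f"recipients[{i}]: not an allowed address")
    expiry = body.get("expireAfter", "OneDay")
    if not isinstance(expiry, str) or expiry not in ALLOWED_EXPIRY:
        errors.append("expireAfter: not an allowed duration")
    one_time = body.get("oneTimeOnly", True)
    if not isinstance(one_time, bool):
        errors.append("oneTimeOnly: must be a boolean")
    clean.update(expireAfter=expiry, oneTimeOnly=one_time)
    return (None, errors) if errors else (clean, [])
```

Error strings name the field or index only and never echo submitted values, so a rejected request does not copy a password into the HTTP response or Application Insights.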

@scottisloud self-requested a review April 28, 2026 21:55

@scottisloud (Collaborator) left a comment

Successful test. Some comments in the documentation and I would love to bundle this into an ARM template or something to reduce some manual toil, but overall this works, does what it says on the box, and is a stupidly custom integration!

Comment thread 1password/onepassword_sdks/demo-azure-function-create-item-and-share/README.md Outdated

@ag-rdoucette self-requested a review April 29, 2026 12:35

@ag-rdoucette (Contributor) left a comment

Changes look good, tested and works great!

LGTM!

@accraw dismissed scottisloud’s stale review April 29, 2026 12:36

Requested changes made and committed!

@accraw merged commit 78afbb9 into main Apr 29, 2026