Load secrets from 1Password into GitHub Actions
Load secrets from 1Password into GitHub Actions using load-secrets-action with 1Password Connect or a 1Password Service Account.
You can use the Load secrets from 1Password GitHub Action with a 1Password Connect Server or a 1Password Service Account. See the video below for a brief introduction to using the GitHub Action with a service account.
Similar to regular GitHub repository secrets, 1Password automatically masks sensitive fields that appear in GitHub Actions logs. If one of these values accidentally gets printed, it's replaced with ***.
Requirements
You can configure the action to use either a 1Password Service Account or a 1Password Connect instance.
Service account
Before using the Load secrets from 1Password GitHub Action with a service account, you must:
- Sign up for 1Password.
- Create a service account.
- Have the service account token on hand.
Connect
Before using the Load secrets from 1Password GitHub Action with a Connect server, you must:
- Sign up for 1Password.
- Create and deploy a Connect server in your infrastructure.
- Have the Connect server hostname and Connect server token on hand.
The Load secrets from 1Password GitHub Action only supports Mac and Linux runners. It doesn't work with Windows runners.
Get started
The steps to get started vary depending on whether you use a service account or a Connect server.
Service account
- Add the Load secrets from 1Password GitHub Action to your workflow.
- Add the service account token to your workflow. Create a secret for your GitHub repository named OP_SERVICE_ACCOUNT_TOKEN and set it to the service account token value. Visit Using secrets in GitHub Actions to learn how.
- Configure your workflow. Use the 1password/load-secrets-action/configure action to specify the token of the service account you plan to get secrets from. The following example uses the configure action to set the service-account-token to the OP_SERVICE_ACCOUNT_TOKEN secret.
Tip: Setting the service-account-token in the configure step makes the value available to all subsequent steps. You can limit step access to the service account token by only using it in specific steps. To use the service account token in a specific step, set it in the env variables for that step.
- Load a secret. Use the 1password/load-secrets-action action to expose a 1Password secret as an environment variable using the secrets reference syntax. The following example sets SECRET to an example value stored in the app-cicd vault within the hello-world 1Password item (referencing a field called secret).
Connect
- Add the Load secrets from 1Password GitHub Action (load-secrets-action) to your workflow.
- Add the Connect server token to your workflow. Create a secret named OP_CONNECT_TOKEN in your repository and set it to the Connect server token value. Visit Using secrets in GitHub Actions to learn how.
- Configure your workflow. Use the 1password/load-secrets-action/configure action to specify the Connect server environment variables. The following example uses the configure action to:
  - Set the connect-host to the Connect server hostname (OP_CONNECT_HOST).
  - Set the connect-token to the OP_CONNECT_TOKEN secret.
Tip: Setting the connect-token in the configure step makes the value available to all subsequent steps. You can limit step access to the Connect server token by only using it in specific steps. To use the Connect server token in a specific step, set it in the env variables for that step.
- Load a secret. Use the 1password/load-secrets-action action to expose a 1Password secret as an environment variable using the secrets reference syntax. The following example sets SECRET to an example value stored in the app-cicd vault within the hello-world 1Password item (referencing a field called secret).
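The page's config.yml listings for the steps above are not reproduced here. The following workflow is an added example, not 1Password's own code, that carries the get-started steps for both the service account path and the Connect path through to a working job: one job authenticates with the configure action and a service account, one with the configure action and a Connect server, and a third follows the tip above by scoping the service account token to the single step that needs it. Assumed rather than taken from the page: the @v2 version tags, the ubuntu-latest runner, and that the Connect hostname is stored as the repository variable OP_CONNECT_HOST (vars context) while both tokens are repository secrets.

```yaml
# Added example: get-started workflow for load-secrets-action.
# Assumptions: action tag @v2, repository secrets OP_SERVICE_ACCOUNT_TOKEN
# and OP_CONNECT_TOKEN, repository variable OP_CONNECT_HOST, and a
# 1Password item "hello-world" with a field "secret" in the "app-cicd" vault.
name: load-secrets-get-started
on: push

permissions:
  contents: read   # the workflow only needs to read the repository

jobs:
  # Job 1: authenticate with a 1Password Service Account via configure.
  with-service-account:
    runs-on: ubuntu-latest
    steps:
      - name: Configure 1Password (service account)
        uses: 1password/load-secrets-action/configure@v2
        with:
          # Makes the token available to every later step in this job.
          service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}

      - name: Load secret
        uses: 1password/load-secrets-action@v2
        env:
          # Secret reference syntax: op://<vault>/<item>/<field>
          SECRET: op://app-cicd/hello-world/secret

      - name: Use the secret
        # If the value is ever echoed, the log shows *** instead.
        run: test -n "$SECRET" && echo "SECRET was loaded"

  # Job 2: the same flow, authenticating through a 1Password Connect server.
  with-connect:
    runs-on: ubuntu-latest
    steps:
      - name: Configure 1Password (Connect)
        uses: 1password/load-secrets-action/configure@v2
        with:
          connect-host: ${{ vars.OP_CONNECT_HOST }}
          connect-token: ${{ secrets.OP_CONNECT_TOKEN }}

      - name: Load secret
        uses: 1password/load-secrets-action@v2
        env:
          SECRET: op://app-cicd/hello-world/secret

      - name: Use the secret
        run: test -n "$SECRET" && echo "SECRET was loaded"

  # Job 3: the tip from the text, without a configure step. The service
  # account token is set in this one step's env, so no other step sees it.
  with-step-scoped-token:
    runs-on: ubuntu-latest
    steps:
      - name: Load secret (token visible to this step only)
        uses: 1password/load-secrets-action@v2
        env:
          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
          SECRET: op://app-cicd/hello-world/secret

      - name: Use the secret
        run: test -n "$SECRET" && echo "SECRET was loaded"
```

Pin the action tags you actually use (ideally to a commit SHA, as for any third-party action). Note the difference in exposure: in the first two jobs the configure step hands the 1Password credential to every later step, including any third-party action that runs afterwards, whereas the third job keeps it inside one step's env.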
Reference
The following sections document the action inputs and secret reference syntax for the Load secrets from 1Password GitHub Action.
Action inputs
The following table contains the available configure action inputs.
Action input | Environment variable | Description |
---|---|---|
connect-host | OP_CONNECT_HOST | The Connect server, hostname, IP address, or instance URL. |
connect-token | OP_CONNECT_TOKEN | The Connect server token. |
service-account-token | OP_SERVICE_ACCOUNT_TOKEN | The service account token. |
Secrets reference syntax
You can make secrets available to GitHub CI/CD by including references to them in the GitHub Action configuration using secret reference syntax. Secret reference syntax is a 1Password URI that points to a specific 1Password secret by providing the vault name, item name, section name, and field name.
Visit the secret reference syntax documentation to access examples and learn more about referencing secrets.
Example
The following example shows how to reference the secret-access-key field of the aws item in the app-cicd vault.
- Vault: app-cicd
- Item: aws
- Field: secret-access-key
Usage examples
You can load secrets using the action in two ways:
Use secrets from the action's output
You can use the Load secrets from 1Password GitHub Action to access secrets as environment variables.
Service account
The following examples show how to load a secret from a service account and print the output when a push event occurs. You need to set an ID for the step to access its outputs. See outputs.<output_id>.
Simple example: the following example shows how to use a service account to load (and print) a secret (as the SECRET env variable) from 1Password. When you print a secret, 1Password automatically replaces it with ***.
Advanced example: the following example shows how to use a service account to load the username and token fields from the docker secret in 1Password (as DOCKERHUB_USERNAME and DOCKERHUB_TOKEN), then use them to log into Docker Hub.
Connect
The following examples show how to load a secret from a Connect server and print the output when a push event occurs.
Simple example: the following example shows how to use a Connect server to load (and print) a secret (as the SECRET env variable) from 1Password. When you print a secret, 1Password automatically replaces it with ***.
Advanced example: the following example shows how to use a Connect server to load the username and token fields from the docker secret in 1Password (as DOCKERHUB_USERNAME and DOCKERHUB_TOKEN), then use them to log into Docker Hub.
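The following workflow is an added example for the output-based pattern described above; it is not code from the page. It sets the action's export-env input to false, an input documented in the load-secrets-action README rather than on this page, so the values are reachable only through steps.<id>.outputs and never land in the job environment. The first run step covers the simple example (SECRET) and the docker/login-action step the advanced one. Assumed: the @v2 and @v3 action tags, a service account token in the OP_SERVICE_ACCOUNT_TOKEN repository secret, and the item and field names used in the text above.

```yaml
# Added example (not the page's own config.yml): read loaded secrets from
# the step's outputs instead of the job environment.
# Assumptions: action tags @v2 and @v3, repository secret
# OP_SERVICE_ACCOUNT_TOKEN, items "hello-world" (field "secret") and
# "docker" (fields "username", "token") in the "app-cicd" vault.
name: secrets-from-outputs
on: push

jobs:
  outputs-example:
    runs-on: ubuntu-latest
    steps:
      - name: Load secrets as step outputs
        id: op-load-secret        # required: outputs are addressed by step id
        uses: 1password/load-secrets-action@v2
        with:
          # export-env: false keeps the values out of the job environment;
          # they exist only as steps.op-load-secret.outputs.<NAME>
          export-env: false
        env:
          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
          # For Connect, replace the line above with OP_CONNECT_HOST and
          # OP_CONNECT_TOKEN, or add a configure step before this one.
          SECRET: op://app-cicd/hello-world/secret
          DOCKERHUB_USERNAME: op://app-cicd/docker/username
          DOCKERHUB_TOKEN: op://app-cicd/docker/token

      # Simple example: hand the output to the script through env rather
      # than interpolating ${{ }} into the script body, so the value is
      # never parsed as shell. The log shows *** in place of the secret.
      - name: Print masked secret
        env:
          SECRET: ${{ steps.op-load-secret.outputs.SECRET }}
        run: echo "The secret is $SECRET"

      # Advanced example: log in to Docker Hub with the two outputs.
      - name: Log in to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ steps.op-load-secret.outputs.DOCKERHUB_USERNAME }}
          password: ${{ steps.op-load-secret.outputs.DOCKERHUB_TOKEN }}
```

The output names are the env keys given to the load step. Passing an output into a run script through that step's env, as above, avoids expanding the expression into the script text, which is the usual way secrets and untrusted values end up interpreted by the shell.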
Export secrets as environment variables
You can use the Load secrets from 1Password GitHub Action to use loaded secrets output from steps.<step-id>.outputs.<secret-name>.
Service account
The following examples show how to use a service account to load a 1Password secret as an environment variable.
Simple example: the following example shows how to use a service account to load a secret as an environment variable named SECRET. When you print a secret, 1Password automatically replaces it with ***.
Advanced example: the following example shows how to use a service account to load the username and token fields from the docker secret in 1Password as environment variables named DOCKERHUB_USERNAME and DOCKERHUB_TOKEN, then uses them to log into Docker Hub. It also loads the access-key-id and secret-access-key fields from the aws secret in 1Password as environment variables named AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, then uses them to deploy to AWS.
Connect
The following examples show how to use a Connect server to load a secret from 1Password as an environment variable.
Simple example: the following example shows how to use a Connect server to load a secret as an environment variable named SECRET. When you print a secret, 1Password automatically replaces it with ***.
Advanced example: the following example shows how to use a Connect server to load the username and token fields from the docker secret in 1Password as environment variables named DOCKERHUB_USERNAME and DOCKERHUB_TOKEN, then uses them to log into Docker Hub. It also loads the access-key-id and secret-access-key fields from the aws secret in 1Password as environment variables named AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, then uses them to deploy to AWS.
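The following workflow is an added example for the environment-variable pattern described above, not the page's own config.yml. It uses the Connect configuration and the aws item, so it also shows the op://app-cicd/aws/secret-access-key reference from the secrets reference syntax section in use. The action exports to the environment by default (export-env defaults to true in the README), so a later step reads the values through the env context. Assumed: the @v2 and @v4 action tags, OP_CONNECT_HOST as a repository variable and OP_CONNECT_TOKEN as a repository secret; the region and the deploy command are placeholders.

```yaml
# Added example (not the page's own config.yml): secrets exported as
# environment variables, which is the action's default behaviour.
# Assumptions: action tags @v2 and @v4, Connect hostname in the repository
# variable OP_CONNECT_HOST and token in the secret OP_CONNECT_TOKEN, an
# "aws" item in the "app-cicd" vault with "access-key-id" and
# "secret-access-key" fields; the region and deploy command are placeholders.
name: secrets-as-env-vars
on: push

permissions:
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Configure 1Password (Connect)
        uses: 1password/load-secrets-action/configure@v2
        with:
          connect-host: ${{ vars.OP_CONNECT_HOST }}
          connect-token: ${{ secrets.OP_CONNECT_TOKEN }}

      # With the default export-env: true, each key below becomes an
      # environment variable for every subsequent step in the job.
      - name: Load AWS credentials from 1Password
        uses: 1password/load-secrets-action@v2
        env:
          AWS_ACCESS_KEY_ID: op://app-cicd/aws/access-key-id
          AWS_SECRET_ACCESS_KEY: op://app-cicd/aws/secret-access-key

      # Later steps read the exported variables through the env context.
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1            # placeholder region

      - name: Deploy
        # Placeholder deploy command; the AWS CLI uses the credentials
        # configured by the previous step.
        run: aws s3 sync ./build "s3://example-bucket" --delete
```

Because exported variables reach every later step, including any third-party action in the job, this pattern suits credentials that several steps need; for a credential used by a single step, the output-based pattern or a step-scoped env keeps its exposure narrower.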
Troubleshooting
If you try to create items using 1Password CLI in your GitHub pipelines (without using load-secrets-action), the command fails with the following error:
For example, the following results in an error:
The pipeline environment is in piped mode. This triggers the CLI's pipe detection, which expects a piped input.
To create items in this environment, use a JSON template with your item details.
Get the template for the category of item you want to create:
Edit the template to add your information.
Pipe the item content to the command:
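The following is an added example of the template-based item creation described above, not code from the page, written as a GitHub Actions job so that it runs in the same piped, non-interactive environment the troubleshooting section describes. Assumed: 1password/install-cli-action@v1 to install the CLI, a service account permitted to write to the app-cicd vault, a NEW_ITEM_PASSWORD repository secret supplying the password, that the Login template's field ids are username and password, and that op item create reads the item JSON from its standard input when piped (check the template output and op item create help for your CLI version).

```yaml
# Added example: creating a 1Password item from a GitHub Actions job.
# Assumptions: 1password/install-cli-action@v1 installs the op CLI, the
# service account can write to the "app-cicd" vault, NEW_ITEM_PASSWORD is a
# repository secret, and the Login template returned by
# `op item template get Login` has fields with ids "username" and "password".
name: create-item-from-pipeline
on: workflow_dispatch

jobs:
  create-item:
    runs-on: ubuntu-latest
    env:
      OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
    steps:
      - name: Install 1Password CLI
        uses: 1password/install-cli-action@v1

      - name: Create a Login item from a JSON template
        env:
          # Constructed values; the password comes from a repository secret
          # rather than being written into the workflow file.
          NEW_USERNAME: ci-deploy-user
          NEW_PASSWORD: ${{ secrets.NEW_ITEM_PASSWORD }}
        run: |
          set -euo pipefail
          # 1. Get the template for the item category you want to create.
          op item template get Login > login.json
          # 2. Edit the template (jq is preinstalled on ubuntu runners).
          jq --arg u "$NEW_USERNAME" --arg p "$NEW_PASSWORD" \
             '.title = "ci-login"
              | .fields |= map(
                  if .id == "username" then .value = $u
                  elif .id == "password" then .value = $p
                  else . end)' login.json > item.json
          # 3. Pipe the item content to the command. The piped JSON is what
          #    the CLI's pipe detection expects in this environment.
          cat item.json | op item create --vault app-cicd
          # Do not leave the plaintext item on the runner's disk.
          rm -f item.json login.json
```

The edited template holds the password in plaintext for the duration of the step, which is why it is removed immediately after the create call; the runner is ephemeral, but the same script may also be run on a long-lived self-hosted runner.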