Load secrets from 1Password into GitHub Actions

Load secrets from 1Password into GitHub Actions using load-secrets-action with 1Password Connect or a 1Password Service Account.

You can use the Load secrets from 1Password GitHub Action with 1Password Connect Server or a 1Password Service Account. See the video below to for a brief introduction to using the GitHub Action with a service account.

info

Similar to regular GitHub repository secrets , 1Password automatically masks sensitive fields that appear in GitHub Actions logs. If one of these values accidentally gets printed, it's replaced with ***.

Requirements

You can configure the action to use either a 1Password Service Account or a 1Password Connect instance.

Service account

Before using the Load secrets from 1Password GitHub Action with a service account, you must:

• Sign up for 1Password.
• Create a service account.
• Have the service account token on hand.

Connect

Before using the Load secrets from 1Password GitHub Action with a Connect server, you must:

• Sign up for 1Password.
• Create and deploy a Connect server in your infrastructure.
• Have the Connect server hostname and Connect server token on hand.

caution

The Load secrets from 1Password GitHub Action only supports Mac and Linux runners . It doesn't work with Windows runners.

Get started

The steps to get started vary depending on whether you use a service account or a Connect server.

Service account

1. Add the Load secrets from 1Password GitHub Action to your workflow.

   See Adding an action to your workflow .

2. Add the service account token to your workflow.

   Create a secret for your GitHub repository named OP_SERVICE_ACCOUNT_TOKEN and set it to the service account token value.

   Visit Using secrets in GitHub Actions to learn how.

3. Configure your workflow.

   Use the 1password/load-secrets-action/configure action to specify the token of the service account you plan to get secrets from.

   The following example uses the configure command to set the service-account-token to the OP_SERVICE_ACCOUNT_TOKEN secret.

   config.yml
   tip

   Setting the service-account-token in the configure step makes the value available to all subsequent steps. You can limit step access to the service account token by only using the service account token in specific steps.

   To use the service account token in a specific step, set it in the env variables for that step.

   config.yml

4. Load a secret.

   Use the 1password/load-secrets-action action to use a 1Password secret as an environment variable using the secrets reference syntax.

   The following example sets SECRET to an example value stored in the app-cicd vault within the hello-world 1Password item (referencing a field called secret).

   config.yml

Connect

1. Add the Load secrets from 1Password GitHub Action (load-secrets-action) to your workflow.

   See Adding an action to your workflow .

2. Add the Connect server token to your workflow.

   Create a secret named OP_CONNECT_TOKEN in your repository and set it to the Connect server token value.

   Visit Using secrets in GitHub Actions to learn how.

3. Configure your workflow.

   Use the 1password/load-secrets-action/configure action to specify the Connect server environment variable.

   The following example uses the configure command to:

   • Set the connect-host to the Connect server hostname (OP_CONNECT_HOST).
   • Set the connect-token to the OP_CONNECT_TOKEN secret.
     
     

   config.yml
   tip

   Setting the connect-token in the configure step makes the value available to all subsequent steps. You can limit step access to the service account token by only using the service account token in specific steps.

   To use the service account token in a specific step, set it in the env variables for that step.

   config.yml

4. Load a secret.

   Use the 1password/load-secrets-action action to use a 1Password secret as an environment variable using the secrets reference syntax.

   The following example sets SECRET to an example value stored in the app-cicd vault within the hello-world 1Password item (referencing a field called secret).

   config.yml

Reference

The following sections document the action inputs and secret reference syntax for the Load secrets from 1Password GitHub Action .

Action inputs

The following table contains the available configure action inputs.

Action input	Environment variable	Description
connect-host	OP_CONNECT_HOST	The Connect server, hostname, IP address, or instance URL.
connect-token	OP_CONNECT_TOKEN	The Connect server token.
service-account-token	OP_SERVICE_ACCOUNT_TOKEN	The service account token.

Secrets reference syntax

You can make secrets available to GitHub CI/CD by including references to them in the GitHub Action configuration using secret reference syntax. Secret reference syntax is a 1Password URI that points to a specific 1Password secret by providing the vault name, item name, section name, and field name.

Visit the secret reference syntax documentation to access examples and learn more about referencing secrets.

Example

The following example shows how to reference the secret-access-key field of the aws item in the app-cicd vault.

config.yml

• Vault: app-cicd
• Item: aws
• Field: secret-access-key

Usage examples

You can load secrets using the action in two ways:

1. Use secrets from the action's output
2. Export secrets as environment variables

Use secrets from the action's output

You can use the Load secrets from 1Password GitHub Action to access secrets as environment variables.

Service account

The following examples show how to load a secret from a service account and print the output when a push event occurs.

You need to set an ID for the step to access its outputs. See outputs.<output_id> .

Simple example

The following example shows how to use a service account to load (and print) a secret (as the SECRET env variable) from 1Password. When you print a secret, 1Password automatically replaces it with ***.

config.yml

Advanced example

The following example shows how to use a service account to load the username and token fields from the docker secret in 1Password (as DOCKERHUB_USERNAME and DOCKERHUB_TOKEN), then use them to log into Docker Hub.

config.yml

Connect

The following examples show how to load a secret from a Connect server and print the output when a push event occurs.

Simple example

The following example shows how to use a Connect server to load (and print) a secret (as the SECRET env variable) from 1Password. When you print a secret, 1Password automatically replaces it with ***.

config.yml

Advanced example

The following example shows how to use a Connect server to load the username and token fields from the docker secret in 1Password (as DOCKERHUB_USERNAME and DOCKERHUB_TOKEN), then use them to log into Docker Hub.

config.yml

Export secrets as environment variables

You can use the Load secrets from 1Password GitHub Action to use loaded secret outputted from the steps.step-id.outputs.secret-name.

Service account

The following examples show how to use a service account to load a 1Password secret as an environment variable.

Simple example

The following example shows how to use a service account to load a secret as an environment variable named SECRET. When you print a secret, 1Password automatically replaces it with ***.

config.yml

Advanced example

The following example shows how to use a service account to load the username and token fields from the docker secret in 1Password as environment variables named DOCKERHUB_USERNAME and DOCKERHUB_TOKEN, then uses them to log into Docker Hub.

It also loads the access-key-id and secret-access-key fields from the aws secret in 1Password as environment variables named AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, then uses them to deploy to AWS.

config.yml

Connect

The folowing examples show how to use a Connect server to load a secret from 1Password as an environment variable.

Simple example

The following example shows how to use a Connect server to load a secret as an environment variable named SECRET. When you print a secret, 1Password automatically replaces it with ***.

config.yml

Advanced example

The following example shows how to use a Connect server to load the username and token fields from the docker secret in 1Password as environment variables named DOCKERHUB_USERNAME and DOCKERHUB_TOKEN, then uses them to log into Docker Hub.

It also loads the access-key-id and secret-access-key fields from the aws secret in 1Password as environment variables named AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, then uses them to deploy to AWS.

config.yml

Troubleshooting

If you try to create items using 1Password CLI in your GitHub pipelines (without using load-secrets-action), the command fails with the following error:

For example, the following results in an error:

The pipeline environment is in piped mode. This triggers the CLI's pipe detection, which expects a piped input.

To create items in this environment, use a JSON template with your item details.

1. Get the template for the category of item you want to create:

2. Edit the template to add your information.

3. Pipe the item content to the command: