Skip to main content

run

Pass secrets as environment variables to an application or script.

Flags

Use op run to securely load project secrets from 1Password, then run a provided command in a subprocess with the secrets made available as environment variables only for the duration of the subprocess.

To limit which 1Password items processes in your authorized terminal session can access, make sure to authenticate 1Password CLI with a service account that only has access to the required secrets. You can scope service accounts to specific vaults and 1Password Environments.

Learn more about service accounts.

Learn more about loading secrets with op run.

Load secrets using secret references

op run can scan environment variables and files for secret references, then load the provided command with the referenced secrets made available as environment variables.

Secret references are URIs that point to the ID or name of the vault, item, section, and field where a secret is stored in 1Password. You can export environment variables to secret references on the command line or using an .env file.

Secrets printed to stdout or stderr are concealed by default. Include the --no-masking flag to turn off masking.

When referencing an environment variable assigned to a secret reference within a command, op run must replace the reference with the actual secret value before the variable expands. To make sure this order of operations is followed, run the command that expands the variable in a subshell.

Load variables from environments Beta

note

The --environments flag is available in the latest beta build of 1Password CLI, version 2.33.0-beta.02 or later.

Use op run with the --environments flag and an Environment's ID to load variables from a 1Password Environment.

To find an Environment's ID, open the 1Password app, navigate to Developer > View Environments > then select View environment > Manage environment > Copy environment ID.

Load variables from a 1Password Environment:

Environment variable precedence

If the same environment variable name exists in multiple sources, the source with higher precedence takes effect. Precedence from highest to lowest:

  1. 1Password Environments (--environment)
  2. Environment files (--env-file)
  3. Shell environment variables

If the same environment variable name exists in multiple environment files, the last environment file takes precedence.

If the same environment variable name exists in multiple 1Password Environments, the last Environment specified takes precedence.

Examples

Print secret value:

Specify an environment file and use it:

Use variables in secret references to switch between different sets of secrets for different environments:

Was this page helpful?