Skip to main content

run

Pass secrets as environment variables to a process.

Flags

Runs the given command in a subprocess. Environment variables of the parent process are passed down to the subprocess, with all secret references replaced with their corresponding secret value.

Masking

If secrets accidentally get printed by the subprocess to stdout or stderr, they'll automatically be concealed. You can turn off masking using the --no-masking flag.

Duplicate environment variables

If the same environment variable name exists in both the shell and the .env file, but are referencing different secrets, the variable set in the .env file will be used.

Use same .env file for multiple sets of secrets

You can set a $VARIABLE_NAME in your .env file to use the same file for different sets of secrets. This is useful, for example, when you have a set of secrets for the dev environment and another one for the production one.

You can use the following secret reference syntax to refer to secrets saved in 1Password:

The vault, item, section, and field references can be specified by name or ID.

For example, op://dev/Stripe/publishable-key references the publishable-key field (not part of any section) of the Stripe item in the dev vault.

You can specify each part of a secret reference using its name or ID. Reference names cannot contain special characters other than hyphens (-) and underscores (_). If any part of a secret reference includes a whitespace, enclose the entire secret reference in quotation marks.

1Password CLI cannot resolve duplicate names in secret references. Either rename the field, section, item, or vault to a unique name or specify them by ID instead.

You can use secret references to retrieve the content of item file fields. However, Document items can't be referenced.

When OP_CONNECT_HOST and OP_CONNECT_TOKEN are set, the configured Connect server is used to fetch secrets. When no Connect server is configured, secrets are fetched directly from 1password.com, which requires an op signin first.

Examples

Print secret value:

Specify a .env file and use it:

Note that in the first and second examples, the same environment variable DB_PASSWORD is set to different secrets. In this case the value set in the .env file will be used.

Use the same .env file for different sets of secrets:

Was this page helpful?