Use the 1Password provider for Pulumi

You can use the 1Password provider for Pulumi to access and manage items in your 1Password vaults.

Requirements

The provider can be configured to authenticate with a service account, a Connect server, or with your 1Password account details.

Service account

1Password Service Accounts allow you to restrict the provider's access to specific vaults in your 1Password account, so you can follow the principle of least privilege in your project.

To use a service account with the 1Password provider for Pulumi, you'll need:

• 1Password subscription
• 1Password CLI
• 1Password service account

Connect server

1Password Connect Servers are a good authentication option when you need unlimited requests and use self-hosted infrastructure.

Connect servers allow you to restrict the provider's access to specific vaults in your 1Password account, so you can follow the principle of least privilege in your project.

To use a Connect server with the 1Password provider for Pulumi, you'll need:

• 1Password subscription
• 1Password Connect server

Account details

When you configure the provider with your 1Password account details, the provider can access any vault in your account, and you can use Touch ID, Windows Hello, or another system authentication option with the provider.

To use your account details with the 1Password provider for Pulumi, you'll need:

• 1Password subscription
• 1Password CLI
• 1Password desktop app*
• 1Password app integration*

* To authenticate with Touch ID, Windows Hello, or another system authentication option.

Step 1: Install the 1Password provider for Pulumi

With a package manager

Node.js

To use the provider with JavaScript or TypeScript in Node.js, install using either npm or yarn:

npm

yarn

Python

To use the provider with Python, install using pip:

Go

To use the provider with Go, use go get to download the latest version:

With the provider binary

To install the 1Password provider binary, use the pulumi plugin command:

Step 2: Configure the provider with your credentials

You can provide your 1Password credentials to Pulumi in the environment or in your Pulumi configuration. Your Pulumi configuration is a good option if you want to store your credentials alongside your Pulumi stack for multi-user access.

Service account

1. Create a service account or find the token for an existing service account. Make sure the service account has access to the appropriate vaults and adequate permissions in those vaults.

2. Provide the token to Pulumi using either an environment variable or your Pulumi configuration.

   Environment variable

   Bash, Zsh, sh

   fish

   PowerShell

   Pulumi configuration

   See result...

   Make sure to pass --secret when setting sensitive data.

3. Install 1Password CLI in your PATH. If you install the CLI outside of your PATH, specify the path to your 1Password CLI binary using either an environment variable or your Pulumi configuration.

   Environment variable

   Bash, Zsh, sh

   fish

   PowerShell

   Pulumi configuration

   See result...

Connect server

1. Create a Connect server or find the host URL and token for an existing Connect server.

2. Provide the host URL and token to Pulumi using either environment variables or your Pulumi configuration.

   Environment variables

   Bash, Zsh, sh

   Host URL

   Token

   fish

   Host URL

   Token

   PowerShell

   Host URL

   Token

   Pulumi configuration

   Host URL

   See result...

   Token

   See result...

   Make sure to pass --secret when setting sensitive data.

Account details

1. Find the sign-in address or unique identifier for your 1Password account.

2. Provide your account sign-in address or identifier to Pulumi using an environment variable or your Pulumi configuration.

   Environment variable

   Bash, Zsh, sh

   fish

   PowerShell

   Pulumi configuration

   See result...

   Make sure to pass --secret when setting sensitive data.

3. Install 1Password CLI in your PATH. If you install the CLI outside of your PATH, specify the path to your 1Password CLI binary using either an environment variable or your Pulumi configuration.

   Environment variable

   Bash, Zsh, sh

   fish

   PowerShell

   Pulumi configuration

   See result...

4. To use Touch ID, Windows Hello, or another system authentication option with the provider, turn on the 1Password CLI app integration.

Step 3: Use the provider

See Pulumi's documentation to learn how to access and manage your items using the 1Password provider.

Reference

You can use either Pulumi configuration keys or environment variables to provide your 1Password credentials to Pulumi.

Configuration key	Environment variable	Description	Authentication method
pulumi-onepassword:service_account_token	OP_SERVICE_ACCOUNT_TOKEN	The string value of your 1Password Service Account token.	Service account
pulumi-onepassword:url	OP_CONNECT_HOST	The URL where your 1Password Connect Server can be found. For example: http://localhost:8080.	Connect server
pulumi-onepassword:token	OP_CONNECT_TOKEN	The string value of your Connect server token.	Connect server
pulumi-onepassword:account	OP_ACCOUNT	A 1Password account sign-in address or unique identifier.	Account details
pulumi-onepassword:op_cli_path	OP_CLI_PATH	The path to your 1Password CLI binary. Only required if 1Password CLI binary is located outside of your PATH.	Service account Account details