Use service accounts with 1Password CLI

You can use 1Password Service Accounts with 1Password CLI to manage vaults and items. See supported commands.

Requirements

Before you use service accounts with 1Password CLI, you need to:

• Sign up for 1Password.
• Install 1Password CLI.
  Service Accounts require 1Password CLI version 2.18.0 or later.
• Create a service account.

Get started

To use a service account with 1Password CLI:

1. Set the OP_SERVICE_ACCOUNT_TOKEN environment variable to the service account token:

   bash, sh, zsh

   fish

   Powershell

2. Run the following command to make sure the service account is configured:

   See result...

caution

If you have 1Password CLI configured to work with 1Password Connect, the OP_CONNECT_HOST and OP_CONNECT_TOKEN environment variables take precedence over OP_SERVICE_ACCOUNT_TOKEN.

Clear the Connect environment variables to configure a service account instead.

Supported commands

You can now run supported 1Password CLI commands authenticated as the service account:

• op read
• op inject
• op service-account ratelimit

• op run
• op vault create

To use the following commands, you must specify a vault with the --vault flag if the service account has access to more than one vault:

• op item

• op document

The following commands are only supported for vaults created by the service account:

• op vault delete
• op vault group grant
• op vault user grant

• op vault group revoke
• op vault user revoke

Unsupported commands

When using a service account, the following commands aren't supported:

• op group
• op user provision
• op user confirm
• op user suspend
• op user delete

• op events-api
• op vault edit

Although service accounts support some user, group, and vault management commands, we recommend against using them because a full provisioning workflow isn't supported:

• op user get
• op user list

• op group get
• op group list

Commands that make multiple requests

Service accounts have hourly and daily limits on the total number of requests the service account can make.

You can sometimes reduce the number of requests made by passing a vault or item's unique identifier (ID) instead of its name.

1Password CLI commands make one request unless otherwise noted. The following commands make more than one request:

Command	Total requests	Notes
op item list	1 + 1 per vault the service account has access to	To limit total requests to 3, list items in a specific vault using the --vault flag. Pass the vault's ID to further limit requests to 2.
op item get	3 reads	To reduce to 1 request, pass the item and vault IDs.
op item create	1 read and 1 write	To reduce to 1 request, pass the vault ID.
op item delete	5 reads and 1 write	To reduce the read requests by 1, pass the vault ID.
op item edit	5 reads and 1 write	To reduce the read requests by 1, pass the vault ID.
op read	3 reads	To reduce to 1 request, pass the item and vault IDs.
op vault delete	2 reads + 1 write	To reduce the read requests by 1, pass the vault ID.
op vault edit	up to 3 writes	The number of requests may vary depending on how many changes are made with a single command.
op vault get	2 reads	To reduce the read requests by 1, pass the vault ID.