Use 1Password CLI with a Connect server
You can use 1Password CLI with a Connect server to provision secrets and retrieve items on the command line.
Requirements
Before you can use 1Password CLI with a Connect server, you must:
- Sign up for 1Password.
- Deploy 1Password Connect.
- Make a Connect server accessible to your production environment.
- Install 1Password CLI in your production environment.
- Set the
OP_CONNECT_HOST
andOP_CONNECT_TOKEN
environment variables to a Connect instance's credentials in your production environment.
Get started
After you complete the requirement steps, you can use the following 1Password CLI commands with a Connect server:
Vist the command documentation for more information.
Continuous integration (CI) environments
You can also use 1Password CLI with a Connect server in a continuous integration (CI) pipeline. 1Password CLI allows you to use secret references in place of plaintext secrets in code. You can configure a CI environment to pass different sets of secrets for different environments.
Secret references work well within infrastructure as code tools and CI configurations because you can define them alongside other configurations.
GitLab CI example
The following code block shows an example GitLab CI configuration file that implements a MySQL service. See GitLabs .gitlab-ci.yml
documentation .
.gitlab-ci.yml
To authenticate 1Password CLI in the CI pipeline, add the OP_CONNECT_HOST and OP_CONNECT_TOKEN environment variables to a CI configuration file. The presence of these environment variables tells 1Password CLI to use the Connect server to fetch secrets.
The following code block expands the GitLab CI example to include the Connect environment variables.
.gitlab-ci.yml
Learn more
Replace plaintext secrets with secret references
Learn how to create and use secret references to avoid putting plaintext secrets in code.
Load secrets into the environment
Learn how to source secrets from the environment into your applications.
Load secrets into config files
Learn how to load secrets automatically into config files without putting any plaintext secrets in code.