{"id":1313,"date":"2025-05-15T13:00:37","date_gmt":"2025-05-15T13:00:37","guid":{"rendered":"http:\/\/www.diveintoaccessibility.com\/?p=1313"},"modified":"2025-05-19T16:24:16","modified_gmt":"2025-05-19T16:24:16","slug":"secure-secret-management-with-1password-cli","status":"publish","type":"post","link":"http:\/\/www.diveintoaccessibility.com\/index.php\/2025\/05\/15\/secure-secret-management-with-1password-cli\/","title":{"rendered":"Secure Secret Management with 1Password CLI"},"content":{"rendered":"

As developers, we often deal with sensitive data like API keys, SSH credentials, database passwords, and other secrets. Keeping them secure while ensuring easy access across different projects can be a challenge.<\/p>\n

This is where 1Password<\/a>\u2019s CLI comes in.<\/p>\n

1Password CLI<\/strong> is a command-line tool<\/a> that allows you to securely access and manage your 1Password vault without leaving the terminal. Instead of manually copying and pasting secrets, which can be tedious and risky, you can fetch credentials programmatically, automate authentication workflows, and integrate secrets management into your development processes.<\/p>\n

In this article, we\u2019ll explore how to install, configure, and use 1Password CLI to streamline your workflow while keeping your credentials secure.<\/p>\n


\n

Getting Started<\/h2>\n

If you\u2019re on macOS or Linux, the easiest way to install 1Password CLI is using Homebrew<\/a>:<\/p>\n

\r\nbrew install 1password-cli\r\n<\/pre>\n

If you\u2019re on Windows, I recommend referring to the official 1Password CLI documentation<\/a> for installation instructions.<\/p>\n

For Windows and Linux, follow the official 1Password CLI installation guide to get the appropriate setup for your system.<\/p>\n

Once installed, go to Settings\u2026 > Developer<\/strong><\/q> in the 1Password app, and check Integrate with 1Password CLI<\/strong><\/q>.<\/p>\n

Then, sign in through the Terminal with the following command and select the 1Password account you want to sign in to:<\/p>\n

\r\nop signin\r\n<\/pre>\n

Now, you\u2019re ready to securely access and manage secrets without exposing them in plain text.<\/p>\n


\n

Command-Line Secret Management<\/h2>\n

When running commands that require authentication, manually copying and pasting credentials can be both tedious and insecure. With 1Password CLI, you can retrieve secrets dynamically using the op read<\/code> command and the Secret References<\/strong><\/q>.<\/p>\n

To get a Secret Reference<\/q>, click the dropdown arrow of the value you\u2019d like to refer to within the item in 1Password<\/strong>.<\/p>\n

Then pass it to the command that requires the secret. For example, to authenticate with doctl<\/strong><\/q> using the DigitalOcean API<\/a> token, you can run:<\/p>\n

\r\ndoctl auth init --access-token \"$(op read op:\/\/Internet\/d439ada\/token)\"\r\n<\/pre>\n
\n

Environment Variables Integration<\/h2>\n

Another way you can use 1Password CLI is by setting the secrets as environment variables. This is useful when working with multiple secrets or when you need to pass them to a script or a program.<\/p>\n

If you\u2019re using Chromatic<\/a> to test your UI components, you can set the CHROMATIC_PROJECT_TOKEN<\/code> as an environment variable using the op read<\/code> command:<\/p>\n

\r\n#!\/bin\/bash\r\nexport NPM_TOKEN=$(op read op:\/\/Internet\/d439ada\/npm_token)\r\nexport CHROMATIC_PROJECT_TOKEN=$(op read op:\/\/Internet\/d439ada\/chromatic_token)\r\n\r\n# Install the dependencies, including the private ones that require NPM_TOKEN.\r\nnpm install\r\n\r\n# Chromatic will automatically use the CHROMATIC_PROJECT_TOKEN.\r\n# See https:\/\/www.chromatic.com\/docs\/cli\/#continuous-integration\r\nnpx chromatic\r\n<\/pre>\n

Then, you can run the script using the op run<\/code> command, as follows:<\/p>\n

\r\nop run -- bash chromatic.sh\r\n<\/pre>\n
\n

Shell Plugin Extensions<\/h2>\n

To make it even more seamless, you can use the Shell Plugins to integrate 1Password with popular third-party apps such as GitHub CLI<\/a>, Docker<\/a>, DigitalOcean CLI<\/a>, AWS<\/a>, HuggingFace<\/a>, OpenAI<\/a>, and many more.<\/p>\n

In this example, we are going to integrate it with the GitHub CLI. To do so, we can run:<\/p>\n

\r\nop plugin init gh\r\n<\/pre>\n

You\u2019ll be prompted to import your GitHub credentials into 1Password or select an existing 1Password item where your credentials are saved. In this case, since we\u2019ve already saved the GitHub credentials in 1Password, we can select the existing item.<\/p>\n

Then, it will ask you for the scope in which the selected credentials can be used. In this case, we\u2019ll choose to use them globally so that they work across different repositories.<\/p>\n

If this is your first time installing a shell plugin, you\u2019ll need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:<\/p>\n

\r\necho \"source \/Users\/jondoe\/.config\/op\/plugins.sh\" >> ~\/.zshrc && source ~\/.zshrc\r\n<\/pre>\n

That\u2019s it for the setup! Now, you can use the gh<\/strong><\/q> command to interact with GitHub without exposing your credentials in plain text. To test it out, run gh auth status<\/code>.<\/p>\n
\n

Conclusion<\/h2>\n

1Password CLI<\/strong> is a powerful tool that allows you to securely access and manage your secrets from the Terminal. With a little bit of setup, you can streamline your workflow and integrate secrets management into your development processes with other apps without exposing your credentials in plain text. If you haven\u2019t tried it yet, I recommend giving it a try to make your development workflow more secure and efficient.<\/p>\n

The post Secure Secret Management with 1Password CLI<\/a> appeared first on Hongkiat<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"

As developers, we often deal with sensitive data like API keys, SSH credentials, database passwords, and other secrets. Keeping them secure while ensuring easy access […]<\/p>\n","protected":false},"author":1,"featured_media":1315,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[9],"tags":[],"_links":{"self":[{"href":"http:\/\/www.diveintoaccessibility.com\/index.php\/wp-json\/wp\/v2\/posts\/1313"}],"collection":[{"href":"http:\/\/www.diveintoaccessibility.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.diveintoaccessibility.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.diveintoaccessibility.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.diveintoaccessibility.com\/index.php\/wp-json\/wp\/v2\/comments?post=1313"}],"version-history":[{"count":3,"href":"http:\/\/www.diveintoaccessibility.com\/index.php\/wp-json\/wp\/v2\/posts\/1313\/revisions"}],"predecessor-version":[{"id":1322,"href":"http:\/\/www.diveintoaccessibility.com\/index.php\/wp-json\/wp\/v2\/posts\/1313\/revisions\/1322"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/www.diveintoaccessibility.com\/index.php\/wp-json\/wp\/v2\/media\/1315"}],"wp:attachment":[{"href":"http:\/\/www.diveintoaccessibility.com\/index.php\/wp-json\/wp\/v2\/media?parent=1313"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.diveintoaccessibility.com\/index.php\/wp-json\/wp\/v2\/categories?post=1313"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.diveintoaccessibility.com\/index.php\/wp-json\/wp\/v2\/tags?post=1313"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}