# onepassword/secrets

Load secrets from 1Password into your CircleCI jobs through a Connect server deployed in your infrastructure.
For more information about setting up Secrets Automation and deploying Connect, see the 1Password Developer Documentation.


## Commands

### exec

Run a command with secret environment variables loaded from 1Password.

| Parameter | Type | Default | Description |
|---|---|---|---|
| `command` | string |  | Command to execute with secrets |
| `flags` | string |  | Flags to pass to the `op run` command |
| `step-name` | string |  | Title of the step to show in the CircleCI UI |

### export

Load a secret and make it available as an environment variable to the next steps within the same job. Unlike the 1password/exec command, 1password/export does not conceal secrets from the logs.


| Parameter | Type | Default | Description |
|---|---|---|---|
| `secret-reference` | string |  | Reference to where the secret is stored in 1Password |
| `var-name` | string |  | Name of the environment variable to populate with the secret |

### install-cli

Install the 1Password CLI. Defaults to latest stable version.


| Parameter | Type | Default | Description |
|---|---|---|---|
| `path` | string | /usr/local/bin/ | Path where 1Password CLI will be installed |
| `shell` | string | /bin/bash -eo pipefail | The shell used to run the install script |
| `version` | string | 2.7.1 | Version of 1Password CLI that will be installed |

## Examples

### exec

Use the 1password/exec command to install the op CLI, load secrets on demand and execute commands requiring secrets. Sensitive values that may be accidentally logged will be masked.


```yaml
version: '2.1'
orbs:
  1password: onepassword/secrets@1.0.0
jobs:
  deploy:
    environment:
      AWS_ACCESS_KEY_ID: op://company/app/aws/access_key_id
      AWS_SECRET_ACCESS_KEY: op://company/app/aws/secret_access_key
    machine:
      image: ubuntu-2204:current
    steps:
      - 1password/install-cli
      - checkout
      - 1password/exec:
          command: |
            echo "This value will be masked: $AWS_ACCESS_KEY_ID"
            echo "This value will be masked: $AWS_SECRET_ACCESS_KEY"
            ./deploy-my-app.sh
workflows:
  deploy:
    jobs:
      - deploy
```

### export

Use the 1password/export command to load the secrets with references exported in the environment, and make them available to the subsequent steps of the job. Unlike 1password/exec, the export command does not mask the secret values from the logs.


```yaml
version: '2.1'
orbs:
  1password: onepassword/secrets@1.0.0
jobs:
  deploy:
    machine:
      image: ubuntu-2204:current
    steps:
      - 1password/install-cli
      - checkout
      - 1password/export:
          secret-reference: op://company/app/aws/access_key_id
          var-name: AWS_ACCESS_KEY_ID
      - 1password/export:
          secret-reference: op://company/app/aws/secret_access_key
          var-name: AWS_SECRET_ACCESS_KEY
      - run:
          command: |
            echo "This value will not be masked: $AWS_ACCESS_KEY_ID"
            echo "This value will not be masked: $AWS_SECRET_ACCESS_KEY"
            ./deploy-my-app.sh
workflows:
  deploy:
    jobs:
      - deploy
```
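
A pre-merge check for the caveat above, as an added example rather than part of the orb or its documentation: it scans a config for variables populated by `1password/export` and reports later lines in the same steps list that echo them or turn on shell tracing. The function name, the line-based heuristics and the sample config are assumptions made for illustration.

```python
import re

EXPORT_STEP = re.compile(r"^\s*-\s*([\w-]+)/export:\s*$")
VAR_NAME = re.compile(r"^\s*var-name:\s*([A-Za-z_]\w*)\s*$")
NEW_STEP = re.compile(r"^\s*-\s")
STEPS_KEY = re.compile(r"^\s*steps:\s*$")
PRINT_CMD = re.compile(r"\b(echo|printf)\b")
TRACE_OR_DUMP = re.compile(r"^\s*(set\s+-\w*x\w*\b.*|env|printenv)\s*$")

# Constructed sample, modelled on the export example above.
SAMPLE = """\
jobs:
  deploy:
    steps:
      - 1password/install-cli
      - 1password/export:
          secret-reference: op://company/app/aws/access_key_id
          var-name: AWS_ACCESS_KEY_ID
      - run:
          command: |
            set -x
            echo "key: $AWS_ACCESS_KEY_ID"
"""

def find_unmasked_prints(config_text, orb_alias="1password"):
    """Return (line, variable, reason) for lines that can leak an exported secret."""
    exported, in_export, findings = set(), False, []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        if STEPS_KEY.match(line):        # new steps list: exports do not carry over
            exported, in_export = set(), False
        elif step := EXPORT_STEP.match(line):
            in_export = step.group(1) == orb_alias
        elif in_export and not NEW_STEP.match(line):
            if var := VAR_NAME.match(line):   # parameter line of the export step
                exported.add(var.group(1))
        else:
            in_export = False
            if exported and TRACE_OR_DUMP.match(line):   # set -x, bare env/printenv
                findings.append((lineno, "*", "trace-or-env-dump"))
            elif exported and PRINT_CMD.search(line):
                for name in sorted(exported):
                    if re.search(r"\$\{?" + re.escape(name) + r"\b", line):
                        findings.append((lineno, name, "printed"))
    return findings

if __name__ == "__main__":
    for finding in find_unmasked_prints(SAMPLE):
        print(finding)
```

Line numbers in the findings are relative to the text passed in; the check is textual, so it does not follow secrets printed by scripts the job calls.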

### install-cli

Install the op CLI within a job and make it usable by all the steps following the installation.


```yaml
version: '2.1'
orbs:
  1password: onepassword/secrets@1.0.0
jobs:
  deploy:
    machine:
      image: ubuntu-2204:current
    steps:
      - 1password/install-cli
      - checkout
      - run: |
          # Pipe the password over stdin so it never appears in the process arguments
          op read op://company/docker/password |
            docker login -u "$(op read op://company/docker/username)" --password-stdin
          docker build -t company/app:${CIRCLE_SHA1:0:7} .
          docker push company/app:${CIRCLE_SHA1:0:7}
workflows:
  deploy:
    jobs:
      - deploy
```

### override-shell-job

Install the op CLI and use it as the shell at the job level. This makes secret injection into steps from other orbs possible.


```yaml
version: '2.1'
orbs:
  1password: onepassword/secrets@1.0.0
  docker: circleci/docker@2.1.4
jobs:
  deploy:
    environment:
      AWS_ACCESS_KEY_ID: op://company/app/aws/access_key_id
      AWS_SECRET_ACCESS_KEY: op://company/app/aws/secret_access_key
    machine:
      image: ubuntu-2204:current
    shell: op run -- /bin/bash
    steps:
      - 1password/install-cli:
          shell: /bin/bash -eo pipefail
      - checkout
      - docker/build:
          image: company/app
          step-name: build image
          tag: ${CIRCLE_SHA1:0:7}
      - docker/push:
          image: company/app
          step-name: publish image
          tag: ${CIRCLE_SHA1:0:7}
workflows:
  deploy:
    jobs:
      - deploy
```

### override-shell-step

Install the op CLI and set it as the shell on the run command level.


```yaml
version: '2.1'
orbs:
  1password: onepassword/secrets@1.0.0
jobs:
  deploy:
    machine:
      image: ubuntu-2204:current
    steps:
      - 1password/install-cli
      - checkout
      - run:
          command: |
            echo "This value will be masked: $AWS_ACCESS_KEY_ID"
            echo "This value will be masked: $AWS_SECRET_ACCESS_KEY"
            ./deploy-my-app.sh
          environment:
            AWS_ACCESS_KEY_ID: op://company/app/aws/access_key_id
            AWS_SECRET_ACCESS_KEY: op://company/app/aws/secret_access_key
          shell: op run -- /bin/bash
workflows:
  deploy:
    jobs:
      - deploy
```