1Password Cheat Sheet
Overview
1Password is a password management and secrets automation platform that securely stores passwords, API keys, SSH keys, credit cards, and other sensitive data with end-to-end encryption. Beyond personal password management, 1Password offers developer-focused tools including a CLI, SSH agent, secrets automation for CI/CD, and Connect Server for infrastructure secrets injection.
1Password provides team and enterprise features including shared vaults, fine-grained access controls, event logging, SCIM provisioning, and SSO integration. The 1Password CLI (op) enables scriptable access to vault items, while 1Password Connect and Service Accounts provide machine-to-machine secrets management for DevOps workflows.
Installation
```bash
# CLI - macOS
brew install 1password-cli

# CLI - Linux (Debian/Ubuntu)
curl -sS https://downloads.1password.com/linux/keys/1password.asc | \
  sudo gpg --dearmor --output /usr/share/keyrings/1password-archive-keyring.gpg
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/1password-archive-keyring.gpg] https://downloads.1password.com/linux/debian/amd64 stable main" | \
  sudo tee /etc/apt/sources.list.d/1password.list
sudo apt update && sudo apt install 1password-cli

# CLI - Arch Linux
sudo pacman -S 1password-cli

# Verify installation
op --version

# 1Password Connect Server (Docker)
docker pull 1password/connect-api
docker pull 1password/connect-sync
```
CLI Authentication
```bash
# Sign in interactively
eval $(op signin)

# Sign in with service account token
export OP_SERVICE_ACCOUNT_TOKEN="ops_..."

# Check who is signed in
op whoami

# List accounts
op account list

# Sign out
op signout
```
Vault Operations
```bash
# List vaults
op vault list

# Get vault details
op vault get "Personal"

# Create a vault
op vault create "DevOps Secrets" --description "Infrastructure credentials"

# List items in a vault
op item list --vault "Personal"

# Search across all vaults
op item list --tags "production"
```
Item Management
```bash
# Get an item
op item get "GitHub Token"

# Get specific field
op item get "GitHub Token" --fields password
op item get "GitHub Token" --fields label=token

# Get as JSON
op item get "GitHub Token" --format json

# Get OTP
op item get "GitHub" --otp

# Create a login item
# (values given as arguments end up in shell history and the process list)
op item create \
  --category login \
  --title "Production Database" \
  --vault "DevOps Secrets" \
  --url "https://db.example.com" \
  username=admin \
  password=SecureP@ss123!

# Create with generated password
op item create \
  --category login \
  --title "New Service" \
  --vault "DevOps Secrets" \
  --generate-password=32,letters,digits,symbols

# Create a secure note
op item create \
  --category "Secure Note" \
  --title "Deployment Runbook" \
  --vault "DevOps Secrets" \
  notesPlain="Step 1: ..."

# Create an API credential
op item create \
  --category "API Credential" \
  --title "Stripe API Key" \
  --vault "DevOps Secrets" \
  credential="sk_live_..."

# Edit an item
op item edit "Production Database" password="NewPassword456!"

# Delete an item
op item delete "Old Credential"

# Move item to different vault
op item move "GitHub Token" --current-vault "Personal" --destination-vault "DevOps Secrets"
```
Secret References
```bash
# Use secret references in shell
export DB_PASSWORD=$(op read "op://DevOps Secrets/Production Database/password")
export API_KEY=$(op read "op://DevOps Secrets/Stripe API Key/credential")

# Secret reference format: op://vault/item/field

# Inject secrets into a command
op run --env-file=.env -- ./start-server.sh

# .env file with references
# DATABASE_URL=op://DevOps Secrets/Production Database/url
# API_KEY=op://DevOps Secrets/Stripe API Key/credential
# SMTP_PASSWORD=op://DevOps Secrets/Email Service/password
```
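An added example, not part of the original cheat sheet or of 1Password's tooling: a POSIX shell check for an env file meant for `op run --env-file`, which reports entries that hold a literal value instead of a secret reference and references that do not match the `op://vault/item/field` shape. The names `check_env_refs` and `write_sample_env` are made up here, and the sample entries are constructed.

```shell
# Added example: lint an env file before handing it to `op run --env-file`.

check_env_refs() (
  bad=0 n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case $line in
      ''|'#'*) continue ;;                       # blank line or comment
      *=*) ;;
      *) echo "$n: not a KEY=VALUE line"; bad=$((bad + 1)); continue ;;
    esac
    key=${line%%=*}
    val=${line#*=}
    val=${val#\"}; val=${val%\"}                 # drop one pair of double quotes
    case $val in
      op://*) ref=${val#op://} ;;
      *) echo "$n: $key holds a literal value, not an op:// reference"
         bad=$((bad + 1)); continue ;;           # the value itself is never printed
    esac
    # Valid shapes: vault/item/field, or vault/item/section/field (the
    # section form is 1Password syntax that the page does not show).
    case $ref in
      /*|*/|*//*|*/*/*/*/*) ok=0 ;;              # empty segment or too many
      */*/*) ok=1 ;;
      *) ok=0 ;;                                 # fewer than three segments
    esac
    if [ "$ok" -eq 0 ]; then
      echo "$n: $key has a malformed reference: $val"
      bad=$((bad + 1))
    fi
  done < "$1"
  [ "$bad" -eq 0 ]                               # exit status 0 only when clean
)

# Constructed sample input; names and values are made up for the demo.
write_sample_env() {
  cat > "$1" <<'EOF'
# constructed sample
DATABASE_URL=op://DevOps Secrets/Production Database/url
API_KEY="op://DevOps Secrets/Stripe API Key/credential"
SMTP_PASSWORD=hunter2-literal
TOKEN=op://DevOps Secrets/Stripe API Key
CERT=op://DevOps Secrets/TLS/files/cert.pem
EOF
}

sample=$(mktemp); write_sample_env "$sample"
check_env_refs "$sample" || echo "fix the entries above before running op run"
rm -f "$sample"
```

Run as a pre-commit or CI step, a non-zero exit status stops an env file with plaintext values from being committed alongside the references.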
SSH Agent
```bash
# Enable SSH agent in ~/.ssh/config
# Host *
#   IdentityAgent "~/.1password/agent.sock"

# Add SSH key to 1Password (the key pair is generated by the CLI)
op item create \
  --category "SSH Key" \
  --title "GitHub Deploy Key" \
  --vault "DevOps Secrets" \
  --ssh-generate-key ed25519

# List SSH keys
op item list --categories "SSH Key"

# Get public key
op item get "GitHub Deploy Key" --fields "public key"
```
Service Accounts
```bash
# Create service account (via web UI or API)
# Then use the token
export OP_SERVICE_ACCOUNT_TOKEN="ops_eyJhbG..."

# Service accounts can:
op vault list
op item get "Production Database" --vault "DevOps Secrets"
op read "op://DevOps Secrets/Production Database/password"
```
1Password Connect
```yaml
# docker-compose.yml
services:
  connect-api:
    image: 1password/connect-api:latest
    ports:
      - "8080:8080"
    volumes:
      - ./1password-credentials.json:/home/opuser/.op/1password-credentials.json
      - data:/home/opuser/.op/data
    environment:
      - OP_CONNECT_TOKEN
  connect-sync:
    image: 1password/connect-sync:latest
    volumes:
      - ./1password-credentials.json:/home/opuser/.op/1password-credentials.json
      - data:/home/opuser/.op/data
volumes:
  data:
```

```bash
# Use Connect API
curl -H "Authorization: Bearer $OP_CONNECT_TOKEN" \
  http://localhost:8080/v1/vaults
curl -H "Authorization: Bearer $OP_CONNECT_TOKEN" \
  http://localhost:8080/v1/vaults/VAULT_ID/items
curl -H "Authorization: Bearer $OP_CONNECT_TOKEN" \
  http://localhost:8080/v1/vaults/VAULT_ID/items/ITEM_ID
```
CI/CD Integration
GitHub Actions
```yaml
name: Deploy
on: [push]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: 1password/load-secrets-action@v2
        with:
          export-env: true
        env:
          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
          DB_PASSWORD: op://DevOps/Production DB/password
          API_KEY: op://DevOps/API Service/credential
      - run: ./deploy.sh
```
Docker / Kubernetes
```bash
# Inject secrets at container runtime
op run --env-file=.env -- docker run myapp

# Kubernetes External Secrets Operator
# Use 1Password Connect as a secrets backend
```
Advanced Usage
Document Management
```bash
# Upload a document
op document create ./certificate.pem \
  --title "TLS Certificate" \
  --vault "DevOps Secrets"

# Download a document
op document get "TLS Certificate" --out-file ./cert.pem

# List documents
op document list
```
Password Generation
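```bash
# Generate password (a dry run prints the item without saving it; --category is required)
op item create --category password --generate-password=24,letters,digits,symbols --dry-run

# Generate in script: read the generated value from the dry-run JSON (needs jq)
PASSWORD=$(op item create --category password --generate-password=32,letters,digits,symbols \
  --dry-run --format json | jq -r '.fields[] | select(.id == "password") | .value')

# Passphrase: the CLI has no `op generate` command, and the --generate-password
# recipe takes only letters, digits, symbols and a length, not a word list
```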
Events and Audit
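```bash
# The CLI has no `op events list`; it issues an Events API token and events are fetched over HTTPS
op events-api create "Audit export" --features signinattempts,itemusages --expires-in 24h
export EVENTS_API_TOKEN="..."   # token issued by the command above; host below is for 1password.com accounts
# List sign-in events
curl -s -X POST https://events.1password.com/api/v1/signinattempts -H "Authorization: Bearer $EVENTS_API_TOKEN" -H "Content-Type: application/json" -d '{"limit": 50}'
# List item usage events
curl -s -X POST https://events.1password.com/api/v1/itemusages -H "Authorization: Bearer $EVENTS_API_TOKEN" -H "Content-Type: application/json" -d '{"limit": 20}'
```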
Configuration
```bash
# Environment variables
export OP_SERVICE_ACCOUNT_TOKEN="ops_..."
export OP_CONNECT_HOST="http://localhost:8080"
export OP_CONNECT_TOKEN="eyJhb..."

# Configure default vault
op vault list  # Find vault ID
# Use --vault flag or reference in op:// URIs
```
Troubleshooting
| Issue | Solution |
|---|---|
| not signed in | Run eval $(op signin) or set OP_SERVICE_ACCOUNT_TOKEN |
| Session expired | Re-authenticate; sessions expire after 30 minutes |
| Item not found | Check vault name/ID; use op item list to verify |
| Permission denied | Verify vault access for your account or service account |
| SSH agent not working | Check IdentityAgent path in SSH config; restart 1Password |
| Connect API 401 | Verify Connect token; check credentials file is mounted |
| Secret reference fails | Verify format: op://vault-name/item-name/field-name |
| CLI slow on first run | First run downloads data; subsequent runs use local cache |