Published on

Using 1Password to Manage Environmental Variables


Recently, I was working on automating my personal finance workflows, like logging into my bank accounts and doing screen scraping of recent transactions, and paying bills (why not let the robot do it 😅)

For that, I needed to have access to my bank or credit card details within my app.

We all know that we can't use plain environmental variables or even store them locally with .gitignore, since those informations are very critial.

That's where 1Password comes in.

If you're already using 1Password, why not use it for your private environmental variables as well?

You get all the benefits of 1Password without compromising your developer experience.

Here's how to do it:

Step 0: Install 1Password CLI & Sign In

We'll be using 1Password CLI under the hood to get your credentials from 1Password. In Mac, you can install it using

brew install --cask 1password/tap/1password-cli

To verify if it's properly installed, run:

op --version

If you're on other operation systems, you can refer to the docs on how to install

Once the installation is done, you need to enable Connect with 1Password CLI in the preferences.

Step 1: Referencing 1Password Item Secrets in Your Env Variables

The secret references will follow this format:

export EXAMPLE="op://vault/item/[section/]field"

Let's take an example use case in which we'll need our bank credentials from 1Password. In that case, we'll need to have something like this in our env variable, whether it's in a bash/zsh file or a .env file locally:

export ABC_BANK_USER_NAME="op://Personal/ABC_BANK/username"
export ABC_BANK_PASSWORD="op://Personal/ABC_BANK/password"

In the above case, my vault name is "Personal" and the item name is "ABC_BANK". But realistically, we might have item names with spaces or some characters in them. It's better to use the item id instead.

You'll need to enable Show debugging tools in the 1Password preferences:

Now you can easily copy the item id from your 1Password item:

Step 2: Injecting you real secret

At runtime, secret references will be replaced with the actual secrets that you have in 1Password.

To do that, you'll need to use op run and pass it to the application that you're running.

Using Export Environment Variables Directly

In our above example, we were using simple export of environment variables. In that case, we'll need to run op run -- with our command for starting the app:

op run -- example_cli

Using environment (.env) files

This is similar. We'll need to pass the --env-file flag

op run --env-file="./.env" -- aws


Happy secure secrets!