{"id":18454333,"url":"https://github.com/1password/secrets-orb","last_synced_at":"2025-04-08T03:35:58.020Z","repository":{"id":63631334,"uuid":"542016306","full_name":"1Password/secrets-orb","owner":"1Password","description":null,"archived":false,"fork":false,"pushed_at":"2024-12-12T17:16:50.000Z","size":29,"stargazers_count":6,"open_issues_count":4,"forks_count":5,"subscribers_count":10,"default_branch":"main","last_synced_at":"2025-03-31T01:11:47.744Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/1Password.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2022-09-27T09:58:15.000Z","updated_at":"2025-03-18T17:31:02.000Z","dependencies_parsed_at":"2023-11-29T17:49:51.744Z","dependency_job_id":null,"html_url":"https://github.com/1Password/secrets-orb","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/1Password%2Fsecrets-orb","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/1Password%2Fsecrets-orb/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/1Password%2Fsecrets-orb/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/1Password%2Fsecrets-orb/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/1Password","download_url":"https://codeload.github.com/1Password/secrets-orb/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247773422,
"owners_count":20993630,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-06T08:03:48.319Z","updated_at":"2025-04-08T03:35:58.010Z","avatar_url":"https://github.com/1Password.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# 1Password Secrets Orb for CircleCI\n\n[![CircleCI Build Status](https://circleci.com/gh/1Password/secrets-orb.svg?style=shield \"CircleCI Build Status\")](https://circleci.com/gh/1Password/secrets-orb) [![CircleCI Orb Version](https://badges.circleci.com/orbs/onepassword/secrets.svg)](https://circleci.com/orbs/registry/orb/onepassword/secrets) [![GitHub License](https://img.shields.io/badge/license-MIT-lightgrey.svg)](https://raw.githubusercontent.com/1Password/secrets-orb/main/LICENSE) [![CircleCI Community](https://img.shields.io/badge/community-CircleCI%20Discuss-343434.svg)](https://discuss.circleci.com/c/ecosystem/orbs)\n\nWith the 1Password Secrets orb for CircleCI, you can load secrets from 1Password into CircleCI CI/CD pipelines and sync them automatically. 
Using this orb removes the risk of exposing plaintext secrets in code.\n\nYou can use the orb with [1Password Connect Server](https://developer.1password.com/docs/connect) or a [1Password Service Account](https://developer.1password.com/docs/service-accounts).\n\nThis orb is officially supported and maintained by 1Password, but community contributions are welcome.\n\nRead more on the [1Password Developer Portal](https://developer.1password.com/ci-cd/circle-ci).\n\n## Requirements\n\nBefore you get started, if you want to use Connect, you'll need to:\n\n- [Set up a Secrets Automation workflow](https://developer.1password.com/docs/connect/get-started#step-1-set-up-a-secrets-automation-workflow).\n- [Deploy 1Password Connect](https://developer.1password.com/docs/connect/get-started#step-2-deploy-1password-connect-server) in your infrastructure.\n- On the [CircleCI settings page](https://circleci.com/docs/settings/), set the `OP_CONNECT_HOST` and `OP_CONNECT_TOKEN` environment variables to your Connect instance's credentials so that it'll be used to load secrets.\n\nIf you want to use Service Accounts, you'll need to:\n\n- [Create a service account.](https://developer.1password.com//docs/service-accounts/)\n- On the [CircleCI settings page](https://circleci.com/docs/settings/), set the `OP_SERVICE_ACCOUNT_TOKEN` environment variable to your service account's credentials so that it'll be used to load secrets.\n\n**NOTE:** If either `OP_CONNECT_HOST` or `OP_CONNECT_TOKEN` environment variables have been set alongside `OP_SERVICE_ACCOUNT_TOKEN`, the Connect credentials will take precedence over the provided service account token. You must unset the Connect environment variables to ensure the action uses the service account token.\n\n## Usage examples\n\n### Install 1Password CLI within a Circle CI job\n\n1Password CLI needs to be available to the pipeline for the orb to function. 
You can install the CLI as the first step of a CircleCI job using the `1password/install-cli` command. Once installed, you can use 1Password CLI commands in subsequent steps in the pipeline.\n\n```yaml\nversion: 2.1\norbs:\n  1password: onepassword/secrets@1.0.0\n\njobs:\n  deploy:\n    machine:\n      image: ubuntu-2204:current\n    steps:\n      - 1password/install-cli\n      - checkout\n      - run:\n          shell: op run -- /bin/bash\n          environment:\n            AWS_ACCESS_KEY_ID: op://company/app/aws/access_key_id\n            AWS_SECRET_ACCESS_KEY: op://company/app/aws/secret_access_key\n          command: |\n            echo \"This value will be masked: $AWS_ACCESS_KEY_ID\"\n            echo \"This value will be masked: $AWS_SECRET_ACCESS_KEY\"\n            ./deploy-my-app.sh\n\nworkflows:\n  deploy:\n    jobs:\n      - deploy\n```\n\nIf you want to use the orb with a [1Password Service Account](https://developer.1password.com/docs/service-accounts/), specify the 1Password CLI version (`2.18.0` or later).\n\n```yaml\nversion: 2.1\norbs:\n  1password: onepassword/secrets@1.0.0\n\njobs:\n  deploy:\n    machine:\n      image: ubuntu-2204:current\n    steps:\n      - 1password/install-cli:\n          version: 2.18.0\n      - checkout\n      - run:\n          shell: op run -- /bin/bash\n          environment:\n            AWS_ACCESS_KEY_ID: op://company/app/aws/access_key_id\n            AWS_SECRET_ACCESS_KEY: op://company/app/aws/secret_access_key\n          command: |\n            echo \"This value will be masked: $AWS_ACCESS_KEY_ID\"\n            echo \"This value will be masked: $AWS_SECRET_ACCESS_KEY\"\n            ./deploy-my-app.sh\n\nworkflows:\n  deploy:\n    jobs:\n      - deploy\n```\n\n\u003cdetails\u003e\n    \u003csummary\u003eAnother example, with Docker\u003c/summary\u003e\n\n```yaml\ndescription: \u003e\n  Install 1Password CLI within a job and make it useable for all the commands following the installation.\nusage:\n  version: 2.1\n  
orbs:\n    1password: onepassword/secrets@1.0.0\n  jobs:\n    deploy:\n      machine:\n        image: ubuntu-2204:current\n      steps:\n        - 1password/install-cli\n        - checkout\n        - run: |\n            docker login -u $(op read op://company/docker/username) -p $(op read op://company/docker/password)\n            docker build -t company/app:${CIRCLE_SHA1:0:7} .\n            docker push company/app:${CIRCLE_SHA1:0:7}\n  workflows:\n    deploy:\n      jobs:\n        - deploy\n```\n\n\u003c/details\u003e\n\n### Load secrets with the `1password/exec` command\n\nFirst, install 1Password CLI with `1password/install-cli`. Then use the `1password/exec` command to load secrets on demand and execute commands requiring secrets. Sensitive values that may be accidentally logged will be masked. After adding the `1password/exec` command as a step in your job, you can execute commands that require secrets.\n\n```yaml\nversion: 2.1\norbs:\n  1password: onepassword/secrets@1.0.0\n\njobs:\n  deploy:\n    machine:\n      image: ubuntu-2204:current\n    environment:\n      AWS_ACCESS_KEY_ID: op://company/app/aws/access_key_id\n      AWS_SECRET_ACCESS_KEY: op://company/app/aws/secret_access_key\n    steps:\n      - checkout\n      - 1password/install-cli\n      - 1password/exec:\n          command: |\n            echo \"This value will be masked: $AWS_ACCESS_KEY_ID\"\n            echo \"This value will be masked: $AWS_SECRET_ACCESS_KEY\"\n            ./deploy-my-app.sh\nworkflows:\n  deploy:\n    jobs:\n      - deploy\n```\n\n### Load secrets with the `1password/export` command\n\nYou can use `1password/export` to resolve variables at the job level.\n\nFirst, install 1Password CLI with `1password/install-cli`. Then use the `1password/export` command to load the secrets with references exported in the environment. 
The secrets will then be available to subsequent steps of the job.\n\n_Note: Unlike `1password/exec`, the export command does not mask the secret values from the logs._\n\n```yaml\nversion: 2.1\norbs:\n  1password: onepassword/secrets@1.0.0\n\njobs:\n  deploy:\n    machine:\n      image: ubuntu-2204:current\n    steps:\n      - checkout\n      - 1password/install-cli\n      - 1password/export:\n          var-name: AWS_ACCESS_KEY_ID\n          secret-reference: op://company/app/aws/access_key_id\n      - 1password/export:\n          var-name: AWS_SECRET_ACCESS_KEY\n          secret-reference: op://company/app/aws/secret_access_key\n      - run:\n          command: |\n            echo \"This value will not be masked: $AWS_ACCESS_KEY_ID\"\n            echo \"This value will not be masked: $AWS_SECRET_ACCESS_KEY\"\n            ./deploy-my-app.sh\nworkflows:\n  deploy:\n    jobs:\n      - deploy\n```\n\n## Including the orb in your project\n\nTo include a specific version of the orb, add the following in your `config.yml` file (replace `1.0.0` with the desired version number):\n\n```yaml\norbs:\n  1password: onepassword/secrets@1.0.0\n```\n\nTo include the _latest_ version of 1Password Secrets orb in your project, add the following:\n\n```yaml\norbs:\n  1password: onepassword/secrets@volatile\n```\n\n## Masking\n\nWhen using either the `1password/exec` orb command or the [`op run`](https://developer.1password.com/docs/cli/reference/commands/run) shell wrapper, all secrets are automatically masked from the CI log output. If secrets accidentally get logged, they will be replaced with `\u003cconcealed by 1Password\u003e`.\n\nIf you use the `1password/export` command, secrets aren't masked.\n\n## Resources\n\n- [1Password Secrets orb CircleCI registry page](https://circleci.com/orbs/registry/orb/onepassword/secrets). 
This official registry page contains information on all versions and commands.\n- Learn more about using [CircleCI orbs](https://circleci.com/docs/orb-intro/).\n\n## How to Contribute\n\nWe welcome creating [issues](https://github.com/1Password/secrets-orb/issues) in and [pull requests](https://github.com/1Password/secrets-orb/pulls) against the `secrets-orb` repository!\n\n## Security\n\n1Password requests you practice responsible disclosure if you discover a vulnerability.\n\nPlease file requests by sending an email to bugbounty@agilebits.com.\n\n## Getting help\n\nIf you find yourself stuck, visit our [**Support Page**](https://developer.1password.com/ci-cd) for help.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F1password%2Fsecrets-orb","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F1password%2Fsecrets-orb","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F1password%2Fsecrets-orb/lists"}