Managing Secrets with 1Password CLI
While using a .env file or exporting environment variables is convenient for initial testing, the recommended best practice for managing sensitive data like private keys and API tokens is to use a dedicated secrets manager.
This guide explains how to use 1Password CLI to securely inject secrets into your workflow's environment at runtime, ensuring your secrets are never stored in plaintext on your filesystem.
Prerequisites
Before you begin, ensure you have:
- Installed 1Password CLI: Follow the 1Password CLI installation guide.
- Stored Your Secret in 1Password: Save the secret you need (e.g., your CRE_ETH_PRIVATE_KEY) in a vault that your 1Password CLI is configured to access.
Step 1: Get the secret reference
A secret reference is a unique URI that points to a specific field in an item in your 1Password vault.
- Open the 1Password desktop app.
- Find the item containing your secret.
- Right-click on the specific field (e.g., the private key field).
- Select Copy Secret Reference.
Your clipboard will now contain a reference, which is a safe, non-secret string that looks like this: op://<vault-name>/<item-name>/<field-name>
Step 2: Use the secret reference in your .env file
Open your project's .env file and replace the plaintext secret with the secret reference you just copied.
Before:
# .env
CRE_ETH_PRIVATE_KEY=0x123...abc
After:
# .env
CRE_ETH_PRIVATE_KEY="op://Private/Sepolia-Dev-Key/private key"
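The point of Step 2 is that the .env file on disk now holds only references, never secret material. The following POSIX sh script is an added example, not part of the 1Password or CRE documentation: it scans an env file and fails if any variable whose name looks secret-bearing (the `*KEY*`, `*TOKEN*`, `*SECRET*`, `*PASSWORD*` name heuristic is an assumption of this example) holds anything other than a well-formed `op://<vault>/<item>/<field>` reference. The two sample files it writes to a temporary directory are constructed for the demonstration; the placeholder value `0x123...abc` is the one from the "Before" snippet above.

```shell
#!/bin/sh
# Added example (not from the 1Password or CRE docs): a pre-commit style check
# that every secret-looking variable in a .env file is an op:// reference
# (vault/item/field) rather than a plaintext value.

# A reference has exactly three segments after op://. The field segment may
# contain spaces (e.g. "private key"), so only '/' and quotes are excluded.
REF_RE='^op://[^/"]+/[^/"]+/[^/"]+$'

# check_env_refs FILE -> exit status 0 if clean, 1 if a plaintext secret is found.
check_env_refs() {
  file=$1
  bad=0
  # Read from a redirect (not a pipe) so that 'bad' is updated in this shell.
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      ''|'#'*) continue ;;                  # skip blank lines and comments
      *=*) ;;                               # KEY=VALUE: handled below
      *) continue ;;                        # anything else is not an assignment
    esac
    key=${line%%=*}
    value=${line#*=}
    value=${value#\"}; value=${value%\"}    # drop optional double quotes
    value=${value#\'}; value=${value%\'}    # drop optional single quotes
    case $key in
      *KEY*|*TOKEN*|*SECRET*|*PASSWORD*)    # heuristic (assumed): names that usually hold secrets
        if ! printf '%s\n' "$value" | grep -Eq "$REF_RE"; then
          printf 'plaintext secret in %s: %s\n' "$file" "$key" >&2
          bad=1
        fi ;;
    esac
  done < "$file"
  return "$bad"
}

# Constructed sample files for the demonstration.
WORKDIR=$(mktemp -d)
GOOD_ENV="$WORKDIR/good.env"
BAD_ENV="$WORKDIR/bad.env"

cat > "$GOOD_ENV" <<'EOF'
# .env (constructed sample: reference only, as in Step 2 "After")
CRE_ETH_PRIVATE_KEY="op://Private/Sepolia-Dev-Key/private key"
CRE_TARGET=staging-settings
EOF

cat > "$BAD_ENV" <<'EOF'
# .env (constructed sample: plaintext placeholder, as in Step 2 "Before")
CRE_ETH_PRIVATE_KEY=0x123...abc
EOF

if check_env_refs "$GOOD_ENV"; then
  echo "good.env: every secret is an op:// reference"
fi
if ! check_env_refs "$BAD_ENV" 2>/dev/null; then
  echo "bad.env: plaintext secret detected, refusing to commit"
fi
```

Run it as a pre-commit hook (or in CI) against the project's .env so a plaintext key can never be committed by mistake; non-secret settings such as CRE_TARGET are left alone because only secret-like names are inspected.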
Step 3: Run commands with op run
The op run command is a utility that loads the secrets from your references into the environment and then executes your command, ensuring the secrets only exist in memory for the duration of the process.
For local simulation
To run your workflow simulation, prefix your command with op run --env-file ../.env --:
op run --env-file ../.env -- cre workflow simulate my-workflow --target staging-settings
For deployed workflows
To upload secrets to the Vault DON, use the same pattern:
op run --env-file .env -- cre secrets create production-secrets.yaml --target production-settings
What's happening here?
- op run scans the .env file for any op:// references.
- It securely authenticates with 1Password to fetch the real secret values.
- It injects these values as environment variables into a new, temporary sub-shell.
- It then executes your cre command within that secure sub-shell.
- When the command finishes, the sub-shell is destroyed, and the secrets vanish from the environment.
By following this pattern, you can manage your secrets securely without ever exposing them in plaintext. For more advanced use cases, see the official 1Password CLI documentation.