1password-skill_skill

This skill guides secure use of 1Password for secrets management, including op CLI, Developer Environments, service accounts, and Kubernetes integration.
  • Python

16

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill julianobarbosa/claude-code-skills --skill 1password-skill

  • SKILL.md28.0 KB

Overview

This skill guides implementation of 1Password for secrets management across local development, CI/CD, and Kubernetes. It covers op CLI usage, service accounts for automation, Developer Environments for project variables, Python SDK patterns, and Kubernetes integrations. The content focuses on concrete commands, workflows, and integration patterns you can apply immediately.

How this skill works

It explains how to authenticate with the op CLI, read and inject secrets (op read, op run, op inject), manage items and vaults, and create service accounts that use OP_SERVICE_ACCOUNT_TOKEN for non-interactive automation. It also documents Developer Environments tooling (TypeScript/Bun and Python SDK) for storing environment variables and patterns to export templates, inject into processes, and resolve secrets at runtime with a SecretsManager. Kubernetes integration options include the 1Password Operator and External Secrets Operator.

When to use it

  • Retrieving secrets for local development or CI pipelines using op read, op run, or op inject
  • Automating CI/CD deployments with service accounts and OP_SERVICE_ACCOUNT_TOKEN
  • Managing project environment variables centrally using Developer Environments
  • Syncing secrets into Kubernetes using External Secrets Operator or native 1Password Operator
  • Resolving secrets at runtime inside Python apps with the Python SDK SecretsManager

Best practices

  • Use service accounts for automation and store the token in your platform's secret store (never in repo)
  • Prefer Developer Environments for project-wide environment variables and export op:// reference templates for injection
  • Use op run --env-file for ephemeral injection instead of persisting secrets to disk when possible
  • Choose the Python SDK for Python apps to avoid subprocess overhead and enable async batch resolution
  • Limit service account scope to required vault permissions and track created accounts

Example use cases

  • Local dev: export an op:// .env.tpl and run op run --env-file .env.tpl -- python app.py to inject secrets
  • CI/CD: create a service account, set OP_SERVICE_ACCOUNT_TOKEN in the runner, and use load-secrets-action to populate env vars
  • Kubernetes: sync vault items to cluster secrets using External Secrets Operator or install the 1Password Kubernetes Operator
  • Runtime secret resolution: use SecretsManager.get_many() in a FastAPI app to fetch and cache multiple secrets efficiently
  • Environment management: create, update, export, and delete Developer Environments with the provided CLI tools to standardize configs

FAQ

Use the Python SDK for native async calls inside Python applications, batch resolution with resolve_all(), and to avoid spawning subprocesses. Use the op CLI for shell scripts, ad-hoc tasks, or TypeScript/Bun tools.

How do I avoid exposing secrets in CI logs?

Use op run or the 1Password load-secrets action to inject secrets as environment variables and mark secrets as masked in CI. Never print secret values to logs and avoid checking generated .env files into version control.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational