Skip to main content

USE 1PASSWORD

Prerequisites

  • 1Password CLI installed and in PATH
  • Authenticated via one of:
    • Service account: export OP_SERVICE_ACCOUNT_TOKEN=<token>
    • Desktop app: enable CLI integration in 1Password settings
    • Connect Server: export OP_CONNECT_HOST=<url> and export OP_CONNECT_TOKEN=<token>

Pull the Extension

swamp extension pull @swamp/1password

Create the Vault

swamp vault create @swamp/1password my-1password-vault \
    --config '{"op_vault": "Private"}'

The op_vault value is the name of the 1Password vault to store secrets in.

Store Secrets

swamp vault put my-1password-vault api-key sk-live-abc123
swamp vault put my-1password-vault db-password s3cret-p4ss

Secret key formats:

  • item-name — reads the password field of the named item
  • item-name/field — reads a specific field
  • op://vault/item/field — full 1Password URI (passthrough)

Annotate Secrets (Optional)

If the provider version supports annotations, attach provenance metadata to stored secrets.

swamp vault annotate my-1password-vault api-key \
    --url https://my-team.1password.com/vaults/abc123/allitems/def456 \
    --notes "Shared API key for CI" \
    --label env=ci --label team=platform

Only the fields you specify are updated. To add a label without changing the URL or notes:

swamp vault annotate my-1password-vault api-key --label owner=ops

To remove a label:

swamp vault annotate my-1password-vault api-key --remove-label owner

To remove all annotations from a secret:

swamp vault annotate my-1password-vault api-key --clear

Inspect Annotations

swamp vault inspect my-1password-vault api-key
INF vault·inspect Annotation for "api-key" in vault "my-1password-vault":
INF vault·inspect   url: "https://my-team.1password.com/vaults/abc123/allitems/def456"
INF vault·inspect   notes: "Shared API key for CI"
INF vault·inspect   label: "env"="ci"
INF vault·inspect   label: "team"="platform"
INF vault·inspect   updated: "2026-05-23T02:04:58.668Z"

Use --json for structured output.

Reference Secrets in Models

globalArguments:
  api_key: "${{ vault.get('my-1password-vault', 'api-key') }}"

See the Vaults reference for CEL integration, environment variable mounting, and the full CLI command reference.

← PreviousUse Azure Key VaultNext →Migrate a Vault