1. Resources
  2. /
  3. Plugins
  4. /
  5. 1password-secrets-buildkite-plugin

1Password Secrets Buildkite Plugin

A Buildkite Plugin to read secrets from 1Password using the 1Password CLI.

It uses 1Password Connect Server and requires the host details and an access token to access the instance.

Example

steps:
  - command: 'echo \$SECRET_A'
    plugins:
      - tapendium/1password-secrets#v2.3.0:
          connect_host: http://secrets.services.local
          connect_token: arn:aws:secretsmanager:aws-region:1234567890:secret:api-token-secret-name
          env:
            SECRET_A: "op://<vault>/<item>[/<section>]/<field>"
            SECRET_B: "op://production/database/password"

Setting Connect Server host details and API token via environment variables

Connect Server host OP_CONNECT_HOST and/or API token OP_CONNECT_TOKEN may be set directly as environment variables

steps:
  - command: 'echo \$SECRET_A'
    plugins:
      - tapendium/1password-secrets#v2.3.0:
          env:
            SECRET_A: "op://<vault>/<item>[/<section>]/<field>"
            SECRET_B: "op://production/database/password"

Injecting secrets into files

Secrets can be injected directly into files which include secret references.

steps:
  - command: 'echo \$SECRET_A'
    plugins:
      - tapendium/1password-secrets#v2.3.0:
          file:
            - path: fileWithSecretReferences

Injecting secrets into files with specified output file

Secrets can be injected into a template file containing secret references and written to a specified output file.

steps:
  - command: 'echo \$SECRET_A'
    plugins:
      - tapendium/1password-secrets#v2.3.0:
          file:
            - path: fileWithSecretReferences
              out: outputFileWithResolvedSecrets

Developing

To run the tests:

docker-compose run --rm tests

License

MIT

The plugins listed on this webpage are provided for informational purposes only. They have not undergone any formal security review or assessment. While we strive to provide useful resources, we cannot guarantee the safety, reliability, or integrity of these plugins. Users are strongly advised to conduct their own security evaluations before downloading, installing, or using any plugin. By using these plugins, you acknowledge and accept any risks associated with their use. We disclaim any liability for any harm or damages arising from the use of the plugins listed.

Start turning complexity into an advantage

Create an account to get started with a 30-day free trial. No credit card required.

Buildkite Pipelines

Platform

  1. Pipelines
  2. Pipeline templates
  3. Public pipelines
  4. Test Engine
  5. Package Registries
  6. Mobile Delivery Cloud
  7. Pricing

Hosting options

  1. Self-hosted agents
  2. Mac hosted agents
  3. Linux hosted agents

Resources

  1. Docs
  2. Blog
  3. Changelog
  4. Webinars
  5. Plugins
  6. Case studies
  7. Events
  8. Migration Services
  9. Comparisons

Company

  1. About
  2. Careers
  3. Press
  4. Brand assets
  5. Contact

Solutions

  1. Replace Jenkins
  2. Workflows for AI/ML
  3. Testing at scale
  4. Monorepo mojo
  5. Bazel orchestration

Legal

  1. Terms of Service
  2. Acceptable Use Policy
  3. Privacy Policy
  4. Subprocessors
  5. Service Level Agreement

Support

  1. System status
  2. Forum
© Buildkite Pty Ltd 2025