Skip to content
Latchkey

How to Load Secrets From a 1Password Service Account in GitHub Actions

1password/load-secrets-action resolves op:// references with a service account token and exports them as masked env vars.

Set OP_SERVICE_ACCOUNT_TOKEN, then use 1password/load-secrets-action with export-env: true. Map each env var to an op://vault/item/field reference.

Steps

  • Create a 1Password service account and store its token as a repo secret.
  • Add 1password/load-secrets-action with export-env: true.
  • Set each env var to an op://<vault>/<item>/<field> reference.
  • Read the resolved env vars (masked) in later steps.

Workflow

.github/workflows/ci.yml
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: 1password/load-secrets-action@v2
        with:
          export-env: true
        env:
          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
          DB_PASSWORD: op://ci/database/password
      - run: ./deploy.sh   # $DB_PASSWORD is set and masked

Gotchas

  • The service account must have read access to the referenced vault, or the lookup fails.
  • Use unset-previous: true to clear injected env vars after the dependent steps run.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →