How to Load Secrets From a 1Password Service Account in GitHub Actions
1password/load-secrets-action resolves op:// references with a service account token and exports them as masked env vars.
Set OP_SERVICE_ACCOUNT_TOKEN, then use 1password/load-secrets-action with export-env: true. Map each env var to an op://vault/item/field reference.
Steps
- Create a 1Password service account and store its token as a repo secret.
- Add
1password/load-secrets-actionwithexport-env: true. - Set each env var to an
op://<vault>/<item>/<field>reference. - Read the resolved env vars (masked) in later steps.
Workflow
.github/workflows/ci.yml
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: 1password/load-secrets-action@v2
with:
export-env: true
env:
OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
DB_PASSWORD: op://ci/database/password
- run: ./deploy.sh # $DB_PASSWORD is set and maskedGotchas
- The service account must have read access to the referenced vault, or the lookup fails.
- Use
unset-previous: trueto clear injected env vars after the dependent steps run.
Related guides
How to Inject Secrets With the Doppler CLI in GitHub ActionsPull secrets from Doppler into a GitHub Actions job using the Doppler CLI and a service token, downloading th…
How to Pull HashiCorp Vault Secrets With vault-action in GitHub ActionsFetch secrets from HashiCorp Vault in a GitHub Actions job using hashicorp/vault-action, mapping KV v2 paths…