Skip to content
Latchkey

op inject: Render Templates with 1Password Secrets

op inject reads a template containing op:// references and writes it back with each reference replaced by the resolved secret.

Where op run injects into a process environment, op inject fills in a config file or manifest. It is handy for rendering .env, kubeconfig, or app config from a checked-in template.

What it does

op inject scans its input for op://<vault>/<item>/<field> references and replaces each with the resolved secret value, writing the rendered result to stdout or a file. The template with references is safe to commit; the rendered output is not.

Common usage

Terminal
export OP_SERVICE_ACCOUNT_TOKEN=ops_...
op inject -i config.tpl -o config.yaml
# render to stdout and pipe onward
op inject -i .env.tpl | docker compose --env-file /dev/stdin up

Options

FlagWhat it does
-i, --in-file <path>Template file to read (default stdin)
-o, --out-file <path>Where to write the rendered output (default stdout)
-f, --forceOverwrite the output file without prompting
--account <account>Select which account to use
OP_SERVICE_ACCOUNT_TOKENService account token for non-interactive auth

In CI

Add -f so the render does not hang on an overwrite prompt when the output file already exists. Write the rendered file into a temp path outside the repo checkout and clean it up after use so plaintext is not accidentally committed or cached.

Common errors in CI

"you are not currently signed in" means OP_SERVICE_ACCOUNT_TOKEN is missing. "isn't a valid secret reference" means a malformed op:// token in the template. If op inject prompts and stalls, the output file exists and -f was not passed.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →