op inject: Render Templates with 1Password Secrets
op inject reads a template containing op:// references and writes it back with each reference replaced by the resolved secret.
Where op run injects into a process environment, op inject fills in a config file or manifest. It is handy for rendering .env, kubeconfig, or app config from a checked-in template.
What it does
op inject scans its input for op://<vault>/<item>/<field> references and replaces each with the resolved secret value, writing the rendered result to stdout or a file. The template with references is safe to commit; the rendered output is not.
Common usage
export OP_SERVICE_ACCOUNT_TOKEN=ops_...
op inject -i config.tpl -o config.yaml
# render to stdout and pipe onward
op inject -i .env.tpl | docker compose --env-file /dev/stdin upOptions
| Flag | What it does |
|---|---|
| -i, --in-file <path> | Template file to read (default stdin) |
| -o, --out-file <path> | Where to write the rendered output (default stdout) |
| -f, --force | Overwrite the output file without prompting |
| --account <account> | Select which account to use |
| OP_SERVICE_ACCOUNT_TOKEN | Service account token for non-interactive auth |
In CI
Add -f so the render does not hang on an overwrite prompt when the output file already exists. Write the rendered file into a temp path outside the repo checkout and clean it up after use so plaintext is not accidentally committed or cached.
Common errors in CI
"you are not currently signed in" means OP_SERVICE_ACCOUNT_TOKEN is missing. "isn't a valid secret reference" means a malformed op:// token in the template. If op inject prompts and stalls, the output file exists and -f was not passed.