op read: Fetch a 1Password Secret by Reference
op read takes a 1Password secret reference like op://vault/item/field and prints the resolved secret value to stdout.
The 1Password CLI (op) turns vault items into script-consumable values. op read is the single-value primitive; in CI you authenticate with a service account token, not an interactive login.
What it does
op read resolves a single secret reference of the form op://<vault>/<item>/<field> to its plaintext value and writes it to stdout. It is the building block behind op inject and op run.
Common usage
export OP_SERVICE_ACCOUNT_TOKEN=ops_...
op read "op://CI/deploy-key/password"
# write a file field to disk
op read "op://CI/tls/certificate" --out-file cert.pemOptions
| Flag | What it does |
|---|---|
| <reference> | Secret reference op://vault/item/field |
| --out-file <path> | Write the value to a file instead of stdout |
| --no-newline | Do not append a trailing newline |
| --account <account> | Select which account to use |
| OP_SERVICE_ACCOUNT_TOKEN | Env var holding the service account token for non-interactive auth |
In CI
Set OP_SERVICE_ACCOUNT_TOKEN from a repository secret so op runs without an interactive session. Prefer op run or op inject over capturing values into shell variables, and never echo the output; pipe it straight into the file or tool that needs it and mask it in logs.
Common errors in CI
"[ERROR] authorization prompt dismissed, please try again" or "authorization ... required" appears when no service account token is set and no interactive session exists; export OP_SERVICE_ACCOUNT_TOKEN. "you are not currently signed in" means the same. "could not read secret 'op://...': isn't a valid secret reference" means a malformed op:// path or a field name that does not exist on the item.