Skip to content
Latchkey

op read: Fetch a 1Password Secret by Reference

op read takes a 1Password secret reference like op://vault/item/field and prints the resolved secret value to stdout.

The 1Password CLI (op) turns vault items into script-consumable values. op read is the single-value primitive; in CI you authenticate with a service account token, not an interactive login.

What it does

op read resolves a single secret reference of the form op://<vault>/<item>/<field> to its plaintext value and writes it to stdout. It is the building block behind op inject and op run.

Common usage

Terminal
export OP_SERVICE_ACCOUNT_TOKEN=ops_...
op read "op://CI/deploy-key/password"
# write a file field to disk
op read "op://CI/tls/certificate" --out-file cert.pem

Options

FlagWhat it does
<reference>Secret reference op://vault/item/field
--out-file <path>Write the value to a file instead of stdout
--no-newlineDo not append a trailing newline
--account <account>Select which account to use
OP_SERVICE_ACCOUNT_TOKENEnv var holding the service account token for non-interactive auth

In CI

Set OP_SERVICE_ACCOUNT_TOKEN from a repository secret so op runs without an interactive session. Prefer op run or op inject over capturing values into shell variables, and never echo the output; pipe it straight into the file or tool that needs it and mask it in logs.

Common errors in CI

"[ERROR] authorization prompt dismissed, please try again" or "authorization ... required" appears when no service account token is set and no interactive session exists; export OP_SERVICE_ACCOUNT_TOKEN. "you are not currently signed in" means the same. "could not read secret 'op://...': isn't a valid secret reference" means a malformed op:// path or a field name that does not exist on the item.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →