op run: Inject 1Password Secrets into a Command
op run loads an env file whose values are op:// references, resolves them, and executes the given command with the secrets in its environment.
op run is the recommended way to feed 1Password secrets to a process in CI: the env file holds references (safe to commit), and op resolves them at runtime into the child process only.
What it does
op run reads an env file where values are secret references, resolves each op:// reference, and runs the subcommand after -- with those variables exported into its environment. The plaintext lives only in the child process, never on disk.
Common usage
# .env contains: DB_PASSWORD=op://CI/db/password
export OP_SERVICE_ACCOUNT_TOKEN=ops_...
op run --env-file .env -- ./deploy.sh
op run --env-file .env -- npm run migrateOptions
| Flag | What it does |
|---|---|
| --env-file <path> | Env file whose values may be op:// references |
| --no-masking | Do not mask resolved secrets in the child stdout/stderr |
| --account <account> | Select which account to use |
| -- <command> | The command to run with secrets injected |
| OP_SERVICE_ACCOUNT_TOKEN | Service account token for non-interactive auth |
In CI
Commit the env file of references, not the secrets. op run masks resolved secrets in the child output by default; keep that on in CI so values do not leak into logs. Authenticate with OP_SERVICE_ACCOUNT_TOKEN rather than op signin.
Common errors in CI
"you are not currently signed in" or "authorization ... required" means OP_SERVICE_ACCOUNT_TOKEN is unset. "error resolving secret reference ... isn't a valid secret reference" means a bad op:// path in the env file. If the child sees an empty value, the referenced field name is wrong or the service account lacks access to that vault.