
1Password SDK

1Password Secrets with SDK

1Password's developer SDKs let ESO use 1Password as a secret provider directly, without deploying any additional component: a service account token is all the provider needs. For automated processes this is a much simpler setup than running a Connect server.

Note: to use ESO with the 1Password SDK, every field label within an item must be unique. If two fields of the same item carry the same label, ESO cannot tell which one to read or update and fails with the error: found multiple labels with the same key.

Store Configuration

Each SecretStore is scoped to a single vault, so one ExternalSecret cannot potentially read ALL vaults. That scoping is enforced by ESO; grant the service account access to only the vaults it actually needs as well, so the token itself is least-privilege.

A sample store configuration looks like this:

---
apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: 1password-sdk
spec:
  provider:
    onepasswordSDK:
      vault: staging
      auth:
        serviceAccountSecretRef:
          name: onepassword-connect-token-staging
          key: token
      integrationInfo: # this is optional and defaulted
        name: integration-info
        version: v1

Client-Side Caching

Optional client-side caching reduces 1Password API calls. Configure TTL and cache size in the store:

apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: 1password-cached
spec:
  provider:
    onepasswordSDK:
      vault: production
      auth:
        serviceAccountSecretRef:
          name: op-token
          key: token
      cache:
        ttl: 5m      # Optional, default: 5m
        maxSize: 100 # Optional, default: 100

Caching applies to read operations (GetSecret, GetSecretMap). Write operations (PushSecret, DeleteSecret) automatically invalidate relevant cache entries.

Experimental

Client-side caching is an experimental feature. A secret that is rotated directly in 1Password (not through a PushSecret) keeps being served from the cache until its entry expires, so with a long TTL consumers may read out-of-date values.
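To make the stale-read window concrete, here is an added model of a store-level read cache with TTL, size limit and write invalidation. It is example code written for this page, not ESO's cache implementation; the eviction policy, the injectable clock and the in-memory backend standing in for the vault are assumptions of the example. StaleWindow walks through the warning above: an out-of-band rotation stays invisible until the TTL elapses, while a push through the cache is visible immediately.

```go
package main

import (
	"fmt"
	"time"
)

// entry is one cached read together with the time it was fetched.
type entry struct {
	value   string
	fetched time.Time
}

// SecretCache models the read cache described above: reads younger than ttl
// are served locally, writes drop the cached entry, and at most maxSize
// entries are kept. The clock is injectable so the stale window can be shown
// without sleeping. Example code, not ESO's implementation.
type SecretCache struct {
	ttl     time.Duration
	maxSize int
	now     func() time.Time
	backend map[string]string // constructed stand-in for the vault contents
	entries map[string]entry
}

func NewSecretCache(ttl time.Duration, maxSize int, backend map[string]string, now func() time.Time) *SecretCache {
	return &SecretCache{ttl: ttl, maxSize: maxSize, now: now, backend: backend, entries: map[string]entry{}}
}

// Get models GetSecret: a fresh cache entry is returned without touching the
// backend; otherwise the value is re-read from the backend and cached.
func (c *SecretCache) Get(key string) (string, bool) {
	if e, ok := c.entries[key]; ok && c.now().Sub(e.fetched) < c.ttl {
		return e.value, true
	}
	v, ok := c.backend[key]
	if !ok {
		delete(c.entries, key)
		return "", false
	}
	if _, cached := c.entries[key]; !cached && len(c.entries) >= c.maxSize {
		c.evictOldest()
	}
	c.entries[key] = entry{value: v, fetched: c.now()}
	return v, true
}

// Push models PushSecret: the write goes to the backend and invalidates the
// cached entry, so the next read sees the new value immediately.
func (c *SecretCache) Push(key, value string) {
	c.backend[key] = value
	delete(c.entries, key)
}

// Delete models DeleteSecret: the secret is removed from backend and cache.
func (c *SecretCache) Delete(key string) {
	delete(c.backend, key)
	delete(c.entries, key)
}

// RotateOutOfBand changes the backend without going through the cache, as a
// rotation done in the 1Password UI would. The cache cannot observe it.
func (c *SecretCache) RotateOutOfBand(key, value string) { c.backend[key] = value }

// Len reports how many entries are currently cached.
func (c *SecretCache) Len() int { return len(c.entries) }

// evictOldest drops the entry with the oldest fetch time.
func (c *SecretCache) evictOldest() {
	var oldest string
	first := true
	for k, e := range c.entries {
		if first || e.fetched.Before(c.entries[oldest].fetched) {
			oldest, first = k, false
		}
	}
	delete(c.entries, oldest)
}

// StaleWindow returns the value observed after an out-of-band rotation,
// after the TTL has elapsed, and after a push through the cache.
func StaleWindow(ttl time.Duration) (afterRotate, afterTTL, afterPush string) {
	clock := time.Unix(0, 0)
	c := NewSecretCache(ttl, 100, map[string]string{"db/password": "v1"}, func() time.Time { return clock })
	c.Get("db/password")                   // v1 fetched and cached at t=0
	c.RotateOutOfBand("db/password", "v2") // rotated directly in 1Password
	afterRotate, _ = c.Get("db/password")  // still v1, served from cache
	clock = clock.Add(ttl)                 // TTL elapses
	afterTTL, _ = c.Get("db/password")     // v2, entry expired and re-read
	c.Push("db/password", "v3")            // write through the cache
	afterPush, _ = c.Get("db/password")    // v3, push invalidated the entry
	return afterRotate, afterTTL, afterPush
}

func main() {
	a, b, c := StaleWindow(5 * time.Minute)
	fmt.Printf("after rotation: %s, after TTL: %s, after push: %s\n", a, b, c)
}
```

The practical consequence is that, for a secret rotated outside ESO, a pod can keep using the old value for up to the cache TTL plus the ExternalSecret's refreshInterval. Size the TTL against how quickly a revoked credential must stop being handed out, not only against API quota.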

GetSecret

Valid secret references use the key format <item>/[section/]<field>. The section component is optional.

The syntax follows 1Password's own Secret Reference Syntax documentation.

To fetch the current code of a one-time password field, use the key format <item>/[section/]one-time password?attribute=otp.

---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: fetch-from-onepassword
spec:
  secretStoreRef:
    kind: SecretStore
    name: 1password-sdk # the SecretStore defined above
  target:
    creationPolicy: Owner
  data:
    - secretKey: test-login-1
      remoteRef:
        key: test-login-1/username
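The following is an added example, not code from ESO or 1Password, covering two points made above: the remoteRef key shape <item>/[section/]<field>[?attribute=otp], and the duplicate-label condition from the note at the top of the page. It parses keys into their components, runs a pre-flight check for duplicated labels in an item, and resolves a reference against the item's fields. The Field type and sampleItem are constructed test data shaped like the test-login-1 item above, and narrowing a lookup by section is an assumption of this example (the page documents only that the section is optional and that duplicate labels are an error).

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// SecretRef is the parsed form of a remoteRef key in the shape this page
// documents: <item>/[section/]<field>[?attribute=<attr>].
type SecretRef struct {
	Item      string
	Section   string // empty when the key has no section component
	Field     string
	Attribute string // "otp" for one-time password fields; empty otherwise
}

// ParseSecretRef splits a remoteRef key into its components and rejects
// keys that do not match the documented shape.
func ParseSecretRef(key string) (SecretRef, error) {
	var ref SecretRef
	path := key
	if i := strings.IndexByte(key, '?'); i >= 0 {
		query := key[i+1:]
		path = key[:i]
		const prefix = "attribute="
		if !strings.HasPrefix(query, prefix) || len(query) == len(prefix) {
			return ref, fmt.Errorf("key %q: expected ?attribute=<name>, got %q", key, query)
		}
		ref.Attribute = query[len(prefix):]
	}
	parts := strings.Split(path, "/")
	for _, p := range parts {
		if p == "" {
			return ref, fmt.Errorf("key %q has an empty component", key)
		}
	}
	switch len(parts) {
	case 2:
		ref.Item, ref.Field = parts[0], parts[1]
	case 3:
		ref.Item, ref.Section, ref.Field = parts[0], parts[1], parts[2]
	default:
		return ref, fmt.Errorf("key %q must be <item>/[section/]<field>", key)
	}
	return ref, nil
}

// Field is a constructed stand-in for one field of a 1Password item; it is
// not the SDK's own model.
type Field struct {
	Section string // "" for fields outside any section
	Label   string
	Value   string
}

// ErrDuplicateLabel mirrors the error text the note at the top of the page cites.
var ErrDuplicateLabel = errors.New("found multiple labels with the same key")

// DuplicateLabels returns every label that occurs more than once in an item.
// Run it as a pre-flight check on items an ExternalSecret or PushSecret will
// target, instead of discovering the problem at sync time.
func DuplicateLabels(fields []Field) []string {
	count := map[string]int{}
	var dups []string
	for _, f := range fields {
		count[f.Label]++
		if count[f.Label] == 2 {
			dups = append(dups, f.Label)
		}
	}
	return dups
}

// LookupField resolves a parsed reference against an item's fields. Filtering
// by section when the key names one is an assumption of this example.
func LookupField(fields []Field, ref SecretRef) (string, error) {
	var matches []Field
	for _, f := range fields {
		if f.Label == ref.Field && (ref.Section == "" || f.Section == ref.Section) {
			matches = append(matches, f)
		}
	}
	switch len(matches) {
	case 0:
		return "", fmt.Errorf("field %q not found", ref.Field)
	case 1:
		return matches[0].Value, nil
	default:
		return "", fmt.Errorf("%w: %q", ErrDuplicateLabel, ref.Field)
	}
}

// sampleItem is constructed data; the duplicated api-key label is deliberate.
var sampleItem = []Field{
	{Label: "username", Value: "alice"},
	{Label: "password", Value: "correct horse battery staple"},
	{Section: "Section A", Label: "api-key", Value: "key-for-a"},
	{Section: "Section B", Label: "api-key", Value: "key-for-b"},
}

func main() {
	for _, key := range []string{
		"test-login-1/username",
		"test-login-1/api-key",
		"test-login-1/Section B/api-key",
		"test-login-1/one-time password?attribute=otp",
		"test-login-1",
	} {
		ref, err := ParseSecretRef(key)
		if err == nil {
			_, err = LookupField(sampleItem, ref)
		}
		if err != nil {
			fmt.Printf("%-48s -> error: %v\n", key, err)
			continue
		}
		fmt.Printf("%-48s -> resolved\n", key)
	}
	fmt.Println("duplicate labels in item:", DuplicateLabels(sampleItem))
}
```

The unqualified key test-login-1/api-key fails with the duplicate-label error even though each copy sits in a different section, which is the situation the note warns about; a reference that names the section resolves. Deduplicating labels in the item before pointing ESO at it is the robust fix.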

PushSecret

Pushing a secret is also supported. For example a push operation with the following secret:

apiVersion: v1
kind: Secret
metadata:
  name: source-secret
stringData:
  api-key: "my-api-key"
  api-url: "https://example.com/api"

Looks like this:

---
apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: pushsecret-example # customizable
spec:
  deletionPolicy: Delete
  refreshInterval: 1h0m0s
  secretStoreRefs:
    - name: 1password-sdk # the SecretStore defined above
      kind: SecretStore
  selector:
    secret:
      name: source-secret # Source Kubernetes secret
  data:
    - match:
        secretKey: api-key # Source Kubernetes secret key to be pushed
        remoteRef:
          remoteKey: 1pw-item-name     # 1Password item name
          property: password           # Field label within the 1Password item
      metadata:
        apiVersion: kubernetes.external-secrets.io/v1alpha1
        kind: PushSecretMetadata
        spec:
          tags: ["tag1", "tag2"]  # (Optional) tags on the 1Password item (item-level, not field-level)
                                  # Tags are shared across all fields of the same remoteKey — last write wins if entries differ
          fieldType: concealed    # (Optional) field type (default: concealed)
                                  # Accepted values (case-insensitive): text|string|concealed|password|url|email|phone|date|monthYear
    - match:
        secretKey: api-url
        remoteRef:
          remoteKey: 1pw-item-name     # Same 1Password item — adds a second field
          property: api-endpoint
      metadata:
        apiVersion: kubernetes.external-secrets.io/v1alpha1
        kind: PushSecretMetadata
        spec:
          fieldType: url

When the PushSecret object is removed and deletionPolicy is set to Delete, the pushed fields are removed from the 1Password item; once the last field has been deleted, the item itself is deleted as well.

To sync the entire secret into a single 1Password item, the following configuration can be used:

---
apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: pushsecret-all-keys-example # customizable
spec:
  deletionPolicy: Delete
  refreshInterval: 1h0m0s
  secretStoreRefs:
    - name: 1password-sdk # the SecretStore defined above
      kind: SecretStore
  selector:
    secret:
      name: source-secret # Source Kubernetes secret
  data:
    - match:
        remoteRef:
          remoteKey: 1pw-item-name-all-keys # 1Password item name, each Kubernetes secret key becomes a separate concealed field
      metadata:
        apiVersion: kubernetes.external-secrets.io/v1alpha1
        kind: PushSecretMetadata
        spec:
          tags: ["tag1", "tag2"]  # (Optional) tags on the 1Password item

Supported Functionality

See the 1Password SDK documentation for the functionality the SDK itself supports; the provider cannot offer operations the SDK does not.