1password-direnv-secrets
Configures 1Password CLI with direnv for fast, secure credential loading. Activates for: 1Password + direnv setup, slow secrets (>2 sec), .env.op files, op:// references, AWS credentials via env vars, --reveal flag issues, repeated biometric prompts, creating 1Password items programmatically, op item get errors. Not for: 1Password GUI usage, SSH keys (use 1Password SSH agent).
Best use case
1password-direnv-secrets is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using 1password-direnv-secrets should expect more consistent output, faster repeated execution and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in .claude/skills/1password-direnv-secrets/SKILL.md inside your project
- Restart your AI agent; it will auto-discover the skill
SKILL.md Source
# 1Password CLI Secret Management
Secure credential management using 1Password CLI with zero plaintext secrets on disk.
## Quick Reference
| Use Case | Approach | Details |
|-----------------------------|-----------------------|-------------------------------------------------------------------|
| All secrets (AWS, DB, APIs) | direnv + `op run` | [Core Pattern](#core-pattern-direnv--op-run) |
| CI/CD automation | Service account token | [Session Management](references/session-management.md) |
| Creating items for users | `op item create` | [Programmatic Creation](references/programmatic-item-creation.md) |
**Key insight:** Secrets load once on `cd` and all subprocesses inherit them (standard Unix `fork()` behavior). One `op` call, no re-fetching.
---
## Core Pattern: direnv + op run
**Use `op run --env-file` NOT multiple `op read` calls.**
| Approach | CLI Invocations | Load Time |
|--------------------|-----------------|------------|
| Multiple `op read` | N per secret | ~5 seconds |
| Single `op run` | 1 | ~1 second |
### Setup
**1. `.env.op`** (safe to commit - contains only `op://` references):
```bash
AWS_ACCESS_KEY_ID="op://Vault/Item/Access Key ID"
AWS_SECRET_ACCESS_KEY="op://Vault/Item/Secret Access Key"
DB_PASSWORD="op://Vault/Item/password"
```
**2. `.envrc`** (safe to commit - no secrets, just loader command):
```bash
direnv_load op run --env-file=.env.op --no-masking \
    --account=yourcompany.1password.com -- direnv dump
```
**3. Enable:** `direnv allow`
### Global Helper
Add to `~/.config/direnv/direnvrc`:
```bash
use_1password() {
    local env_file="${1:-.env.op}" account="${2:-yourcompany.1password.com}"
    [[ -f "$env_file" ]] && direnv_load op run --env-file="$env_file" \
        --no-masking --account="$account" -- direnv dump
}
```
Then `.envrc` becomes: `use 1password`
---
## Critical: The --reveal Flag
**Concealed fields require `--reveal` to get actual values.**
```bash
# WRONG - returns placeholder text, NOT the secret!
op item get "Item" --fields "Secret Access Key"
# Output: [use 'op item get xxx --reveal' to reveal]
# CORRECT - returns actual secret value
op item get "Item" --fields "Secret Access Key" --reveal
```
**Common symptom:** `SignatureDoesNotMatch` errors from AWS indicate the secret wasn't retrieved properly.
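The placeholder text above is easy to miss when a script captures `op` output into a variable and exports it: nothing fails until AWS rejects the signature. The following is an added example, not part of the skill's SKILL.md, of catching that case up front. `is_revealed_value`, `op_field`, `aws_env_looks_resolved`, `make_op_stub` and the `OP_BIN` override are names assumed here; the stub `op` is constructed so the wrapper can be exercised without a 1Password account.

```bash
#!/bin/sh
# Added example (not part of the skill): guard against the concealed-field
# placeholder leaking into a script as if it were the secret.
# Without --reveal, `op item get ... --fields <concealed field>` prints
#   [use 'op item get xxx --reveal' to reveal]
# and a script that exports that string as AWS_SECRET_ACCESS_KEY only fails
# later with SignatureDoesNotMatch. Checking the value first makes the
# failure immediate and self-explanatory.

# Returns 0 for a value that looks like a real field value, 1 for an empty
# value or the placeholder text.
is_revealed_value() {
  value="$1"
  [ -n "$value" ] || return 1
  case "$value" in
    "[use '"*"--reveal' to reveal]") return 1 ;;
  esac
  return 0
}

# Fetch one field of one item, always with --reveal, and refuse to hand back
# anything that still looks like a placeholder. OP_BIN (assumed name) lets a
# test substitute a stub for the real `op` binary; the third argument is an
# optional --account value.
op_field() {
  item="$1"; field="$2"; account="${3:-}"
  if [ -n "$account" ]; then
    value=$("${OP_BIN:-op}" item get "$item" --fields "$field" --reveal --account "$account") || return 1
  else
    value=$("${OP_BIN:-op}" item get "$item" --fields "$field" --reveal) || return 1
  fi
  if ! is_revealed_value "$value"; then
    printf 'op_field: %s/%s came back concealed, not revealed\n' "$item" "$field" >&2
    return 1
  fi
  printf '%s\n' "$value"
}

# Pre-flight check before calling aws: both credential variables must be set
# and neither may be the placeholder. Returns 0 when the environment is usable.
aws_env_looks_resolved() {
  is_revealed_value "${AWS_ACCESS_KEY_ID:-}" && is_revealed_value "${AWS_SECRET_ACCESS_KEY:-}"
}

# Constructed stub standing in for `op`: prints a fake secret when --reveal is
# present and the placeholder otherwise, mirroring the behaviour shown above.
make_op_stub() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/op" <<'EOF'
#!/bin/sh
for arg in "$@"; do
  [ "$arg" = "--reveal" ] && { echo "constructed-secret-value"; exit 0; }
done
echo "[use 'op item get xxx --reveal' to reveal]"
EOF
  chmod +x "$dir/op"
}
```

In a real script, `aws_env_looks_resolved || exit 1` just before the first `aws` call is enough to turn a confusing `SignatureDoesNotMatch` into a clear local error.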
---
## Reducing Biometric Prompts
| Scenario | Solution | Prompts |
|----------------------|----------------------------|----------------------|
| Dev entering project | direnv + `op run` | 1 on directory entry |
| CI/CD pipeline | `OP_SERVICE_ACCOUNT_TOKEN` | 0 |
**Key insight:** Sessions last 10 minutes with auto-refresh on each use. Keep 1Password desktop app unlocked and integrated with CLI.
> **Detailed strategies:** [references/session-management.md](references/session-management.md)
---
## Discovery Commands
```bash
op account list # Find accounts
op vault list --account mycompany.1password.com # Find vaults
op item list --account mycompany.1password.com # Find items
```
> **Full reference:** [references/discovery-commands.md](references/discovery-commands.md) - field inspection, search patterns, debugging
---
## Creating Items Programmatically
For Claude Code workflows where Claude sets up infrastructure without handling raw secrets:
```bash
# Create item with placeholder values
op item create --category "API Credential" \
    --title "AWS Service-Name" \
    --vault "Private" \
    --account mycompany.1password.com \
    "Access Key ID[text]=REPLACE_ME" \
    "Secret Access Key[concealed]=REPLACE_ME"
```
User populates via 1Password app, then Claude continues with configuration.
> **Full pattern:** [references/programmatic-item-creation.md](references/programmatic-item-creation.md)
---
## What's Safe to Commit?
| File | Safe? | Why |
|-----------|-------|--------------------------------------------------------|
| `.env.op` | Yes | Contains only `op://` pointers |
| `.envrc` | Yes | No secrets - just loader command delegating to .env.op |
| `.env` | Never | Contains actual secrets |
> The account name (e.g., `yourcompany.1password.com`) isn't sensitive - it's just an identifier. For team projects, everyone uses the same account anyway.
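The whole safety argument of the core pattern rests on `.env.op` holding only `op://` references while `.env` stays out of git. That is a property worth checking mechanically rather than by eye. The following is an added example, not part of the skill's SKILL.md: a small lint for the `.env.op` format shown in the Core Pattern section plus a `.gitignore` check, suitable for a pre-commit hook. `lint_env_op`, `env_is_gitignored`, `make_sample_project` and `precommit_check` are names assumed here, and the sample project it writes is constructed.

```bash
#!/bin/sh
# Added example: pre-commit lint for .env.op (not part of the skill's SKILL.md).
# Rule: every value must be a secret reference of the form
#   op://<vault>/<item>/<field>   or   op://<vault>/<item>/<section>/<field>
# Anything else is a literal, and a literal in this file is a secret that
# must not be committed.

# Returns 0 when every assignment in the file is an op:// reference,
# 1 when at least one plaintext value is found (offenders go to stderr).
lint_env_op() {
  file="$1"
  status=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|'#'*) continue ;;                  # blank line or comment
    esac
    key="${line%%=*}"
    key="${key#export }"                     # tolerate "export KEY=..."
    value="${line#*=}"
    # strip one layer of surrounding double or single quotes
    case "$value" in
      \"*\") value="${value#\"}"; value="${value%\"}" ;;
      \'*\') value="${value#\'}"; value="${value%\'}" ;;
    esac
    # field names may contain spaces ("Access Key ID"), so only '/' separates parts
    if ! printf '%s\n' "$value" | grep -Eq '^op://[^/]+/[^/]+/[^/]+(/[^/]+)?$'; then
      printf 'lint_env_op: %s: plaintext value for %s\n' "$file" "$key" >&2
      status=1
    fi
  done < "$file"
  return "$status"
}

# Returns 0 when .gitignore in the given directory lists .env (the file that
# would hold resolved secrets), 1 otherwise.
env_is_gitignored() {
  dir="$1"
  [ -f "$dir/.gitignore" ] && grep -qxF -e '.env' -e '/.env' "$dir/.gitignore"
}

# Constructed sample project for trying the checks offline: a good .env.op,
# a bad one with a literal password, and a .gitignore covering .env.
make_sample_project() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/.env.op" <<'EOF'
# references only: safe to commit
AWS_ACCESS_KEY_ID="op://Vault/Item/Access Key ID"
AWS_SECRET_ACCESS_KEY="op://Vault/Item/Secret Access Key"
DB_PASSWORD="op://Vault/Item/password"
EOF
  cat > "$dir/.env.op.bad" <<'EOF'
AWS_ACCESS_KEY_ID="op://Vault/Item/Access Key ID"
DB_PASSWORD=hunter2-constructed-example
EOF
  printf '.env\n.envrc.local\n' > "$dir/.gitignore"
}

# Usage: precommit_check <project dir>  -> 0 if safe to commit, 1 otherwise
precommit_check() {
  dir="$1"
  lint_env_op "$dir/.env.op" && env_is_gitignored "$dir"
}
```

The same `lint_env_op` call can sit inside the `use_1password` helper ahead of `direnv_load`, so a `.env.op` that has been edited to contain a literal is refused on `cd` as well as at commit time.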
---
## Troubleshooting
| Error | Fix |
|-------------------------------|---------------------------------------------|
| `SignatureDoesNotMatch` (AWS) | Add `--reveal` for concealed fields |
| `op: command not found` | `brew install --cask 1password-cli` |
| `could not find item` | Names are case-sensitive; verify exact name |
> **Full troubleshooting:** [references/session-management.md#troubleshooting-excessive-prompts](references/session-management.md#troubleshooting-excessive-prompts)
---
## Prerequisites
```bash
# Install 1Password CLI (v2.18.0+ for service accounts)
brew install --cask 1password-cli
# Install direnv (for env var approach)
brew install direnv
echo 'eval "$(direnv hook zsh)"' >> ~/.zshrc
# Sign in and integrate with desktop app
op signin --account=yourcompany.1password.com
# Verify integration
op whoami
```
**Required:** 1Password desktop app with CLI integration enabled (Settings → Developer → CLI Integration).
---
## Detailed References
- [Session Management](references/session-management.md) - Minimizing prompts, service accounts, CI/CD
- [Discovery Commands](references/discovery-commands.md) - Finding accounts, vaults, items, fields
- [Programmatic Item Creation](references/programmatic-item-creation.md) - Claude Code workflow patterns