Securing CI/CD pipelines with 1Password Service Accounts

Securing CI/CD pipelines with 1Password Service Accounts

Michael Carey by Michael Carey on

Attention developers and DevOps teams! Today we’re excited to announce that 1Password Service Accounts are now generally available to all users. Whether you’re a growing startup, a thriving mid-size company, or a sprawling enterprise, service accounts offer a secure, automated way to access infrastructure secrets exactly where they’re needed.

This post will guide you through integrating service accounts with GitHub Actions, one of the leading CI/CD platforms, to secure your secrets within your pipelines. We also offer pre-built integrations for CircleCI and Jenkins.

Managing secrets in shared environments is challenging

We all know that secrets management can be tough, especially in shared environments. With the stakes so high, it’s essential to keep secrets secure and ensure they don’t end up in the wrong place, like logs or code repositories.

With service accounts and the CLI, you can encrypt all of your secrets in 1Password and grant applications programmatic access, with the ability to control which vaults are accessible and which actions the service account can perform. This helps reduce secrets sprawl across your organization by securing your secrets in a single place and eliminating hard-coded secrets.

There’s no need to spin up additional infrastructure, and rotating secrets and securely collaborating with your team is much more convenient.

GitHub Actions integration: automating secrets management

To illustrate how service accounts can streamline your workflow, let’s look at our integration with GitHub Actions. This integration allows you to load secrets from 1Password directly into your GitHub Actions runner, providing an easy way to manage secrets in a single source of truth and eliminating the risk of exposing plaintext secrets in code.

Configuring the action for enhanced security

Using the GitHub Actions integrations with service accounts is simple. Start by creating a service account in 1Password and then set the OP_SERVICE_ACCOUNT_TOKEN environment variable in GitHub to the service account token. This will give the GitHub Actions runner access to 1Password.

Next, set up a workflow YAML file that specifies the secrets to be loaded into your job. An example configuration might look like:

on: push
    runs-on: ubuntu-latest
      - uses: actions/checkout@v3

      - name: Load secret
        uses: 1password/load-secrets-action@v1
          # Export loaded secrets as environment variables
          export-env: true
          SECRET: op://app-cicd/hello-world/secret

      - name: Print masked secret
        run: echo "Secret: $SECRET"
        # Prints: Secret: ***

With this setup, your secrets are secure and accessible only when needed within your CI/CD pipelines.

Get started with 1Password Service Accounts

Service accounts help dev teams manage their secrets more securely and efficiently. The integration with GitHub Actions is just one example of how this feature can be leveraged to automate secrets management, enhance security, and improve the efficiency of CI/CD pipelines. Check out the service accounts documentation to get started.

Get started with 1Password Service Accounts

Secure secrets and programmatically access them in your apps – without deploying additional infrastructure.
Explore the documentation

Senior Product Manager

Michael Carey - Senior Product Manager Michael Carey - Senior Product Manager

Tweet about this post