Managing environment variables with 1Password CLI for local development

Prerequisites

Install the 1Password CLI:
```
brew install 1password-cli
```
Have a vault named ENV, or change the vault in the functions below.

1. Inject Secrets at Runtime with `openv`

openv reads a .env file, pulls the specified secrets from 1Password, and injects them as environment variables into a command’s runtime. This ensures secrets are never stored in plaintext.

Usage:

openv npm run dev
openv -f custom.env npm run dev

Features:

Supports custom .env file paths using the -f option.
Automatically logs in to 1Password if not already signed in.

Code:

function openv {
  local env_path=".env"
  while getopts "f:" opt; do
    case $opt in
      f) env_path="$OPTARG" ;;
      *) return 1 ;;
    esac
  done
  shift $((OPTIND-1))

  op whoami || eval $(op signin)
  op run --env-file="${env_path}" -- $@
}

2. Pull Secrets from 1Password with `oppull`

oppull retrieves secrets from a 1Password item and writes them to a .env file. It can output raw secret values or op:// references for use with the 1Password CLI.

Usage:

oppull projectname_local
oppull -f custom.env projectname_local
oppull -r projectname_local

Features:

Outputs secrets in raw format or as 1Password references
Allows specifying a custom .env file path
Handles 1Password authentication automatically

Code:

function oppull {
  local env_path=".env"
  local raw=false
  while getopts "f:r" opt; do
    case $opt in
      f) env_path="$OPTARG" ;;
      r) raw=true ;;
      *) return 1 ;;
    esac
  done
  shift $((OPTIND-1))

  [[ -z "$1" ]] && { echo "Please provide an item name"; return 1; }
  op whoami || eval $(op signin)

  if [ "$raw" = true ]; then
    op item get "$1" --format json | jq -r '.fields[] | select(.value != null) | "\(.label)=\(.value)"' > "$env_path"
  else
    op item get "$1" --format json | jq -r --arg item "$1" '.fields[] | select(.value != null) | "\(.label)=op://ENV/\($item)/\(.label)"' > "$env_path"
  fi

  echo "✨ Successfully wrote secrets to $env_path"
}

3. Push Secrets to 1Password with `oppush`

oppush saves environment variables from a .env file to a 1Password item, creating a secure backup of your secrets.

Usage:

oppush projectname_local
oppush -f custom.env projectname_local

Features:

Creates backups before overwriting existing items
Works with custom .env file paths
Stores environment variables as 1Password fields

Code:

function oppush {
  local env_path=".env"
  while getopts "f:" opt; do
    case $opt in
      f) env_path="$OPTARG" ;;
      *) return 1 ;;
    esac
  done
  shift $((OPTIND-1))

  [[ -z "$1" ]] && { echo "Please provide an item name"; return 1; }
  [[ ! -f "$env_path" ]] && { echo "❌ Environment file $env_path not found"; return 1; }
  op whoami || eval $(op signin)

  if op item get "$1" --vault ENV &>/dev/null; then
    echo "⚠️  Item '$1' already exists. Creating backup..."
    op item get "$1" --vault ENV --format json > "$1.backup.json"
  fi

  echo '{"title":"'$1'","category":"LOGIN","fields":[]}' > temp_item.json
  while IFS='=' read -r key value || [ -n "$key" ]; do
    [[ -z "$key" || "$key" == \#* ]] && continue
    value=$(echo "$value" | sed -e 's/^'//' -e 's/'$//')
    tmp=$(jq --arg k "$key" --arg v "$value" '.fields += [{"id": $k, "label": $k, "value": $v, "type": "CONCEALED"}]' temp_item.json)
    echo "$tmp" > temp_item.json
  done < "$env_path"

  op item create --vault ENV --template temp_item.json
  rm temp_item.json
  echo "✨ Successfully saved $env_path to 1Password as '$1'"
}

Wrapping Up

These Zsh functions make managing environment variables with 1Password both secure and efficient. By leveraging openv, oppull, and oppush, you can inject secrets into your workflow seamlessly, pull them from 1Password, and even back them up to your vault.

Add these functions to your ~/.zshrc to get started.

Prerequisites

Install the 1Password CLI:
```
brew install 1password-cli
```
Have a vault named ENV, or change the vault in the functions below.

1. Inject Secrets at Runtime with `openv`

openv reads a .env file, pulls the specified secrets from 1Password, and injects them as environment variables into a command’s runtime. This ensures secrets are never stored in plaintext.

Usage:

openv npm run dev
openv -f custom.env npm run dev

Features:

Supports custom .env file paths using the -f option.
Automatically logs in to 1Password if not already signed in.

Code:

function openv {
  local env_path=".env"
  while getopts "f:" opt; do
    case $opt in
      f) env_path="$OPTARG" ;;
      *) return 1 ;;
    esac
  done
  shift $((OPTIND-1))

  op whoami || eval $(op signin)
  op run --env-file="${env_path}" -- $@
}

2. Pull Secrets from 1Password with `oppull`

oppull retrieves secrets from a 1Password item and writes them to a .env file. It can output raw secret values or op:// references for use with the 1Password CLI.

Usage:

oppull projectname_local
oppull -f custom.env projectname_local
oppull -r projectname_local

Features:

Outputs secrets in raw format or as 1Password references
Allows specifying a custom .env file path
Handles 1Password authentication automatically

Code:

function oppull {
  local env_path=".env"
  local raw=false
  while getopts "f:r" opt; do
    case $opt in
      f) env_path="$OPTARG" ;;
      r) raw=true ;;
      *) return 1 ;;
    esac
  done
  shift $((OPTIND-1))

  [[ -z "$1" ]] && { echo "Please provide an item name"; return 1; }
  op whoami || eval $(op signin)

  if [ "$raw" = true ]; then
    op item get "$1" --format json | jq -r '.fields[] | select(.value != null) | "\(.label)=\(.value)"' > "$env_path"
  else
    op item get "$1" --format json | jq -r --arg item "$1" '.fields[] | select(.value != null) | "\(.label)=op://ENV/\($item)/\(.label)"' > "$env_path"
  fi

  echo "✨ Successfully wrote secrets to $env_path"
}

3. Push Secrets to 1Password with `oppush`

oppush saves environment variables from a .env file to a 1Password item, creating a secure backup of your secrets.

Usage:

oppush projectname_local
oppush -f custom.env projectname_local

Features:

Creates backups before overwriting existing items
Works with custom .env file paths
Stores environment variables as 1Password fields

Code:

function oppush {
  local env_path=".env"
  while getopts "f:" opt; do
    case $opt in
      f) env_path="$OPTARG" ;;
      *) return 1 ;;
    esac
  done
  shift $((OPTIND-1))

  [[ -z "$1" ]] && { echo "Please provide an item name"; return 1; }
  [[ ! -f "$env_path" ]] && { echo "❌ Environment file $env_path not found"; return 1; }
  op whoami || eval $(op signin)

  if op item get "$1" --vault ENV &>/dev/null; then
    echo "⚠️  Item '$1' already exists. Creating backup..."
    op item get "$1" --vault ENV --format json > "$1.backup.json"
  fi

  echo '{"title":"'$1'","category":"LOGIN","fields":[]}' > temp_item.json
  while IFS='=' read -r key value || [ -n "$key" ]; do
    [[ -z "$key" || "$key" == \#* ]] && continue
    value=$(echo "$value" | sed -e 's/^'//' -e 's/'$//')
    tmp=$(jq --arg k "$key" --arg v "$value" '.fields += [{"id": $k, "label": $k, "value": $v, "type": "CONCEALED"}]' temp_item.json)
    echo "$tmp" > temp_item.json
  done < "$env_path"

  op item create --vault ENV --template temp_item.json
  rm temp_item.json
  echo "✨ Successfully saved $env_path to 1Password as '$1'"
}

Wrapping Up

Add these functions to your ~/.zshrc to get started.

Prerequisites

1. Inject Secrets at Runtime with openv

Usage:

Features:

Code:

2. Pull Secrets from 1Password with oppull

Usage:

Features:

Code:

3. Push Secrets to 1Password with oppush

Usage:

Features:

Code:

Wrapping Up

Prerequisites

1. Inject Secrets at Runtime with openv

Usage:

Features:

Code:

2. Pull Secrets from 1Password with oppull

Usage:

Features:

Code:

3. Push Secrets to 1Password with oppush

Usage:

Features:

Code:

Wrapping Up

1. Inject Secrets at Runtime with `openv`

2. Pull Secrets from 1Password with `oppull`

3. Push Secrets to 1Password with `oppush`

1. Inject Secrets at Runtime with `openv`

2. Pull Secrets from 1Password with `oppull`

3. Push Secrets to 1Password with `oppush`