feat: add 1Password SecretsProvider #18
Merged: klaidliadon merged 10 commits into master on Apr 30, 2026
Conversation
- Move existing example to `cmd/gcp/main.go`
- Add `cmd/onepassword/main.go` for the new 1Password provider
- Replace `make run` with `make run-gcp` and `make run-onepassword`
The Go SDK (github.com/1password/onepassword-sdk-go) requires service account tokens, available only on 1Password Business. Shelling out to the `op` CLI works on every plan and reuses whatever auth the CLI is configured with — biometric desktop integration, `op signin` sessions, or service account tokens.
- Drops the SDK and its WASM/wazero core (~10 MB binary impact)
- Constructor no longer takes ctx (no client to set up)
- README rewritten to explain CLI install and auth modes
NewSecretsProvider now takes context.Context and runs `op vault list` to fail fast if the CLI cannot authenticate. Misconfigured environments surface their auth errors at boot, not on the first secret fetch. `op vault list` is used instead of `op whoami` because the latter does not trigger biometric desktop integration and reports "not signed in" even when the CLI works fine via the desktop app. README expanded to walk through the install-quit-restart-toggle sequence required to enable biometric desktop integration on macOS.
Force-pushed from 75a4caf to 21615a2
Configures a default vault/item so callers can write `$SECRET:KEY` instead of `$SECRET:op://vault/item/KEY`. Useful for migrating configs that previously resolved bare names via the env provider.
Resolution rule in FetchSecret:
- Secret IDs starting with "op://" pass through unchanged.
- Bare names get prepended with "op://<defaultVault>/<defaultItem>/".
- Bare names without a configured default path return an explicit error rather than producing a malformed URI for `op read`.
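The commits above describe two behaviours: the boot-time `op vault list` auth check, and the `op://` / bare-name resolution rule with `WithDefaultPath`. The following is an added example written for this page, not the repository's code (which is not shown here); it only borrows the names `NewSecretsProvider`, `WithDefaultPath` and `FetchSecret` from the description. The `runner` seam, `withRunner`, `execOp`, `resolveRef`, the `fakeOp` stand-in for the CLI and the rejection of empty bare names or names containing `/` are assumptions of this example, and `fakeOp` returns constructed data so it runs without a real `op` binary.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// runner executes the op CLI and returns its stdout. Hypothetical seam (not
// the project's) so the auth check and reads can run against a fake binary.
type runner func(ctx context.Context, args ...string) ([]byte, error)

// execOp shells out to whatever `op` is on PATH, reusing the CLI's own auth,
// and surfaces its stderr (e.g. "not signed in") in the returned error.
func execOp(ctx context.Context, args ...string) ([]byte, error) {
	out, err := exec.CommandContext(ctx, "op", args...).Output()
	var exitErr *exec.ExitError
	if errors.As(err, &exitErr) {
		return nil, fmt.Errorf("op %s: %s", strings.Join(args, " "), strings.TrimSpace(string(exitErr.Stderr)))
	}
	return out, err
}

// Provider is stateless beyond the runner and the optional default path.
type Provider struct {
	run          runner
	defaultVault string
	defaultItem  string
}

// Option is a functional option, so NewSecretsProvider(ctx) keeps its signature.
type Option func(*Provider)

// WithDefaultPath lets bare names ($SECRET:KEY) resolve to op://<vault>/<item>/KEY.
func WithDefaultPath(vault, item string) Option {
	return func(p *Provider) { p.defaultVault, p.defaultItem = vault, item }
}

// withRunner swaps the CLI runner (example-only, to run without `op`).
func withRunner(r runner) Option { return func(p *Provider) { p.run = r } }

// NewSecretsProvider fails fast when the CLI cannot authenticate. `op vault list`
// is used rather than `op whoami`, which does not trigger biometric desktop
// integration and reports "not signed in" even when reads would succeed.
func NewSecretsProvider(ctx context.Context, opts ...Option) (*Provider, error) {
	p := &Provider{run: execOp}
	for _, opt := range opts {
		opt(p)
	}
	if _, err := p.run(ctx, "vault", "list", "--format", "json"); err != nil {
		return nil, fmt.Errorf("onepassword: op CLI cannot authenticate: %w", err)
	}
	return p, nil
}

// resolveRef: op:// references pass through; bare names get the default path
// prepended; bare names with no default path error out instead of producing a
// malformed URI. Rejecting "" and names containing "/" is added strictness.
func (p *Provider) resolveRef(id string) (string, error) {
	if strings.HasPrefix(id, "op://") {
		return id, nil
	}
	if id == "" || strings.Contains(id, "/") {
		return "", fmt.Errorf("onepassword: %q is not a valid bare field name", id)
	}
	if p.defaultVault == "" || p.defaultItem == "" {
		return "", fmt.Errorf("onepassword: %q is a bare name but no default path is configured", id)
	}
	return "op://" + p.defaultVault + "/" + p.defaultItem + "/" + id, nil
}

// FetchSecret resolves the reference and reads it with `op read`.
func (p *Provider) FetchSecret(ctx context.Context, id string) (string, error) {
	ref, err := p.resolveRef(id)
	if err != nil {
		return "", err
	}
	out, err := p.run(ctx, "read", ref)
	if err != nil {
		return "", fmt.Errorf("onepassword: reading %s: %w", ref, err)
	}
	return strings.TrimRight(string(out), "\r\n"), nil
}

// fakeOp is a constructed stand-in for the op CLI so the example runs offline:
// it knows one vault and one field and fails every other invocation.
func fakeOp(_ context.Context, args ...string) ([]byte, error) {
	switch strings.Join(args, " ") {
	case "vault list --format json":
		return []byte(`[{"id":"vaultid","name":"cloudsecrets-test"}]`), nil
	case "read op://cloudsecrets-test/db/username":
		return []byte("test-user\n"), nil
	}
	return nil, errors.New("[ERROR] could not read secret")
}

func main() {
	ctx := context.Background()
	p, err := NewSecretsProvider(ctx, withRunner(fakeOp), WithDefaultPath("cloudsecrets-test", "db"))
	if err != nil {
		panic(err)
	}
	v, err := p.FetchSecret(ctx, "username") // resolves to op://cloudsecrets-test/db/username
	fmt.Println(v, err)
}
```

Drop `withRunner(fakeOp)` to run against the real CLI; the constructor then fails at boot with the CLI's own stderr if `op` is not installed or not signed in, which is the "fail fast" behaviour the commit describes.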
Summary
- `onepassword` provider that resolves `op://<vault>/<item>/<field>` references by shelling out to the `op` CLI. Plan-agnostic — works on Personal, Teams, and Business — and reuses whatever auth the CLI is configured with (biometric desktop integration, `op signin` session, or `OP_SERVICE_ACCOUNT_TOKEN`).
- `WithDefaultPath(vault, item)`: callers configured with a default path can write `$SECRET:KEY` instead of `$SECRET:op://...`. Drop-in for configs migrating from the `env` provider's `$SECRET:KEY` format.
- `gcp` and `env` READMEs so docs are uniform; root README becomes a thin index linking to each provider's README.
- Split `_examples` into per-provider binaries (`cmd/gcp/`, `cmd/onepassword/`) with matching `make run-gcp` / `make run-onepassword` targets.
Why a CLI wrapper instead of the Go SDK
We initially tried github.com/1password/onepassword-sdk-go but it's overkill for this use case:
- `op signin` sessions, with one auth path.
- wazero; CLI wrapper is plain `os/exec`.
- `gcp` provider already shells out to `gcloud` for project-number resolution.
Design notes
- `$SECRET:op://vault/item/field`. Provider is stateless beyond the located `op` binary.
- `WithDefaultPath(vault, item)`. With it set, bare names like `$SECRET:KEY` resolve as `op://<vault>/<item>/KEY`. Bare names without a configured default error out explicitly rather than producing a malformed URI.
- `op`. No env vars, no constructor knobs.
- `NewSecretsProvider(ctx)` runs `op vault list` to fail fast if the CLI cannot authenticate. (`op whoami` is not used — it doesn't trigger biometric desktop integration and reports "not signed in" even when the CLI works fine.)
- `eval "$(op signin)"` skips the prompt for batch contexts.
- `Close()`: there's no persistent resource to release.
- (`NewSecretsProvider(ctx)`) stays untouched and future knobs can be added without breaking signatures.
Verification
- `go build ./...` ✓
- `make test` ✓ (existing tests pass; no new tests — matches the existing pattern of untested SDK/CLI-wrapper providers)
- `make lint` ✓ 0 issues
- `op://cloudsecrets-test/db/{username,password}` via `make run-onepassword`.
Test plan
Steps to reproduce the smoke test are in `onepassword/README.md` → Try the example:
1. `op` CLI, enable desktop integration (or run `eval "$(op signin)"`)
2. `op vault create` / `op item create` snippet
3. `cd _examples && make run-onepassword`
4. `test-user`/`hunter2` instead of `$SECRET:op://...` placeholders