1Password provider
Resolve secrets from shared 1Password vaults at runtime — no CLI tools to install, no credentials in YAML.
The 1Password provider uses the 1Password Go SDK and a service account token to fetch secrets on demand. Teams get centralized access control and audit logging from 1Password while Loom handles injection, file mounting, and redaction.
URI format
op://<vault>/<item-path>/<field>
| Segment | Description | Example |
|---|---|---|
| `<vault>` | Vault name (case-sensitive) | Engineering |
| `<item-path>` | One or more path segments identifying the item | deploy or services/loom/deploy |
| `<field>` | Field name on the item | token, password, username |
Examples
| Reference | Vault | Item path | Field |
|---|---|---|---|
| op://Engineering/deploy/token | Engineering | deploy | token |
| op://Engineering/services/loom/deploy/token | Engineering | services/loom/deploy | token |
| op://Platform/db/staging/password | Platform | db/staging | password |
Workflow usage
```yaml
secrets:
  DEPLOY_TOKEN:
    ref: op://Engineering/deploy/token
  DB_PASSWORD:
    ref: op://Platform/db/staging/password
    file: false
```
How resolution works
- Parse — Loom extracts `vault`, `item-path`, and `field` from the `ref` value. Query strings and fragments are rejected.
- Authenticate — `OP_SERVICE_ACCOUNT_TOKEN` is read from the runtime environment. If it is missing or empty, resolution fails immediately.
- Resolve — Loom initializes the 1Password Go SDK client and resolves the secret through the SDK API. No `op` CLI binary is involved.
- Inject — The returned bytes enter Loom's in-memory injection flow. Values are written to temp files (default) or placed directly in env vars, then registered with the redaction engine.
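The parse and authenticate steps above, written out as an added Go example (this is not Loom's own code and does not call the 1Password SDK): `ParseRef` splits an `op://` reference into vault, item path and field, rejecting query strings, fragments and missing segments with `SECRETS_REF_INVALID`, and `ServiceAccountToken` fails closed with `SECRETS_PROVIDER_UNAVAILABLE` when the token is unset or empty. The function and type names are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// Ref is a parsed op://<vault>/<item-path>/<field> reference.
type Ref struct {
	Vault    string
	ItemPath string // one or more segments joined with "/"
	Field    string
}

// Sentinel errors carrying the provider's documented error codes.
var (
	ErrRefInvalid          = errors.New("SECRETS_REF_INVALID")
	ErrProviderUnavailable = errors.New("SECRETS_PROVIDER_UNAVAILABLE")
)

// ParseRef validates and splits an op:// reference. Vault, at least one
// item-path segment and field are all required; "?" and "#" are rejected.
func ParseRef(ref string) (Ref, error) {
	const scheme = "op://"
	if !strings.HasPrefix(ref, scheme) {
		return Ref{}, fmt.Errorf("%w: missing op:// scheme", ErrRefInvalid)
	}
	if strings.ContainsAny(ref, "?#") {
		return Ref{}, fmt.Errorf("%w: query strings and fragments are rejected", ErrRefInvalid)
	}
	segs := strings.Split(strings.TrimPrefix(ref, scheme), "/")
	if len(segs) < 3 { // vault + item segment(s) + field
		return Ref{}, fmt.Errorf("%w: need vault, item path and field", ErrRefInvalid)
	}
	for _, s := range segs {
		if s == "" {
			return Ref{}, fmt.Errorf("%w: empty path segment", ErrRefInvalid)
		}
	}
	return Ref{Vault: segs[0], ItemPath: strings.Join(segs[1:len(segs)-1], "/"), Field: segs[len(segs)-1]}, nil
}

// ServiceAccountToken reads OP_SERVICE_ACCOUNT_TOKEN and fails closed when it is missing or empty.
func ServiceAccountToken() (string, error) {
	if tok := os.Getenv("OP_SERVICE_ACCOUNT_TOKEN"); strings.TrimSpace(tok) != "" {
		return tok, nil
	}
	return "", ErrProviderUnavailable
}
```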
Runtime requirements
| Requirement | Detail |
|---|---|
| `OP_SERVICE_ACCOUNT_TOKEN` | Exported in the shell that runs Loom |
| Vault access | The service account must have read access to the referenced vault(s) |
Resolution fails closed — secrets are never silently skipped.
Error codes
When resolution fails, Loom returns a deterministic error code:
| Error code | Trigger | What to check |
|---|---|---|
| SECRETS_PROVIDER_UNAVAILABLE | Token missing/empty, or the SDK returns a non-recoverable authentication error | Verify `OP_SERVICE_ACCOUNT_TOKEN` is exported |
| SECRETS_REF_INVALID | Malformed op:// reference (missing vault, item, or field; contains query/fragment) | Check URI format against the table above |
| SECRETS_REF_NOT_FOUND | Vault, item, or field does not exist in 1Password | Confirm the path in 1Password matches the ref |
Security guarantees
- Secret values never appear in CLI output, logs, or receipts — all output is redacted.
- Credentials are never stored in workflow files — only `op://` references.
- Loom's redaction engine processes all resolved values before any output boundary.
- Only service account tokens are supported — interactive 1Password sign-in is not available.
Next steps
- Install and configure 1Password — set up authentication and validate your first secret.
- CLI commands — list vaults, create items, and rotate secrets from the terminal.
- 1Password in workflows — patterns for using `op://` refs in workflow files.
- All providers — compare 1Password with KeePass and environment passthrough.