
# 1Password Secrets with SDK

1Password released developer SDKs that make it possible to use the secret provider without any external components. This gives a much better experience for automated processes, since a Connect server is no longer needed.

Note: In order to use ESO with the 1Password SDK, items must have unique label names. If two labels carry the same title, ESO cannot determine which one to update and fails with the error `found multiple labels with the same key`.

## Store Configuration

A store is scoped to a single vault. This prevents one ExternalSecret from potentially accessing all vaults.

A sample store configuration looks like this:

{% include '1passwordsdk-secret-store.yaml' %}

## Client-Side Caching

Optional client-side caching reduces 1Password API calls. Configure TTL and cache size in the store:

```yaml
apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: 1password-cached
spec:
  provider:
    onepasswordSDK:
      vault: production
      auth:
        serviceAccountSecretRef:
          name: op-token
          key: token
      cache:
        ttl: 5m      # Optional, default: 5m
        maxSize: 100 # Optional, default: 100
```

Caching applies to read operations (GetSecret, GetSecretMap). Write operations (PushSecret, DeleteSecret) automatically invalidate relevant cache entries.

!!! warning "Experimental"

    This is an experimental feature. If the TTL is set too long, the secret information served from the cache might be out of date.

## GetSecret

Valid secret references should use the following key format: `<item>/[section/]<field>`.

This is described here: Secret Reference Syntax.

For a one-time password use the following key format: `<item>/[section/]one-time password?attribute=otp`.

{% include '1passwordsdk-external-secret.yaml' %}
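To make the key format above concrete, here is an added example (not part of the ESO provider code) that decomposes a `remoteRef.key` into item, optional section, field and the `attribute=otp` query. It assumes item, section and field names contain no `/` or `?`, and accepts only the `otp` attribute, since that is the only one documented here.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// SecretRef is the decomposed form of a key written as
// <item>/[section/]<field>[?attribute=otp].
type SecretRef struct {
	Item      string
	Section   string // empty when the optional section segment is absent
	Field     string
	Attribute string // "otp" for one-time passwords, otherwise empty
}

// ParseSecretRef splits a key into its parts. Assumption of this example:
// item, section and field names contain no "/" and no "?".
func ParseSecretRef(key string) (SecretRef, error) {
	var ref SecretRef
	path, query, hasQuery := strings.Cut(key, "?")
	if hasQuery {
		name, value, ok := strings.Cut(query, "=")
		// Only attribute=otp is documented; anything else is rejected.
		if !ok || name != "attribute" || value != "otp" {
			return ref, fmt.Errorf("unsupported query %q in key %q", query, key)
		}
		ref.Attribute = value
	}
	parts := strings.Split(path, "/")
	for _, p := range parts {
		if p == "" {
			return ref, fmt.Errorf("empty segment in key %q", key)
		}
	}
	switch len(parts) {
	case 2: // <item>/<field>
		ref.Item, ref.Field = parts[0], parts[1]
	case 3: // <item>/<section>/<field>
		ref.Item, ref.Section, ref.Field = parts[0], parts[1], parts[2]
	default:
		return ref, errors.New("key must be <item>/[section/]<field>")
	}
	return ref, nil
}

func main() {
	// Constructed sample keys covering all three documented shapes.
	for _, k := range []string{"db-creds/password", "db-creds/prod/password", "my-login/one-time password?attribute=otp"} {
		ref, err := ParseSecretRef(k)
		fmt.Printf("%q -> %+v (err=%v)\n", k, ref, err)
	}
}
```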

## PushSecret

Pushing a secret is also supported. For example, a push operation with the following secret:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: source-secret
stringData:
  api-key: "my-api-key"
  api-url: "https://example.com/api"
```

looks like this:

{% include '1passwordsdk-push-secret.yaml' %}

If the PushSecret object is removed and its deletion policy is set to delete, the pushed fields are removed from the 1Password item; once all fields of the item have been deleted, the entire item is deleted.

To sync the entire secret into a single 1Password item, the following configuration can be used:

{% include '1passwordsdk-push-secret-all-keys.yaml' %}

## Supported Functionality

Please check the 1Password documentation for the supported functionality.