1password-direnv-secrets

Configures 1Password CLI with direnv for fast, secure credential loading. Activates for: 1Password + direnv setup, slow secrets (>2 sec), .env.op files, op:// references, AWS credentials via env vars, --reveal flag issues, repeated biometric prompts, creating 1Password items programmatically, op item get errors. Not for: 1Password GUI usage, SSH keys (use 1Password SSH agent).

Repository: clearfunction/cf-devtools (Verified Org, 2 stars)
Source file: skills/1password-direnv-secrets/SKILL.md
Last Verified: January 21, 2026

Install (add-skill CLI):

npx add-skill https://github.com/clearfunction/cf-devtools/blob/main/skills/1password-direnv-secrets/SKILL.md -a claude-code --skill 1password-direnv-secrets

Installs to: .claude/skills/1password-direnv-secrets/

Instructions

# 1Password CLI Secret Management

Secure credential management using 1Password CLI with zero plaintext secrets on disk.

## Quick Reference

| Use Case                    | Approach              | Details                                                           |
|-----------------------------|-----------------------|-------------------------------------------------------------------|
| All secrets (AWS, DB, APIs) | direnv + `op run`     | [Core Pattern](#core-pattern-direnv--op-run)                      |
| CI/CD automation            | Service account token | [Session Management](references/session-management.md)            |
| Creating items for users    | `op item create`      | [Programmatic Creation](references/programmatic-item-creation.md) |

**Key insight:** Secrets load once on `cd` and all subprocesses inherit them (standard Unix `fork()` behavior). One `op` call, no re-fetching.

---

## Core Pattern: direnv + op run

**Use `op run --env-file` NOT multiple `op read` calls.**

| Approach           | CLI Invocations | Load Time  |
|--------------------|-----------------|------------|
| Multiple `op read` | N per secret    | ~5 seconds |
| Single `op run`    | 1               | ~1 second  |

### Setup

**1. `.env.op`** (safe to commit - contains only `op://` references):

```bash
AWS_ACCESS_KEY_ID="op://Vault/Item/Access Key ID"
AWS_SECRET_ACCESS_KEY="op://Vault/Item/Secret Access Key"
DB_PASSWORD="op://Vault/Item/password"
```

**2. `.envrc`** (safe to commit - no secrets, just loader command):

```bash
direnv_load op run --env-file=.env.op --no-masking \
  --account=yourcompany.1password.com -- direnv dump
```

**3. Enable:** `direnv allow`
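The setup above calls `.env.op` safe to commit because it holds only `op://` references. As an added example (not part of the skill or the cf-devtools repo), the following check enforces that before a commit by rejecting any non-comment line that is not a `KEY="op://vault/item/field"` reference. It assumes POSIX sh and grep; the sample files it writes are constructed.

```shell
# Added example, not from the skill: a pre-commit style check that a .env.op
# file holds only op:// references, so it really is safe to commit.
# Assumes POSIX sh and grep; the sample files below are constructed.

# Return 0 if every non-blank, non-comment line is KEY="op://vault/item/field"
# (section segments and spaces in field names allowed, quotes optional);
# otherwise print the offending lines to stderr and return 1.
check_env_op() {
  file="$1"
  bad=$(grep -vE '^[[:space:]]*(#|$)' "$file" \
        | grep -vE '^[A-Za-z_][A-Za-z0-9_]*="?op://[^/"]+/[^/"]+(/[^/"]+)+"?$' || true)
  if [ -n "$bad" ]; then
    printf 'Refusing %s: entries that are not op:// references:\n%s\n' "$file" "$bad" >&2
    return 1
  fi
  return 0
}

# Constructed samples: one clean file, one with a plaintext value slipped in.
demo_dir=$(mktemp -d)
cat > "$demo_dir/good.env.op" <<'EOF'
# AWS credentials resolved by op run
AWS_ACCESS_KEY_ID="op://Vault/Item/Access Key ID"
AWS_SECRET_ACCESS_KEY="op://Vault/Item/Secret Access Key"
DB_PASSWORD=op://Vault/Item/password
EOF
cat > "$demo_dir/bad.env.op" <<'EOF'
AWS_ACCESS_KEY_ID="op://Vault/Item/Access Key ID"
DB_PASSWORD="hunter2-constructed-example"
EOF
check_env_op "$demo_dir/good.env.op" && echo "good.env.op: only op:// references"
check_env_op "$demo_dir/bad.env.op" || echo "bad.env.op: rejected"
rm -rf "$demo_dir"
```

Wire `check_env_op .env.op` into a pre-commit hook so a plaintext value pasted into the file never reaches the repository.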

### Global Helper

Add to `~/.config/direnv/direnvrc`:

```bash
use_1password() {
  local env_file="${1:-.env.op}" account="${2:-yourcompany.1password.com}"
  [[ -f "$env_file" ]] && direnv_load op run --env-file="$env_file" \
    --no-masking --account="$account" -- direnv dump
}
```

Then `.envrc` becomes: `use 1p
