1Password

Prerequisites

  • A 1Password account with a Connect Server deployed
  • A Connect Server token with access to the target vault
  • OP_CONNECT_HOST and OP_CONNECT_TOKEN set on the ev API server

What is 1Password Connect?

1Password Connect is a self-hosted REST API that gives your infrastructure access to 1Password vaults. It runs as a Docker container alongside your ev API server.

1Password Connect documentation

Step 1: Deploy Connect Server

docker run -d \
  -p 8080:8080 \
  -v /path/to/1password-credentials.json:/home/opuser/.op/1password-credentials.json \
  1password/connect-api:latest

Step 2: Configure Credentials

Set these on the ev API server:

OP_CONNECT_HOST=http://localhost:8080
OP_CONNECT_TOKEN=your-connect-token

Step 3: Connect

ev backend set 1password --vault-name "Engineering" --prefix ev/

Step 4: Import Existing Secrets

ev import 1password --vault-name "Engineering" --prefix ev/ --env prod

How Secrets Are Stored

Each secret is stored as a 1Password item in the specified vault:

{prefix}{env-name}/{KEY}

For example, with prefix ev/ and environment prod:

ev/prod/DB_HOST
ev/prod/DB_PORT

Each item is a Login item with a single concealed field named value.
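
An added example (not part of ev or its documentation): a Python check that audits items fetched from the vault against the layout described above. It assumes item dictionaries in the 1Password Connect item JSON shape (title, category, fields[].label, fields[].type); the function names, the sample items, and the rule that env names and keys contain no "/" are assumptions made for this sketch.

```python
import re

# Assumption: env names and keys contain no "/", and keys look like env var names.
REST_RE = re.compile(r"(?P<env>[^/]+)/(?P<key>[A-Za-z_][A-Za-z0-9_]*)")

def parse_title(title, prefix):
    """Split '{prefix}{env-name}/{KEY}' into (env, key); None if it does not fit."""
    if not title.startswith(prefix):
        return None
    m = REST_RE.fullmatch(title[len(prefix):])
    return (m["env"], m["key"]) if m else None

def audit_items(items, prefix):
    """Check full item objects (with fields) under prefix; return (secrets, findings)."""
    seen, findings = set(), []
    for item in items:
        title = item.get("title", "")
        if not title.startswith(prefix):
            continue  # outside the ev prefix, not ev's item
        parsed = parse_title(title, prefix)
        if parsed is None:
            findings.append((title, "title is not {prefix}{env-name}/{KEY}"))
            continue
        if parsed in seen:
            findings.append((title, "duplicate title, lookup by name is ambiguous"))
        seen.add(parsed)
        if item.get("category") != "LOGIN":
            findings.append((title, "category is not LOGIN"))
        values = [f for f in item.get("fields", []) if f.get("label") == "value"]
        if len(values) != 1:
            findings.append((title, f"expected one 'value' field, found {len(values)}"))
        elif values[0].get("type") != "CONCEALED":
            findings.append((title, "'value' field is not CONCEALED"))
    secrets = {}
    for env, key in sorted(seen):
        secrets.setdefault(env, []).append(key)
    return secrets, findings

# Constructed sample items (field values omitted on purpose; the audit never needs them).
OK = [{"label": "value", "type": "CONCEALED"}]
SAMPLE_ITEMS = [
    {"title": "ev/prod/DB_HOST", "category": "LOGIN", "fields": OK},
    {"title": "ev/prod/DB_PORT", "category": "LOGIN",
     "fields": [{"label": "value", "type": "STRING"}]},   # stored in plain view
    {"title": "ev/prod/DB_HOST", "category": "LOGIN", "fields": OK},  # duplicate
    {"title": "ev/staging", "category": "LOGIN", "fields": OK},       # no KEY part
    {"title": "Shared wifi", "category": "PASSWORD", "fields": []},   # not under ev/
]

if __name__ == "__main__":
    secrets, findings = audit_items(SAMPLE_ITEMS, "ev/")
    print(secrets)
    for title, problem in findings:
        print(f"{title}: {problem}")
```

Items outside the prefix are skipped, so the check can run against a vault that ev shares with other entries.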

Limitations

  • No rollback: ev doesn't store values for external backends
  • No E2E encryption: Secrets are protected by 1Password's encryption (which is strong), not by ev's E2E encryption
  • Connect Server required: You need to deploy and maintain the 1Password Connect Server
  • OP_CONNECT_TOKEN required: The API server needs a valid token
