Long time no TIL but this is a good one. Today I learned that my beloved password manager 1Password offers a CLI that is able to inject secrets into environment variables.
The benefits are obvious. The env file only holds references to secrets, so you don't need to worry about committing your .env or config files to your project repository. Furthermore, no unencrypted secrets are stored in your files.


To get going you need 1Password set up and the 1Password CLI installed (brew install 1password-cli).

Within your project you are now able to inject secrets like so:

First add an env file to your project dir (my-config.env in the example below). Instead of the secret itself it contains a reference to it:

SECRET="op://<vault>/<login name>/<field>"

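To inject the secrets at runtime, run op run --env-file and append, after --, the command that should see the environment variables. The following example just prints the SECRET variable. op run masks secret values in the command's output, which is why the value shows up as concealed.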

$ op run --env-file="my-config.env" -- printenv SECRET
<concealed by 1Password>

The first time you run op you might need to sign in to your 1Password account.

$ eval $(op signin)
Enter the password for <account> at <org>.1password.com:


Additional information is available in the 1Password docs. It is also possible to inject secrets into YAML files and other config files.
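
A pre-commit style check for the env file described above, as an added example that is not part of the original post or of 1Password's tooling: it lists every key whose value is not an op:// reference, so a pasted plaintext secret is caught before it reaches the repository. It assumes the file is reserved for secrets only; the function names and sample values are made up for illustration.

```sh
#!/bin/sh
# Added example. Assumed policy: every value in the env file is an op:// reference.

# is_secret_ref VALUE: succeeds for op://vault/item/field or op://vault/item/section/field
is_secret_ref() {
    case $1 in op://*) ;; *) return 1 ;; esac
    rest=${1#op://}
    case $rest in
        */*/*/*/*|*//*|/*|*/) return 1 ;;  # too many segments, or an empty one
        */*/*) return 0 ;;                 # three or four non-empty segments
        *) return 1 ;;                     # fewer than three segments
    esac
}

# check_env_refs FILE: prints the KEY (never the value) of each non-reference
# entry and returns 1 if any were found.
check_env_refs() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[![:space:]]*}"}      # trim leading whitespace
        line=${line#export }
        case $line in ''|'#'*) continue ;; *=*) ;; *) continue ;; esac
        key=${line%%=*}
        val=${line#*=}
        case $val in                               # strip one pair of quotes
            \"*\") val=${val#\"}; val=${val%\"} ;;
            \'*\') val=${val#\'}; val=${val%\'} ;;
        esac
        is_secret_ref "$val" || { echo "$key"; bad=1; }
    done < "$1"
    return "$bad"
}

# Constructed sample env file: one valid reference, one plaintext value,
# one reference that is missing its field segment.
sample_env() {
    printf '%s\n' \
        '# constructed sample' \
        'SECRET="op://dev-vault/my login/password"' \
        'export API_TOKEN=constructed-plaintext-value' \
        'DB_URL=op://dev-vault/db'
}

tmp=$(mktemp) && sample_env > "$tmp"
check_env_refs "$tmp" || echo "plaintext or malformed values in the keys above" >&2
rm -f "$tmp"
```

Only key names are printed, so the check itself does not leak values into hook or CI logs.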