A Docker Secret driver for 1Password Connect
This Docker Secret driver plugin integrates with 1Password Connect server to securely manage secrets in Docker Swarm.
- Docker Engine with Swarm mode enabled
- Docker Secret driver support
- 1Password Connect server setup and running
- 1Password Connect Token
- 1password-credentials.json file in data/1password-credentials.json
Note: Unix socket creation is only supported on Linux and FreeBSD due to limitations in the "go-plugins-helpers" package.
The SDK requires these environment variables to connect to 1Password Connect:
- OP_CONNECT_HOST: URL of your 1Password Connect server
- OP_CONNECT_TOKEN: Your 1Password Connect authentication token
Set them as Docker plugin configuration:
docker plugin set op-connect-secret-driver:latest OP_CONNECT_HOST=http://localhost:17450
docker plugin set op-connect-secret-driver:latest OP_CONNECT_TOKEN=your-1password-connect-token
The plugin supports two ways to reference secrets:
- Individual fields using vault, item, and optional field provided as secret labels
- 1Password URL format using the ref as secret label in the format op://vault/item/field (that you can copy from 1Password directly)
Notes:
- The field parameter is optional and defaults to "password" if not specified
- The plugin can retrieve both field values and file contents from 1Password items
- All configuration is done through labels
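One way to implement the label handling described above, as an added example in Go (not the plugin's own code). `SecretRef` and `resolveLabels` are hypothetical names; rejecting mixed label styles and accepting only three-segment refs are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// SecretRef identifies one field of a 1Password item.
type SecretRef struct{ Vault, Item, Field string }

// resolveLabels is a hypothetical helper (not the plugin's own code) that turns
// the secret labels described above into a SecretRef.
func resolveLabels(labels map[string]string) (SecretRef, error) {
	ref, vault, item, field := labels["ref"], labels["vault"], labels["item"], labels["field"]
	if ref != "" {
		// Assumption: mixing both styles is rejected rather than silently preferring one.
		if vault != "" || item != "" || field != "" {
			return SecretRef{}, errors.New("use either ref or vault/item/field labels, not both")
		}
		parts := strings.Split(strings.TrimPrefix(ref, "op://"), "/")
		// Assumption: exactly the three segments of op://vault/item/field, none empty.
		if !strings.HasPrefix(ref, "op://") || len(parts) != 3 || parts[0] == "" || parts[1] == "" || parts[2] == "" {
			return SecretRef{}, fmt.Errorf("ref %q must look like op://vault/item/field", ref)
		}
		return SecretRef{parts[0], parts[1], parts[2]}, nil
	}
	if vault == "" || item == "" {
		return SecretRef{}, errors.New("labels vault and item are required when ref is not set")
	}
	if field == "" {
		field = "password" // documented default
	}
	return SecretRef{vault, item, field}, nil
}

func main() {
	// Constructed sample label sets: field default, full ref, and a ref missing its field.
	for _, l := range []map[string]string{
		{"vault": "prod", "item": "postgres"},
		{"ref": "op://prod/postgres/username"},
		{"ref": "op://prod/postgres"},
	} {
		r, err := resolveLabels(l)
		fmt.Printf("%v -> %+v err=%v\n", l, r, err)
	}
}
```

Failing closed on a malformed or ambiguous label set keeps a typo from resolving to a different item or field than the one intended.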
Example Docker Compose configurations:
# Option 1: Using individual fields
secrets:
  db_password:
    driver: op-connect-secret-driver
    labels:
      vault: "your-vault-uuid-or-name" # Required: Vault UUID or name
      item: "your-item-uuid-or-name" # Required: Item UUID or name
      field: "password" # Optional: Defaults to "password"
# Option 2: Using 1Password URL reference
secrets:
  db_password:
    driver: op-connect-secret-driver
    labels:
      ref: "op://vault-name/item-name/field-name" # Required: 1Password URL format
The CI pipeline automatically builds and publishes the plugin to Docker Hub. You can use this command to install the plugin:
docker plugin install clementmouchet/op-connect-secret-driver:linux-amd64 \
  --grant-all-permissions \
  --alias op-connect-secret-driver \
  --disable
docker plugin install clementmouchet/op-connect-secret-driver:linux-arm64 \
  --grant-all-permissions \
  --alias op-connect-secret-driver \
  --disable
You can also develop, build your own and install it locally.
docker compose build op-connect-secret-driver
docker compose up -d op-connect-secret-driver
docker compose cp op-connect-secret-driver:/op-connect-secret-driver plugin/rootfs/op-connect-secret-driver
docker compose stop op-connect-secret-driver && docker compose rm -f op-connect-secret-driver
go build -o plugin/rootfs/op-connect-secret-driver
There's an install.sh script for this.
./install.sh
- Create the plugin:
docker plugin create op-connect-secret-driver plugin
- Configure the plugin:
docker plugin set op-connect-secret-driver:latest OP_CONNECT_HOST=http://localhost:17450
docker plugin set op-connect-secret-driver:latest OP_CONNECT_TOKEN=your-1password-connect-token
- Start 1Password Connect services:
docker compose up op-connect-api
- Enable the plugin:
docker plugin enable op-connect-secret-driver:latest
To modify plugin settings, first disable:
docker plugin disable op-connect-secret-driver:latest
To modify plugin code, first remove it, build it and start the installation process again:
docker plugin remove op-connect-secret-driver:latest
- Verify plugin status:
docker plugin ls
- Check plugin logs (syslog) or inspect it:
docker plugin inspect op-connect-secret-driver:latest
- Verify configuration:
docker plugin inspect op-connect-secret-driver:latest -f "{{ .Settings.Env }}"
- Ensure 1Password Connect server is accessible at the configured host