This guide covers the setup and configuration of 1Password service accounts for secure secret management in Claude Code workflows.
- 1Password Business account with service account support
- Administrative access to create service accounts
- Windows environment with PowerShell 7+
- Sign in to 1Password Business console
- Navigate to Integrations → Service Accounts
- Click Create Service Account
- Configure:
  - Name: Claude-Code-DevOps
  - Description: Service account for Claude Code Azure DevOps integration
  - Vaults: Select vaults containing development secrets
- After creating the service account, copy the generated token
- CRITICAL: This token is shown only once - store it securely
- The token format:
ops_xxx_xxxxxxxxxxxxxxxxxxxxxxxxxx
Important: Store the service account token itself in 1Password for team access:
- Create new item in 1Password:
  - Title: Claude Code Service Account Token
  - Type: Password
  - Password Field: Paste the service account token
  - Notes: Include vault access details and creation date
Set the service account token as a user environment variable:
# Set user environment variable (recommended)
[Environment]::SetEnvironmentVariable("OP_SERVICE_ACCOUNT_TOKEN", "ops_xxx_xxxxxxxxxxxxxxxxxxxxxxxxxx", "User")
# Verify the variable is set (run in a new PowerShell session; the current session does not see the change)
$env:OP_SERVICE_ACCOUNT_TOKEN
For system-wide access (requires Administrator privileges):
# Set system environment variable
[Environment]::SetEnvironmentVariable("OP_SERVICE_ACCOUNT_TOKEN", "ops_xxx_xxxxxxxxxxxxxxxxxxxxxxxxxx", "Machine")
# Install the 1Password CLI
winget install AgileBits.1Password.CLI
# Confirm the CLI is installed
op --version
# Test service account authentication
op vault list
# Should show accessible vaults without additional authentication
- DevOps-Development: Development environment secrets
- DevOps-Staging: Staging environment secrets
- DevOps-Production: Production environment secrets
- Team-Shared: Shared development tools and services
Use consistent naming for easy retrieval:
Azure-DevOps-PAT-Development
Azure-DevOps-PAT-Production
SQL-Connection-Development
SQL-Connection-Production
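
The vault layout and item naming above map directly onto a 1Password secret reference (`op://vault/item/field`). The following is an added example, not part of the original guide: `Get-DevOpsSecret` is a hypothetical helper, and it assumes each item lives in the vault `DevOps-<Environment>` and keeps its secret in a field named `password`.

```powershell
# Added example: resolve a secret from the vault layout and item naming above.
# Assumptions: items live in the vault "DevOps-<Environment>" and keep the
# secret in a field named "password"; Get-DevOpsSecret is a hypothetical helper.
function Get-DevOpsSecret {
    [CmdletBinding()]
    [OutputType([securestring])]
    param(
        # Item name without the environment suffix, e.g. "Azure-DevOps-PAT"
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z0-9-]+$')]
        [string]$Name,

        [Parameter(Mandatory)]
        [ValidateSet('Development', 'Staging', 'Production')]
        [string]$Environment,

        # Restricted like $Name so a caller cannot alter the reference path
        [ValidatePattern('^[A-Za-z0-9_-]+$')]
        [string]$Field = 'password'
    )

    # Fail early on a missing or malformed token, without echoing its value
    $token = $env:OP_SERVICE_ACCOUNT_TOKEN
    if (-not $token -or -not $token.StartsWith('ops_')) {
        throw 'OP_SERVICE_ACCOUNT_TOKEN is not set or does not start with ops_'
    }

    $reference = "op://DevOps-$Environment/$Name-$Environment/$Field"

    # op is a native command: it signals failure through its exit code, not
    # an exception, so $LASTEXITCODE has to be checked explicitly.
    $output = & op read $reference
    if ($LASTEXITCODE -ne 0) {
        throw "op read failed for $reference (exit code $LASTEXITCODE)"
    }

    # Return a SecureString so the value is not printed or logged by accident
    ConvertTo-SecureString -String ($output -join "`n") -AsPlainText -Force
}

# Usage (resolves op://DevOps-Development/Azure-DevOps-PAT-Development/password):
#   $pat = Get-DevOpsSecret -Name 'Azure-DevOps-PAT' -Environment 'Development'
```

Because the environment is a validated parameter, a script cannot reach a vault outside the three environment vaults listed above through this helper.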
- Rotation Schedule: Rotate service account tokens quarterly
- Access Review: Review vault access permissions monthly
- Audit Logging: Monitor service account usage in 1Password
- Use separate service accounts for different environments
- Limit vault access to minimum required secrets
- Never share service account tokens between team members
Common issues and solutions:
# Check if token is set
if (-not $env:OP_SERVICE_ACCOUNT_TOKEN) {
    Write-Error "OP_SERVICE_ACCOUNT_TOKEN environment variable not set"
    exit 1
}
# Test connectivity before using
try {
    op vault list | Out-Null
    # Native commands do not throw on failure; check the exit code explicitly
    if ($LASTEXITCODE -ne 0) { throw "op exited with code $LASTEXITCODE" }
    Write-Host "1Password authentication successful"
} catch {
    Write-Error "1Password authentication failed: $_"
    exit 1
}
- Grant access to appropriate vaults in 1Password Business
- Provide this setup documentation
- Verify they can retrieve test secrets
- Document their access in team records
Store common configurations in 1Password items:
- Database connection strings (without credentials)
- API endpoint URLs
- Configuration templates
- Environment-specific settings
Token not recognized:
- Verify environment variable is set correctly
- Check token format (should start with ops_)
- Ensure service account has vault access
Authentication failures:
- Verify 1Password CLI is installed and updated
- Check network connectivity
- Validate service account status in 1Password console
Permission denied errors:
- Review vault permissions for service account
- Check item-level access restrictions
- Verify vault sharing settings
- Check 1Password CLI documentation: op --help
- Review 1Password Business console logs
- Test with minimal vault access first
- Contact 1Password support for service account issues
After completing this setup:
- Review the Secrets Reference for available secrets
- Test secret retrieval in Azure DevOps workflows
- Configure automated secret rotation if required
- Document any custom secret patterns for your team