[martijnarts]

I've mostly used the 1Password CLI. A simple `op inject .env.template > .env` (off the top of my head) and done!

[tomknig]

Also using 1Password and I think it’s great. If possible, I would suggest to avoid plaintext secrets in files though. Instead, it is possible to store references to secrets in a dotenv file (example: .env.development): DATABASE_URL=op://development/database/url

and use op run to inject the secrets into a subprocess instead of storing them in a file: op run --env-file="./.env.development" -- cargo run

[martijnarts]

I love that, that's much better! Thanks!

[timwis]

But doesn’t that still write the secrets to disk? I thought the point of 1pass CLI was so you could avoid having unencrypted secrets on disk?

[surething]

An alternative is using `direnv` and `.envrc` instead:

export TOKEN=$(op item get 'My Service' --fields label=token --vault workwork)

[moltar]

Why not just use op run? It auto replaces references with values.