
Secret Management

We use 1Password to manage secrets across all environments (development, staging, production). Secrets can be automatically or manually injected, depending on your workflow.
Future plan: we aim to migrate to a more robust secrets-management solution such as Infisical.

Automatic Secret Injection (via op run)

If the environment variable OP_RUN=1 is set, secrets are fetched from 1Password automatically at startup using op run, so they are always current each time the app starts. This is the recommended method for most workflows. If OP_RUN is not set, the app starts without fetching secrets; in that case you are responsible for keeping your .env files up to date using the manual method below.
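The OP_RUN convention above can be expressed as a small launcher that either wraps the app in op run or checks that a resolved .env is present before starting it directly. This is an added example, not the project's own startup code; it assumes the app's command line is passed as arguments, that the secrets file is ./.env, and that placeholders use 1Password's op://vault/item/field secret-reference syntax (none of which the page specifies).

```python
"""Startup wrapper that honours OP_RUN the way the page describes.

Added example, not the project's launcher. Assumptions (not on the page):
the app command is passed as argv, secrets live in ./.env, and placeholders
use 1Password's op://vault/item/field reference syntax without spaces.
"""
import os
import re
import sys
from pathlib import Path

# 1Password secret reference: op://<vault>/<item>/<field> or
# op://<vault>/<item>/<section>/<field>. Assumed: names contain no spaces.
SECRET_REF = re.compile(r"op://[\w.-]+/[\w.-]+(?:/[\w.-]+){1,2}")


def build_startup_command(env: dict, app_cmd: list, env_file: str = ".env") -> list:
    """Return the argv to exec.

    OP_RUN=1  -> wrap the app in `op run --env-file=<env_file> --` so that
                 1Password resolves the references fresh on every start.
    otherwise -> run the app directly; a resolved .env must already exist.
    """
    if env.get("OP_RUN") == "1":
        return ["op", "run", f"--env-file={env_file}", "--", *app_cmd]
    return list(app_cmd)


def find_unresolved(env_text: str) -> list:
    """Return every op:// reference still present in a .env body.

    In fallback mode (OP_RUN unset) such a reference means `moon :inject-secrets`
    has not been run since the vault file changed: the app would receive the
    literal 'op://...' string instead of the secret.
    """
    refs = []
    for line in env_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        refs.extend(SECRET_REF.findall(line))
    return refs


def unresolved_references(env_file: str = ".env") -> list:
    """File-based wrapper around find_unresolved; a missing file yields []."""
    path = Path(env_file)
    if not path.is_file():
        return []
    return find_unresolved(path.read_text())


def main(argv: list) -> int:
    if not argv:
        print("usage: launch.py <app command...>", file=sys.stderr)
        return 2
    env_file = ".env"
    if os.environ.get("OP_RUN") != "1":
        if not Path(env_file).is_file():
            print(f"{env_file} missing and OP_RUN not set; run moon :inject-secrets",
                  file=sys.stderr)
            return 1
        stale = unresolved_references(env_file)
        if stale:
            print(f"{env_file} still contains {stale}; run moon :inject-secrets",
                  file=sys.stderr)
            return 1
    cmd = build_startup_command(os.environ, argv, env_file)
    os.execvp(cmd[0], cmd)  # replaces this process; does not return on success


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Refusing to start when .env still carries an op:// reference is the important part: without it a stale fallback file fails silently, with the placeholder string being used as the credential.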

Manual Secret Injection

Use the following Moon task to manually inject secrets:
moon :inject-secrets
This command:
  1. Scans for projects with a .env.vault file.
  2. Replaces placeholder references with actual values from 1Password.
  3. Outputs the resolved secrets to a .env file in each project directory.
Run this when:
  • A secret is added or updated in 1Password.
  • You’re working without OP_RUN=1.
After updating secrets, notify the team via Slack so they can run the same command.
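To make the three steps of the inject-secrets task concrete, here is a minimal re-implementation of the same flow: scan for .env.vault files, replace each placeholder with the value from 1Password, and write the result to a sibling .env. This is an added example, not the project's Moon task. It assumes placeholders use 1Password's op://vault/item/field secret-reference syntax and that values are fetched with the real 1Password CLI command op read; the page does not state either.

```python
"""Resolve .env.vault placeholders into .env files, mirroring `moon :inject-secrets`.

Added example, not the project's own task. Assumptions (not on the page):
placeholders are op://vault/item/field references without spaces, and each
is fetched with `op read <ref>` from an unlocked 1Password CLI session.
"""
import os
import re
import subprocess
from pathlib import Path
from typing import Callable, List

SECRET_REF = re.compile(r"op://[\w.-]+/[\w.-]+(?:/[\w.-]+){1,2}")


def op_read(ref: str) -> str:
    """Fetch one secret through the 1Password CLI (`op read`)."""
    out = subprocess.run(["op", "read", ref], check=True, capture_output=True, text=True)
    return out.stdout.rstrip("\n")


def resolve_env_text(vault_text: str, fetch: Callable[[str], str]) -> str:
    """Replace every op:// reference in a .env.vault body with its secret value.

    Blank lines and comments pass through unchanged so the generated .env stays
    diffable against the vault file. A reference that cannot be fetched aborts
    the whole run instead of writing a half-resolved file.
    """
    out_lines = []
    for lineno, line in enumerate(vault_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            out_lines.append(line)
            continue
        if "=" not in stripped:
            raise ValueError(f"line {lineno}: expected KEY=value, got {line!r}")
        key, value = stripped.split("=", 1)
        for ref in SECRET_REF.findall(value):
            try:
                secret = fetch(ref)
            except Exception as exc:
                raise RuntimeError(f"{key}: could not resolve {ref}: {exc}") from exc
            value = value.replace(ref, secret)
        out_lines.append(f"{key}={value}")
    return "\n".join(out_lines) + "\n"


def write_env_file(path: Path, content: str) -> None:
    """Write the .env readable only by the current user (mode 0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.chmod(path, 0o600)  # tighten the mode if the file already existed


def inject_secrets(root: Path, fetch: Callable[[str], str] = op_read) -> List[Path]:
    """Scan root for .env.vault files and emit a sibling .env for each.

    Returns the list of .env paths written. Dependency directories are skipped
    so that vendored packages never get secrets written into them.
    """
    written = []
    for vault in sorted(root.rglob(".env.vault")):
        if "node_modules" in vault.parts:
            continue
        env_path = vault.with_name(".env")
        write_env_file(env_path, resolve_env_text(vault.read_text(), fetch))
        written.append(env_path)
    return written


if __name__ == "__main__":
    for written_path in inject_secrets(Path.cwd()):
        print(f"wrote {written_path}")
```

The fetch callable is injected so the resolution logic can be exercised with a constructed lookup table; in real use the default op_read is used. Because the .env files contain plaintext secrets, they are written with mode 0600 and must stay out of version control.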

Managing Secrets

Updating an Existing Secret

  1. Update the secret in 1Password.
  2. Run moon :inject-secrets.
  3. Notify the team.

Adding a New Secret

  1. Add the secret to 1Password under the same key for development, staging, and production.
  2. Run moon :inject-secrets locally.
  3. Inform the team to update their environments.

Staging & Production

Secrets are automatically injected into staging and production workloads using op run, ensuring up-to-date secrets at every startup without manual intervention.
When secrets are added or updated for staging or production, make sure to restart the affected service(s) so the new secrets are picked up.