How to migrate from HashiCorp HCP Vault Secrets to 1Password's secret management tools

1P_Phil
2 months ago

HashiCorp recently announced it will be sunsetting HCP Vault Secrets on August 30, 2025, prompting many developer and DevOps teams to start planning for a migration. If you or your team is navigating this transition, 1Password is here to help with the process of moving to a new secrets platform. This blog post provides a practical, technical guide to migrating your secrets from HCP Vault Secrets to 1Password’s secret management tools.

How 1Password supports a modern dev workflow

When considering a new secrets manager, it's important to evaluate how it fits into your existing toolchain. Here are just a few ways 1Password is designed for developers:

  • Powerful Command-Line Interface: Our op CLI is a first-class tool that lets you manage secrets, provision users, and integrate with your scripts and CI/CD pipelines directly from the terminal.
  • Official SDKs: For deeper integration, we offer official SDKs for Go, Python, and TypeScript. This allows you to fetch secrets securely and natively within your application code, eliminating the need to expose secrets as environment variables.
  • Hybrid on-premise and cloud access: 1Password Connect is a self-hosted REST service that provides a secure bridge between your on-premise applications and the 1Password cloud. You get the security of local network access with the reliability and convenience of a fully managed cloud service.
  • Centralized management: A clear administration console makes it simple to manage access, permissions, and policies for your entire organization, ensuring everyone has access to the secrets they need, and nothing more.

Recently released: 1Password environments (beta)

We’ve recently released 1Password environments (beta), which syncs 1Password vaults to cloud infrastructure like AWS.

In addition to this new beta feature, you can use the 1Password Command-Line Interface (CLI) for programmatic, bulk migrations.

Explore 1Password Environments and our AWS integration.

A practical script to get you started

To support your migration, we've created a script that automates the process of exporting secrets from HashiCorp Vault and importing them into 1Password.

Prerequisites:

  1. HashiCorp Vault CLI: Ensure it's installed and you're authenticated to your Vault instance. Read instructions.
  2. 1Password CLI: Install and configure the CLI.
  3. A Target Vault in 1Password: Create a new vault in your 1Password account where the migrated secrets will be stored.
  4. Python 3.9 or newer.

Important note on account types

Developer tools like the 1Password CLI, SDKs, and 1Password Connect are available with all 1Password account types including Personal, Business, Teams, and Families.

Migration script

This script lists the secrets in the HCP Vault Secrets app selected in your hcp CLI profile, opens each one, and recreates it within 1Password as a new item.

README

HashiCorp Vault Secrets 1Password Migration Script

This script provides a starting point for migrating your HCP Vault Secrets data to 1Password.

  • All secrets from one HCP Vault Secrets app will be written to a single vault of your choosing.
  • You can run the script multiple times, once for each HCP Vault Secrets app you're migrating. Each time you run it you can choose the destination vault.
  • This script has only been tested with static secrets. It has not been tested with Dynamic or auto-rotating secrets.

Instructions

  • Follow the HCP CLI setup instructions, selecting the Organization and Application you want to migrate.
  • Sign in to your 1Password account using the CLI with op signin (documentation).
  • In your terminal, execute the script (e.g., py hcp_migration.py).

Options

  • --vault (required): The name or UUID of the vault you want to migrate your secrets into.

Notes

This script has only been tested with Static secrets in Vault Secrets. It does not currently support Dynamic or Auto-rotating secrets.

import subprocess
import json
import argparse
import logging
import sys
import os

# Migrate Hashicorp Vault Secrets to 1Password.

scriptPath = os.path.dirname(__file__)

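logging.basicConfig(
    level=logging.INFO,
    format="%(asctime)s - %(levelname)s - %(funcName)s: %(message)s",
    # Attach the file handler here; a handler that is only constructed never receives records.
    handlers=[
        logging.StreamHandler(),
        logging.FileHandler(filename=os.path.join(scriptPath, "hcp_migration.log")),
    ],
)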

parser = argparse.ArgumentParser(
    prog="HCP Vault Secrets Migrator",
    usage="This script fetches the secrets from an HCP Project and creates 1Password items from those secrets in a 1Password vault of your choosing.",
    description="Sign into the HCP CLI and use `hcp profile init` to associate your session with the desired HCP project.",
)

parser.add_argument(
    "--vault",
    action="store",
    dest="vault",
    help="The UUID or name of a 1Password vault.",
    required=True,
)

args = parser.parse_args()

def get_secrets():
    vault_name = args.vault  # Or hard-code with the name or ID of a vault.

    try:
        if vault_name == "":
            logging.error("Please provide a vault name or UUID using the --vault flag.")
            sys.exit(1)  # Non-zero status so callers and CI see the failure.

        # List all secrets in JSON format
        # Arguments are passed as a list (no shell), so nothing is parsed by a shell.
        list_command = ["hcp", "vault-secrets", "secrets", "list", "--format=json"]
        list_result = subprocess.run(
            list_command, capture_output=True, text=True, check=True
        )
        secrets = json.loads(list_result.stdout)

        if not secrets:
            logging.info("No secrets found.")
            return

        # Iterate through each secret and open it
        for secret in secrets:
            secret_name = secret["name"]

            # Open the secret in JSON format. The name is its own argv element,
            # so shell metacharacters in a secret name are never interpreted.
            open_command = [
                "hcp", "vault-secrets", "secrets", "open", secret_name, "--format=json",
            ]
            open_result = subprocess.run(
                open_command, capture_output=True, text=True, check=True
            )
            secret_details = json.loads(open_result.stdout)

            # A similar pattern may work for Dynamic and Auto-Rotation secrets. This script has not been validated with those HCP Secret types.
            # .get() avoids a KeyError when a secret has no "static_version" entry.
            static_version = secret_details.get("static_version") or {}
            if "value" in static_version:
                subprocess.run(
                    [
                        "op",
                        "item",
                        "create",
                        f"--title={secret_name}",
                        f"--vault={vault_name}",
                        "--category=112",  # Corresponds to the API KEY Item Template. More info: https://developer.1password.com/docs/cli/reference/management-commands/item#item-template-list
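                        # Note: this assignment puts the secret value in op's argv, where
                        # other local processes can read it while the command runs.
                        f"credential={secret_details['static_version']['value']}",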
                    ],
                    input=json.dumps(
                        secret_details
                    ),  # Captures any meta/data that isn't explicitly in the above, but which maps to item values.
                    text=True,
                    check=True,
                )
            else:
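                logging.warning("  Could not retrieve type and/or value for this secret.")
            print("-" * (len(secret_name) + 22))
        logging.info("Script complete.")
    except subprocess.CalledProcessError as e:
        # Do not log str(e): it embeds the full command line, which for the
        # `op item create` call includes the secret value.
        tool = e.cmd.split()[0] if isinstance(e.cmd, str) else e.cmd[0]
        logging.error(f"The '{tool}' command failed with exit status {e.returncode}.")
        logging.error(f"Stderr: {e.stderr}")
        sys.exit(1)
    except json.JSONDecodeError:
        logging.error("Failed to decode JSON from the HCP CLI output.")
        sys.exit(1)
    except FileNotFoundError:
        logging.error(
            "The 'hcp' or 'op' command was not found. Please ensure both are installed and in your PATH."
        )
        sys.exit(1)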

if __name__ == "__main__":
    get_secrets()

Your next steps

We understand that migrating your core infrastructure is a careful process. The script above is a starting point that you can adapt to your specific vault configuration.

  1. Start a trial: If you're new to 1Password, you can start a free 1Password Business or 1Password Teams trial to get access to the necessary tools.
  2. Explore the docs: Dive into our developer documentation to learn more about the CLI, SDKs, and Connect.
  3. Run a test: Use the script to migrate a few non-critical secrets first to ensure your setup is correct before running a full migration.
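
One way to run the test in step 3, as an added example rather than part of 1Password's script: compare HCP secret names with item titles in the target vault, flag duplicates left by re-running the migration into the same vault, and compare values in memory so only names are ever printed. It assumes the items were created by the script above (title equals the secret name, value in the credential field) and that the vault and secret names are valid inside an op:// secret reference; the function names are hypothetical.

```python
import json
import subprocess
from collections import Counter


def run(argv):
    """Run a CLI from an argument list (no shell) and return its stdout."""
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def compare_inventories(hcp_secrets, op_items):
    """Compare HCP secret names with 1Password item titles; no values involved."""
    names = {s["name"] for s in hcp_secrets}
    titles = Counter(i["title"] for i in op_items)
    return {
        "missing": sorted(names - set(titles)),
        # Every run of the migration creates new items, so a re-run duplicates them.
        "duplicated": sorted(n for n in names if titles[n] > 1),
    }


def values_match(name, vault, run=run):
    """Compare source and migrated values in memory; only a boolean is returned."""
    opened = json.loads(
        run(["hcp", "vault-secrets", "secrets", "open", name, "--format=json"])
    )
    source = opened["static_version"]["value"]
    # Assumption: the item title equals the secret name and the value is in `credential`.
    migrated = run(["op", "read", "--no-newline", f"op://{vault}/{name}/credential"])
    return source == migrated


def verify(vault, run=run):
    """Return names that are missing, duplicated, or whose migrated value differs."""
    hcp_secrets = json.loads(run(["hcp", "vault-secrets", "secrets", "list", "--format=json"]))
    op_items = json.loads(run(["op", "item", "list", f"--vault={vault}", "--format=json"]))
    report = compare_inventories(hcp_secrets, op_items)
    skip = set(report["missing"]) | set(report["duplicated"])
    report["mismatched"] = sorted(
        s["name"] for s in hcp_secrets
        if s["name"] not in skip and not values_match(s["name"], vault, run)
    )
    return report


if __name__ == "__main__":
    import sys
    print(json.dumps(verify(sys.argv[1]), indent=2))  # names only, never values
```

Duplicated titles are skipped in the value check because a secret reference that matches more than one item is ambiguous; remove the extra items and run the check again.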

Our team is here to help you through this transition. If you have questions, feel free to reach out to us on the 1Password Developer Slack or connect with us in the 1Password Community.

Updated 2 months ago
Version 2.0