Our team wants to use Secrets Automation as a way to get items from 1Password and add those values as environment variables in Kubernetes using the Kubernetes Operator. We want to have vaults per environment, so that would mean that we would have a single vault for production purposes. If the operator included in the cluster is deployed on an external machine, this means that someone else who has access to the machine might be able to potentially get the API token and, with it, list items in the vault, which includes sensitive information.
Is there a way to restrict the scope of the API token to avoid performing certain actions like listing items? Or are there any suggestions for the approach we want to take?