op run

.env files. If you’ve worked on a web application, you’ve probably seen one.

While they certainly get the job done, .env files have shortcomings that can create friction in development workflows.

We’ve touched on .env files in past articles about xcconfig files and secret management on iOS. But this week on NSHipster we’re taking a deeper look, exploring how the lesser-known 1Password CLI (op) can solve some problems many of us face managing secrets day-to-day.

→ nshipster.com/1password-cli/

The 1Password CLI (op) offers a robust solution to manage secrets in Swift development, addressing the limitations of traditional .env files. Which separate configuration from code per the Twelve-Factor App methodology but create issues like onboarding friction, multi-environment complexity, and untracked changes.

By storing secrets in a 1Password vault and referencing them in .env files using op:// URLs, op run injects these secrets into the environment at runtime, enabling secure commits of .env files to version control. Installation involves setting up the CLI via Homebrew, creating a dedicated vault, migrating secrets, and updating .env files with references like op://development/item/field.

This approach eliminates manual configuration syncing, supports automatic updates, and provides access controls, though it introduces minor startup overhead and potential terminal compatibility issues. The Swift community is encouraged to adopt this for streamlined secret management, starting with small migrations to ensure team buy-in, with feedback welcomed via Swift forums.