1Password Environment Bootstrap

You wake up to a container reset. Your env vars are gone. ~/.bashrc is clean. AWS CLI is missing. Your 17 API keys — Anthropic, OpenAI, Gemini, Brave, ElevenLabs, all of them — vanished.

So you spend 45 minutes manually pulling keys from 1Password, getting the --reveal flag wrong (twice), fighting shell escaping on the AWS secret key, and rebuilding ~/.aws/credentials by hand. Again.

op-bootstrap fixes this permanently. One command pulls every secret from your 1Password vault, exports them to ~/.bashrc with proper quoting, sets up AWS CLI credentials, and verifies your integrations actually work. It auto-installs the op CLI if missing, handles the --reveal gotcha that trips everyone up, and deduplicates on re-run so your bashrc stays clean.

Built because I got tired of doing this myself after every container reset.

What It Does

• Installs 1Password CLI v2.32.1 if not in PATH
• Pulls all items from your configured vault with --reveal (critical — without it op returns placeholder text)
• Exports each key as a properly-quoted env var in ~/.bashrc
• Sets up ~/.aws/credentials and ~/.aws/config
• Verifies Anthropic API and AWS STS after bootstrap
• Warns about Google OAuth (requires browser — cannot be automated)
• Removes previous bootstrap blocks before writing (no duplicates)

Why This Matters

• The --reveal flag is the #1 gotcha with op CLI service accounts. Without it, you get a string that looks like a key but is not. This skill handles it correctly.
• Shell escaping on AWS secret keys (which contain + and / characters) breaks naive approaches. Handled.
• Running multiple times does not pollute bashrc. Marker-based block replacement.
• Idempotent. Safe to run on every boot.

What is Included

• SKILL.md with setup instructions and troubleshooting
• scripts/bootstrap.sh — main bootstrap script
• references/config.md — customization guide for vault and key mappings

Requirements

• 1Password service account token
• Read access to your target vault
• Linux or macOS with bash