Feature Request: Programmatic Creation and Management of Vaults via Service Accounts

[xfab-hari]

I’m trying to create and manage multiple vaults programmatically using a 1Password service account.

Use Case

To simplify the scenario:

• I run a class where each student needs to upload a sensitive file (e.g., a password file).
• For security and isolation, I want to create one dedicated vault per student.
• When a student signs up:
  • A new vault is automatically created for that student.
  • Access to that vault is shared only with the corresponding student.
• The student uploads their sensitive file to their vault.
• My backend service (using a service account) periodically scans or monitors these provisioned vaults:
  • Detects new uploads
  • Performs downstream processing based on the uploaded data

Goal

I would like to use a 1Password service account to fully automate this workflow, including:

• Creating vaults programmatically
• Assigning access permissions to individual users
• Reading from those vaults via a backend service

This functionality would enable secure, scalable, and automated handling of per-user sensitive data without manual vault management.

Requirements and desired behavior

The SDK should allow a service account to fully automate per-user vault management, including:

• Programmatic vault creation

  • Create new vaults dynamically via the SDK.
  • Support setting a vault name and description at creation time.

• Access management

  • Grant vault access to specific users (e.g., a student) programmatically.
  • Support revoking access when a user leaves or no longer needs access.
  • Clearly define and enforce permission scopes (read/write/admin).

• Service account access

  • Allow the service account to retain read (or read/write) access to all vaults it creates.
  • Ensure the service account can list and access only the vaults it owns or is authorized for.

• Item monitoring and retrieval

  • List items within a vault.
  • Detect newly created or updated items (e.g., uploaded files).
  • Read item contents programmatically for downstream processing.

• Scalability and automation

  • Support creating and managing a large number of vaults without manual intervention.
  • Provide predictable, stable APIs suitable for backend automation and scheduled jobs.

• Security and auditability

  • Respect organization security policies.
  • Ensure all actions performed by the service account are auditable and attributable.
  • Prevent cross-vault access between users unless explicitly granted.

Additional information

No response

[edif2008]

Hey @xfab-hari! 👋🏻
Thank you so much for filing this issue and providing such a detailed use case. I can totally see the value of the SDKs supporting this flow.
Firstly, I want to let you know that some of these capabilities are available. Mainly:

• Allowing a service account to create vaults (more details on Creating a service account).
• Managing group access to a vault (currently a beta feature in 0.4.0-beta.02).

Secondly, we're working on stabilizing the existing beta features, as well as new bringing new functionality for the SDKs. We will let you know when they become available.

Would you like to try the features while they're in beta? It would be great to get your feedback in terms of whether the new capabilities will help you achieve your use case, as well as how we can further improve it.

[xfab-hari]

Yes. I would love to try, and see how this can fulfill my use case. And I am happy to provide active feedback on this if that will help making the product/sdk better.

Please let me know how can I get started with the beta

[edif2008]

Sweet, @xfab-hari! Thank you for willing to give it a try.

To use the features from the latest beta, update your Go SDK dependency to use the beta:

go get github.com/1password/onepassword-sdk-go@v0.4.0-beta.2

With that you'll get access to the latest beta features.
Details about what you currently have is in the following releases (0.4.0-beta.1, 0.4.0-beta.2).
And here's the documentation on the current features around vault management (most of them are in beta).

As it is now, your flow is currently not fully supported since the SDKs don't support vault creation. As a workaround, you can use the 1Password CLI to create the vault and then manage group permissions using the SDKs.

Let me know if you have any further questions. 😄

[osama-AI71]

+1
Creating vaults using the SDK would enable the creation of vaults using Terraform.
I can assist and provide feedback.
Once this feature is here, we would enhance the Terraform 1Password provider to test it out.