1Password Item Name and Vault Mapping
Purpose: Authoritative reference for migrating from old documentation to current reality.
Generated: 2026-02-16 (after Phase 5 cleanup)
Critical Items - Frequently Referenced
| Old Reference (WRONG) | Current Item Name | Current Vault | Service Account Access |
|---|---|---|---|
| AWS Access Key | aws_access_key_luna_workstation | scandora-super | super only |
| N/A (automation) | aws_access_key_terraform_automation | scandora-automation | dev/prd/super |
| N/A (dev) | aws_access_key_localstack_dev | scandora-dev-automation | dev/super |
| GCP Service Account Key - luna | gcp_service_account_key_scandoraproject_owner | scandora-super | super only |
| GCP Service Account Key - coop-owner | gcp_service_account_key_coop_owner | scandora-super | super only |
| GCP Service Account Key - coop-bigquery-admin | gcp_service_account_key_coop_bigquery_admin | scandora-automation | dev/prd/super |
| GCP Service Account Key - scandora-bigquery-admin | gcp_service_account_key_scandoraproject_bigquery_admin | scandora-automation | dev/prd/super |
| Cloudflare API Token | cloudflare_api_token_dns_automation | scandora-automation | dev/prd/super |
| PowerDNS API - Bogart | powerdns_api_key_bogart_production | scandora-prd-automation | prd/super only |
| cloud_sql_scandora_postgres_user_joe | cloud_sql_scandora_postgres_user_joe | scandora-automation | dev/prd/super |
| cloud_sql_bogart_pg_user_pdns | cloud_sql_bogart_pg_user_pdns | scandora-prd-automation | prd/super only |
| gcp_postgres_grafana_password | gcp_postgres_grafana_password | scandora-automation | dev/prd/super |
| MySQL RDS - scandora-mysql8 | mysql_rds_scandora_mysql8_admin | scandora-automation | dev/prd/super |
| zerotier_api_token_network_management | zerotier_api_token_network_management | scandora-automation | dev/prd/super |
| grafana_admin_password | dumbo_grafana_admin_password | scandora-automation | dev/prd/super |
| snmp_community_monitoring | snmp_community_monitoring | scandora-automation | dev/prd/super |
OPNsense API Keys
| Old Reference (WRONG) | Current Item Name | Current Vault | Service Account Access |
|---|---|---|---|
| opnsense_api_key_owl_production | opnsense_api_key_owl_production | scandora-prd-automation | prd/super only |
| opnsense_api_key_blue_production | opnsense_api_key_blue_production | scandora-prd-automation | prd/super only |
| opnsense_api_key_dev_vm | opnsense_api_key_dev_vm | scandora-dev-automation | dev/super only |
GitHub / GitLab Tokens
| Old Reference (WRONG) | Current Item Name | Current Vault | Service Account Access |
|---|---|---|---|
| gitlab_pat_org_mirror_github_sync | gitlab_pat_org_mirror_github_sync | scandora-automation | dev/prd/super |
| gitlab_mcp_api_token | gitlab_mcp_api_token | scandora-automation | dev/prd/super |
| CCCS GitLab Scandora Super Token | gitlab_pat_user_scandora_full_access | scandora-super | super only |
| atlassian_api_token_mcp_claude | atlassian_api_token_mcp_claude | scandora-automation | dev/prd/super |
| github_scandora_token_ro | github_scandora_token_ro | scandora-automation | dev/prd/super |
| github_dev_automation_token_ro | github_dev_automation_token_ro | scandora-automation | dev/prd/super |
| github_pat_user_scandora_full_access | github_pat_user_scandora_full_access | scandora-super | super only |
Vault Access Matrix
| Service Account | Vaults Accessible | Use Cases |
|---|---|---|
| scandora-dev-automation | scandora-automation, scandora-dev-automation | Default for dev work, auto-loads |
| scandora-prd-automation | scandora-automation, scandora-prd-automation | Production deployments (manual load) |
| scandora-super | ALL vaults (CCCS, Lisa & Joe, scandora-*, cccs-automation, scandora.net) | Vault management, luna workstation |
| scandora-full-all-ro | ALL vaults | READ-ONLY access (deprecated, use super) |
| scandora-full | scandora.net only | Cloud instances (pluto, dumbo) |
Key Principles
- Workstation-specific credentials (luna) → `scandora-super` vault
- Shared automation credentials → `scandora-automation` vault
- Production-only credentials → `scandora-prd-automation` vault
- Development-only credentials → `scandora-dev-automation` vault
- ALL field names use underscores (`api_key`, NOT "api key")
- ALL item names use underscores (`aws_access_key_*`, NOT "AWS Access Key")
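A check for the naming and vault rules above, as an added example that is not part of this repository's tooling: it scans text for `op://vault/item/field` secret references, flags item or field names that are not underscore style, and flags vaults the chosen service account cannot read per the Vault Access Matrix. The `lint` function, the sample lines in `DOC` and the assumption that references appear quoted are constructed for illustration.

```python
import re

# Vault Access Matrix from this page; None means "ALL vaults".
ACCESS = {
    "scandora-dev-automation": {"scandora-automation", "scandora-dev-automation"},
    "scandora-prd-automation": {"scandora-automation", "scandora-prd-automation"},
    "scandora-super": None,
    "scandora-full-all-ro": None,
    "scandora-full": {"scandora.net"},
}

# Assumption: secret references appear quoted, as op://<vault>/<item>/<field>.
REF = re.compile(r"""op://([^"'`\s/]+)/([^"'`\n/]+)/([^"'`\n]+)""")
# Underscore rule from Key Principles; lowercase-only is inferred from the listed names.
NAME = re.compile(r"^[a-z0-9_]+$")

# Constructed sample of documentation lines (line 1 uses the old pattern).
DOC = '''\
export AWS_KEY=$(op read "op://scandora-super/AWS Access Key/api key")
export CF_TOKEN=$(op read "op://scandora-automation/cloudflare_api_token_dns_automation/api_key")
export PDNS_KEY=$(op read "op://scandora-prd-automation/powerdns_api_key_bogart_production/api_key")
'''


def lint(text, service_account):
    """Return (line_no, reference, problem) for each rule a reference breaks."""
    allowed = ACCESS[service_account]
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in REF.finditer(line):
            vault, item, field_path = m.groups()
            ref = m.group(0)
            if allowed is not None and vault not in allowed:
                findings.append((line_no, ref, f"vault {vault!r} not readable by {service_account}"))
            if not NAME.match(item):
                findings.append((line_no, ref, f"item name {item!r} is not underscore style"))
            # A reference may be section/field; check every path segment.
            for part in field_path.split("/"):
                if not NAME.match(part):
                    findings.append((line_no, ref, f"field name {part!r} is not underscore style"))
    return findings


if __name__ == "__main__":
    for finding in lint(DOC, "scandora-dev-automation"):
        print(finding)
```

Run against the files listed under "Documentation Files Requiring Updates", once per service account that is expected to load them, to find stale references before they fail at runtime.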
Migration Status
- ✅ Phase 1: Inventory complete (2026-02-13)
- ✅ Phase 2: Field name standardization (2026-02-14)
- ✅ Phase 3: Item renaming (2026-02-15)
- ✅ Phase 4: Vault reorganization (2026-02-15)
- ✅ Phase 5: Cleanup and validation (2026-02-16)
- 🔄 Phase 6: Documentation refactoring (IN PROGRESS)
Common Mistakes in Documentation
❌ Wrong - Old Pattern
✅ Correct - New Pattern
❌ Wrong - Spaces in field names
✅ Correct - Underscores in field names
Documentation Files Requiring Updates
High Priority (Core docs):
- CLAUDE.md
- scripts/env-files/.env.aws
- scripts/env-files/.env.cloud-sql
- scripts/aws/README.md
- scripts/gcp/README.md
- scripts/terraform/tf-network-env.sh
- docs/operations/credential-management.md
Medium Priority (Reference docs):
- cloud/terraform/environments/production/network/1PASSWORD-USAGE.md
- docs/operations/1password-gap-analysis.md
- SECRETS-AUDIT-2026-02-14.md
Low Priority (Historical/Archive):
- docs/operations/secret-inventory-20260216/*.md (archive, keep as-is)
- scripts/1password/migrate-to-automation-vault.sh (one-time script)
Last Updated: 2026-02-16
Authoritative Source: op item list --format json via scandora-super service account