I built something like this a long time ago. I actually used a FUSE filesystem to present a file interface to the calling application, then a policy engine to determine who could access the file and what the contents were. The FUSE driver could also make callouts to third party APIs (my example was the OpenStack key manager - barbican), but could just as easily be 1Password or something similar.