Sops
Jon "The Nice Guy" Spriggs edited this page Jun 24, 2023 · 5 revisions
With the following helper function you can export all keys in a sops file as environment variables:
```bash
use_sops() {
  # Path of the sops-encrypted file; defaults to secrets.yaml in the current directory
  local path=${1:-$PWD/secrets.yaml}
  # Decrypt to dotenv format and let direnv turn each KEY=value line into an export
  eval "$(sops -d --output-type dotenv "$path" | direnv dotenv bash /dev/stdin)"
  # Re-evaluate the .envrc whenever the secrets file changes
  watch_file "$path"
}
```
Then, in your `.envrc`:

```bash
# will load secrets.yaml
use sops
# you can also specify a different path
use sops ./aws-keys.yaml
```
If your setup is more involved and a specific cloud profile must be active before your sops file can be decrypted, try adding this to your `.bashrc`:

```bash
# Walk up from the current directory until a .envrc is found (or the root is reached)
envrc_path="$(pwd)"
while [[ "$envrc_path" != "" && ! -e "$envrc_path/.envrc" ]]
do
  envrc_path="${envrc_path%/*}"
done
# If this shell was started inside a direnv project, force a reload so the
# secrets are decrypted with the credentials the new shell now has
if [ "$envrc_path" != "" ]
then
  direnv reload
fi
```

This will then activate when you do `aws-vault exec some-profile` or `saml2aws login ; saml2aws exec bash`.
If you sometimes leave your SOPS file unencrypted (during development, for example), try this:

```bash
use_sops() {
  local path=${1:-$PWD/secrets.enc.yml}
  if [ -e "$path" ]
  then
    # A file written by sops carries a top-level `sops:` metadata block
    if grep -q -E '^sops:' "$path"
    then
      # Decryption errors are silenced; if sops fails, nothing is exported
      eval "$(sops -d --output-type dotenv "$path" 2>/dev/null | direnv dotenv bash /dev/stdin || false)"
    else
      # Plain YAML: convert it to key=value lines with yq (v4) if it is installed
      if command -v yq >/dev/null
      then
        eval "$(yq eval -o=props "$path" | direnv dotenv bash /dev/stdin)"
      fi
    fi
  fi
  watch_file "$path"
}
```

And in your `.envrc`:

```bash
use sops
```
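The fallback above loads a plaintext file with no indication that it was not encrypted. The following is an added example, not code from the direnv wiki: `sops_file_state` classifies the file first (also catching a sops file that has been hand-edited so some values are in the clear), and `use_sops_strict` refuses anything but a fully encrypted file unless `SOPS_ALLOW_PLAINTEXT=1` is set. The function and variable names are introduced here; `log_error` and `watch_file` are direnv stdlib functions, and the scan of the YAML is a line-based heuristic that assumes the usual sops layout (top-level `sops:` block, leaves of the form `ENC[AES256_GCM,data:...]`).

```bash
#!/usr/bin/env bash
# Added example (not from the direnv wiki). Assumes sops YAML layout:
# a top-level `sops:` metadata block and encrypted leaves ENC[AES256_GCM,...].

# sops_file_state FILE -> prints one of: missing | plaintext | encrypted | partial
#   plaintext : no sops metadata (a dev-time file in the clear)
#   encrypted : sops metadata present and every scalar/list value is ENC[...]
#   partial   : sops metadata present but some values are in the clear
sops_file_state() {
  local path=$1 plain
  [ -e "$path" ] || { echo missing; return; }
  grep -q -E '^sops:' "$path" || { echo plaintext; return; }
  plain=$(awk '
    /^sops:/             { in_sops = 1; next }    # metadata block starts here
    /^[^[:space:]#]/     { in_sops = 0 }          # next top-level key ends it
    in_sops              { next }
    /^[[:space:]]*(#|$)/ { next }                 # comments and blank lines
    {
      val = ""
      if (match($0, /^[[:space:]]*[^:[:space:]][^:]*:[[:space:]]+/))  # key: value
        val = substr($0, RLENGTH + 1)
      else if (match($0, /^[[:space:]]*-[[:space:]]+/))                # - item
        val = substr($0, RLENGTH + 1)
      if (val != "" && val !~ /^["'"'"']?ENC\[/) plain++                 # clear value
    }
    END { print plain + 0 }' "$path")
  if [ "$plain" -eq 0 ]; then echo encrypted; else echo partial; fi
}

# Drop-in for the .envrc helper: only a fully encrypted file is decrypted and
# eval'd; anything else is reported and skipped unless SOPS_ALLOW_PLAINTEXT=1.
use_sops_strict() {
  local path=${1:-$PWD/secrets.enc.yml} state
  state=$(sops_file_state "$path")
  case "$state" in
    encrypted)
      eval "$(sops -d --output-type dotenv "$path" | direnv dotenv bash /dev/stdin)" ;;
    plaintext | partial)
      if [ "${SOPS_ALLOW_PLAINTEXT:-0}" = 1 ]; then
        eval "$(yq eval -o=props "$path" | direnv dotenv bash /dev/stdin)"
      else
        log_error "use_sops: $path is $state; set SOPS_ALLOW_PLAINTEXT=1 to load it"
        return 1
      fi ;;
    missing) log_error "use_sops: $path not found"; return 1 ;;
  esac
  watch_file "$path"
}
```

A `partial` result is the one to look at first: it usually means a secret was added to an already encrypted file without running `sops` again.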