
With the following helper function, you can export every key in a sops-encrypted file as an environment variable:

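# Usage: use sops [path]
#
# Decrypts a sops file (default: $PWD/secrets.yaml) with `sops -d`, converts
# it to dotenv form and exports every key into the current direnv environment.
# Arguments: $1 - path to the sops file (optional)
# Returns:   0 on success, 1 if decryption fails (nothing is exported then)
use_sops() {
    local path=${1:-$PWD/secrets.yaml}
    local decrypted

    # Register the file first so that fixing it (or its keys) after a failed
    # load still triggers a reload.
    watch_file "$path"

    # Run the decrypt step on its own: inside a plain `a | b` pipeline the exit
    # status of `sops -d` is lost, and eval would silently run on empty output.
    if ! decrypted=$(sops -d --output-type dotenv "$path"); then
        printf 'use_sops: failed to decrypt %s\n' "$path" >&2
        return 1
    fi

    # `direnv dotenv bash` turns the key=value lines into shell export
    # statements; eval executes them in the .envrc shell, so every key name and
    # value in the decrypted file is run as shell code. Only load files you
    # trust.
    eval "$(printf '%s\n' "$decrypted" | direnv dotenv bash /dev/stdin)"
}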

# In .envrc: loads $PWD/secrets.yaml (the default path) into the environment
use sops
# you can also specify a different path
use sops ./aws-keys.yaml

If your setup is more complex and a specific cloud profile must be active before your sops file can decrypt, try adding this to your `.bashrc`:

# Reload direnv when the current directory, or any ancestor, contains an
# .envrc. Meant for .bashrc: a shell started via a cloud-profile helper then
# re-evaluates the .envrc, so a sops file that needs that profile (see the
# text above) gets another chance to decrypt.
#
# Note: each pass drops one path component and the walk stops at "", so an
# .envrc located in "/" itself is never matched.
envrc_path="$(pwd)"
until [[ -z "$envrc_path" || -e "$envrc_path/.envrc" ]]; do
  envrc_path="${envrc_path%/*}"
done
if [[ -n "$envrc_path" ]]; then
  direnv reload
fi

This will then run when you start a shell with `aws-vault exec some-profile` or `saml2aws login; saml2aws exec bash`.

If you sometimes leave your SOPS file unencrypted (during development, for example), try this:

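# Usage: use sops [path]
#
# Loads a secrets file (default: $PWD/secrets.enc.yml) into the direnv
# environment. A file with a top-level `sops:` key is treated as encrypted and
# decrypted with `sops -d`; anything else is treated as plaintext YAML and
# converted with yq (development use only).
# Arguments: $1 - path to the secrets file (optional)
# Returns:   0 on success or when there is nothing to load,
#            1 when decryption or the yq conversion fails
use_sops() {
    local path=${1:-$PWD/secrets.enc.yml}
    local decrypted

    # Watch first so that creating or fixing the file later triggers a reload,
    # whichever branch below is taken.
    watch_file "$path"

    if [ ! -e "$path" ]; then
        # Missing file is a no-op, as before.
        return 0
    fi

    if grep -q -E '^sops:' "$path"; then
        # The `sops:` block is the metadata sops writes into encrypted files.
        # The previous version hid sops' stderr and eval'd an empty string on
        # failure, so a missing/expired cloud profile went unnoticed; report it
        # in one line instead and let the caller see the non-zero status.
        if ! decrypted=$(sops -d --output-type dotenv "$path" 2>/dev/null); then
            printf 'use_sops: failed to decrypt %s (is the right cloud profile active?)\n' "$path" >&2
            return 1
        fi
    else
        # Plaintext file: yq -o=props emits key=value lines.
        if ! command -v yq >/dev/null 2>&1; then
            # Best-effort as before, but say why nothing was loaded.
            printf 'use_sops: %s is not sops-encrypted and yq is not installed; nothing loaded\n' "$path" >&2
            return 0
        fi
        if ! decrypted=$(yq eval -o=props "$path"); then
            printf 'use_sops: yq failed to read %s\n' "$path" >&2
            return 1
        fi
    fi

    # `direnv dotenv bash` turns key=value lines into shell export statements;
    # eval executes them in the .envrc shell, so the file's contents are run as
    # shell code. Only load files you trust.
    eval "$(printf '%s\n' "$decrypted" | direnv dotenv bash /dev/stdin)"
}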

# In .envrc: loads secrets.enc.yml, decrypting it when it carries a sops: block
use sops