getsops / sops

Simple and flexible tool for managing secrets
https://getsops.io/
Mozilla Public License 2.0
16.98k stars 878 forks

Error dumping file: cannot use complex value in dotenv file #1110

Open ckuethe opened 2 years ago

ckuethe commented 2 years ago

Short version: I'm unable to use sops exec-env where a value in the JSON file is a list. I didn't see any indication in the documentation that this is a known limitation.

SOPS version

$ sops --version
sops 3.7.3 (latest)

Plaintext JSON

{
 "list_of_numbers": [42, 42, 42, 42, 42, 42, 13, 7],
 "pi": 3.1416,
 "py": "thon",
 "pie": "apple",
 "poe": ["edgar", "allan"]
}

I created a .sops.yaml so that the file is encrypted using my preferred KMS

SOPS doesn't complain or warn me while encrypting the file

$ sops -e test_data.json > test_data.sops.json ; echo $?
0

exec-file works

$ sops exec-file test_data.sops.json './sops_test_exec.py {}'
{'pi': 3.1416,
 'pie': 'apple',
 'poe': ['edgar', 'allan'],
 'py': 'thon',
 'list_of_numbers': [42, 42, 42, 42, 42, 42, 13, 7]}

exec-env does not work

$ sops exec-env test_data.sops.json './sops_test_exec.py {}'
Error dumping file: cannot use complex value in dotenv file: [%!s(float64=42) %!s(float64=42) %!s(float64=42) %!s(float64=42) %!s(float64=42) %!s(float64=42) %!s(float64=13) %!s(float64=7)]

sops_test_exec.py and sops_test_env.py are just trivial demo programs that load the decrypted secret values from the {} file or from the environment.

felixfontein commented 2 years ago

I guess the problem is that there is no official way to specify any other value type than string in dotenv files.

There is also no reason why sops should warn you on encryption, since such a file is totally valid - for everything but decryption to dotenv.

awilson1801 commented 2 years ago

Any resolution on this?

ckuethe commented 2 years ago

Two suggestions:

  1. Better documentation that this is a limitation of the dotenv file.
  2. Convert a complex value into a string by quoting it and let the consumer deal with it.

I'd prefer the second, since I'm already having to do some checking and parsing on the values from the environment, e.g. converting "2" (str) into 2 (int) or 2.0 (float).

felixfontein commented 2 years ago

  1. needs more definitions. How do you want to convert that value into a string? As JSON? YAML? Or some other random serialization format?

ckuethe commented 2 years ago

For my use case, I'd be happy with a decrypted string/array of characters, and my program can do any necessary checks and parsing.

felixfontein commented 2 years ago

The decrypted object is a Go data structure. You need to specify how to serialize it, there's no canonical useful way to dump it.
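The thread leaves two points open: ckuethe's second suggestion (quote a complex value into a string and let the consumer deal with it) and felixfontein's objection that this only works once a serialization is chosen. The following is an added example, not code from the issue or from sops, showing one concrete choice: strings are emitted verbatim, every non-string value (lists, maps, numbers, booleans) is emitted as JSON, and the consumer turns values that look like JSON containers back into objects. The helper names (`to_dotenv`, `from_dotenv`, `restore_complex`), the dotenv quoting rules and the sample data are all assumptions made for this example; the sample mirrors the plaintext from the issue but is constructed here.

```python
import json
import re
from typing import Any, Dict

# Constructed sample mirroring the plaintext JSON from the issue (not sops output).
SAMPLE = {
    "list_of_numbers": [42, 42, 42, 42, 42, 42, 13, 7],
    "pi": 3.1416,
    "py": "thon",
    "pie": "apple",
    "poe": ["edgar", "allan"],
}

# Environment variable names a POSIX shell will accept; anything else is rejected
# rather than silently producing a line the consumer cannot read.
_KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
_BARE_RE = re.compile(r"[A-Za-z0-9_./:@+-]+")


def _quote(value: str) -> str:
    """Emit a dotenv value token: bare when it is a plain word, double-quoted otherwise."""
    if _BARE_RE.fullmatch(value):
        return value
    escaped = value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")
    return f'"{escaped}"'


def to_dotenv(data: Dict[str, Any]) -> str:
    """Serialize a decrypted mapping as dotenv text (assumed convention: str verbatim, else JSON)."""
    lines = []
    for key, value in data.items():
        if not _KEY_RE.match(key):
            raise ValueError(f"{key!r} is not a valid environment variable name")
        # One rule instead of a per-type special case: JSON gives 42, 3.1416, true, null,
        # and a compact, sorted form for lists and maps.
        text = value if isinstance(value, str) else json.dumps(
            value, separators=(",", ":"), sort_keys=True)
        lines.append(f"{key}={_quote(text)}")
    return "\n".join(lines) + "\n"


def _unquote(token: str) -> str:
    """Undo _quote: strip surrounding double quotes and the three escapes it produces."""
    if len(token) >= 2 and token[0] == token[-1] == '"':
        body, out, i = token[1:-1], [], 0
        while i < len(body):
            if body[i] == "\\" and i + 1 < len(body):
                out.append({"n": "\n", '"': '"', "\\": "\\"}.get(body[i + 1], "\\" + body[i + 1]))
                i += 2
            else:
                out.append(body[i])
                i += 1
        return "".join(out)
    return token


def from_dotenv(text: str) -> Dict[str, str]:
    """Parse dotenv text produced by to_dotenv back into a mapping of raw string values."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, raw = line.partition("=")
        env[key] = _unquote(raw)
    return env


def restore_complex(env: Dict[str, str]) -> Dict[str, Any]:
    """Consumer side: values that look like a JSON container become lists/dicts again.

    Scalars stay strings on purpose; deciding whether "2" is an int is the consumer's job,
    exactly as the reporter describes. A string value that itself starts with '[' or '{'
    would be misread here, which is why the producer and consumer must agree on the rule.
    """
    out: Dict[str, Any] = {}
    for key, raw in env.items():
        if raw[:1] in ("[", "{"):
            try:
                out[key] = json.loads(raw)
                continue
            except json.JSONDecodeError:
                pass
        out[key] = raw
    return out


if __name__ == "__main__":
    dotenv_text = to_dotenv(SAMPLE)
    print(dotenv_text, end="")
    print(restore_complex(from_dotenv(dotenv_text)))
```

Running the block prints the dotenv text (the list becomes `list_of_numbers="[42,42,42,42,42,42,13,7]"`, while `pi=3.1416` and `py=thon` stay bare) and then the consumer's reconstruction, in which the two lists are lists again and every scalar is still a string. The point of the exercise is the one felixfontein makes: the conversion itself is easy, but the consumer can only undo it because the JSON-for-complex-values rule is fixed in advance.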