getsops / sops

Simple and flexible tool for managing secrets
https://getsops.io/
Mozilla Public License 2.0

Support for custom YAML tags #635

Open itssimon opened 4 years ago

itssimon commented 4 years ago

Is it possible to support custom YAML tags?

key_unencrypted: !env SOMEVAR

Currently, these tags get removed by sops and only the plain value ("SOMEVAR") remains.

jvehent commented 4 years ago

Is !env a yaml standard?

We have a note about yaml anchors in the doc which probably applies to this as well (assuming it is a standard):

sops uses the path to a value as additional data in the AEAD encryption, and thus dynamic paths generated by anchors break the authentication step.

itssimon commented 4 years ago

Yes, tags are part of the YAML standard. You can read all about it in the official specification.

Tags are different to anchors as they don't change the structure of the data at parse time, so the limitation you mentioned shouldn't apply to tags.

chrisgilmerproj commented 1 month ago

I wanted to chime in and say that YAML anchors and aliases would be a really great feature to support. For instance, I have a YAML file that looks like:

db_pass: &db_pass my_secret_password

app_1:
    db_pass: *db_pass

app_2:
    db_pass: *db_pass

With sops I encrypt that file and when I open it the values have all been replaced and the anchors are gone. The point of the anchors is to be DRY and only include the value once. Without support I'm forced to repeatedly add the values, which is an issue when they change.

While this is just a generic example I definitely work with more complex yaml files where anchor/alias would be incredibly helpful.
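The two threads above (the doc note quoted by jvehent that sops feeds a value's path into the AEAD as additional data, and the anchored `db_pass` file in the comment just above) can be seen together in a small model. The following is an added example, not code from the sops project: it encrypts each leaf with AES-256-GCM using the leaf's dotted path (an assumed format such as `app_1.db_pass`) as the additional authenticated data, and stores nonce plus ciphertext base64-encoded, which is a simplification of sops's real on-disk format. Once the parser has resolved `*db_pass` into three ordinary leaves, each leaf gets its own ciphertext bound to its own path, so there is no single value left for an alias to point at, and a ciphertext copied from one path to another fails to authenticate.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"sort"
)

// encryptLeaf encrypts one leaf value with AES-256-GCM and binds it to its
// path by passing the path as additional authenticated data (AAD).
// Assumed model of the sops behaviour quoted in the thread, not sops code.
func encryptLeaf(key []byte, path, plaintext string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := aead.Seal(nil, nonce, []byte(plaintext), []byte(path))
	// Nonce and ciphertext are stored together so the value is self-describing.
	return base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// decryptLeaf reverses encryptLeaf. It fails if the stored value was moved to
// a different path, because the path no longer matches the AAD used at seal time.
func decryptLeaf(key []byte, path, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	if len(raw) < ns {
		return "", fmt.Errorf("value too short to hold a nonce")
	}
	pt, err := aead.Open(nil, raw[:ns], raw[ns:], []byte(path))
	if err != nil {
		return "", fmt.Errorf("authentication failed at path %q: %w", path, err)
	}
	return string(pt), nil
}

// encryptTree encrypts every leaf of a flattened document (dotted path -> value).
func encryptTree(key []byte, doc map[string]string) (map[string]string, error) {
	out := make(map[string]string, len(doc))
	for path, value := range doc {
		enc, err := encryptLeaf(key, path, value)
		if err != nil {
			return nil, err
		}
		out[path] = enc
	}
	return out, nil
}

func main() {
	key := make([]byte, 32) // AES-256 key; constructed here for the demo
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed input: the anchored YAML from the comment above, after the
	// parser has resolved the *db_pass aliases into three independent leaves.
	doc := map[string]string{
		"db_pass":       "my_secret_password",
		"app_1.db_pass": "my_secret_password",
		"app_2.db_pass": "my_secret_password",
	}
	enc, err := encryptTree(key, doc)
	if err != nil {
		panic(err)
	}
	paths := make([]string, 0, len(enc))
	for p := range enc {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	for _, p := range paths {
		fmt.Printf("%s: %s\n", p, enc[p]) // same plaintext, three distinct ciphertexts
	}
	// Copying app_2's ciphertext to app_1's path, as an alias would do, fails.
	_, err = decryptLeaf(key, "app_1.db_pass", enc["app_2.db_pass"])
	fmt.Println("alias-style reuse across paths:", err)
}
```

The property shown here is the one the doc note is protecting: because the path is authenticated, an attacker with write access to the encrypted file cannot swap a low-privilege secret into a high-privilege key without detection. It is also exactly why an alias cannot survive encryption in this scheme, since the ciphertext at `app_1.db_pass` is only valid at `app_1.db_pass`.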