Error dumping file: cannot use complex value in dotenv file

Open ckuethe opened this issue 1 year ago • 1 comments

Short version: I'm unable to use sops exec-env where a value in the JSON file is a list. I didn't see any indication in the documentation that this is a known limitation.

SOPS version

$ sops --version
sops 3.7.3 (latest)

Plaintext JSON

{
 "list_of_numbers": [42, 42, 42, 42, 42, 42, 13, 7],
 "pi": 3.1416,
 "py": "thon",
 "pie": "apple",
 "poe": ["edgar", "allan"]
}

I created a .sops.yaml so that the file is encrypted using my preferred KMS

SOPS doesn't complain or warn me while encrypting the file

$ sops -e test_data.json > test_data.sops.json ; echo $?
0

exec-file works

$ sops exec-file test_data.sops.json './sops_test_exec.py {}'
{'pi': 3.1416,
 'pie': 'apple',
 'poe': ['edgar', 'allan'],
 'py': 'thon',
 'list_of_numbers': [42, 42, 42, 42, 42, 42, 13, 7]}

exec-env does not work

$ sops exec-env test_data.sops.json './sops_test_exec.py {}'
Error dumping file: cannot use complex value in dotenv file: [%!s(float64=42) %!s(float64=42) %!s(float64=42) %!s(float64=42) %!s(float64=42) %!s(float64=42) %!s(float64=13) %!s(float64=7)]

sops_test_exec.py and sops_test_env.py are just trivial demo programs that load the decrypted secret values from the {} file or from the environment.

ckuethe avatar Aug 16 '22 18:08 ckuethe

I guess the problem is that there is no official way to specify any other value type than string in dotenv files.

There is also no reason why sops should warn you on encryption, since such a file is totally valid - for everything but decryption to dotenv.

felixfontein avatar Aug 27 '22 13:08 felixfontein

Any resolution on this?

awilson1801 avatar Oct 05 '22 21:10 awilson1801

Two suggestions:

  1. Better documentation that this is a limitation of the dotenv file.
  2. Convert a complex value into a string by quoting it and let the consumer deal with it.

I'd prefer the second, since I'm already having to do some checking and parsing on the values from the environment, e.g. converting "2" (str) into 2 (int) or 2.0 (float)

ckuethe avatar Oct 19 '22 19:10 ckuethe

  1. needs more definitions. How do you want to convert that value into a string? As JSON? YAML? Or some other random serialization format?

felixfontein avatar Oct 19 '22 19:10 felixfontein

For my use case, I'd be happy with a decrypted string/array of characters, and my program can do any necessary checks and parsing.

ckuethe avatar Oct 19 '22 23:10 ckuethe

The decrypted object is a Go data structure. You need to specify how to serialize it, there's no canonical useful way to dump it.

felixfontein avatar Oct 20 '22 05:10 felixfontein
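
An added example, not part of the thread and not sops code: a workaround in the spirit of the second suggestion above, applied to the plaintext before encryption instead of inside sops. It assumes JSON as the serialization (the thread leaves that choice open); the function names `stringify_complex` and `decode_env` are hypothetical, and the sample is the plaintext from the issue.

```python
import json

# Constructed sample: the plaintext JSON shown in the issue.
SAMPLE = {
    "list_of_numbers": [42, 42, 42, 42, 42, 42, 13, 7],
    "pi": 3.1416,
    "py": "thon",
    "pie": "apple",
    "poe": ["edgar", "allan"],
}


def stringify_complex(doc):
    """Return (flat_doc, encoded_keys); lists and objects become JSON strings."""
    if not isinstance(doc, dict):
        raise TypeError("top level must be a JSON object to map onto variables")
    flat, encoded = {}, []
    for key, value in doc.items():
        if isinstance(value, (list, dict)):
            # json.dumps escapes newlines, so the value stays on one line.
            flat[key] = json.dumps(value, separators=(",", ":"))
            encoded.append(key)
        else:
            flat[key] = value  # scalars are left untouched
    return flat, sorted(encoded)


def decode_env(environ, encoded_keys):
    """Consumer side: parse only the keys known to carry JSON."""
    out = {}
    for key in encoded_keys:
        raw = environ.get(key)
        if raw is None:
            raise KeyError(f"expected variable {key} is not set")
        value = json.loads(raw)
        if not isinstance(value, (list, dict)):
            raise ValueError(f"{key} did not decode to a list or object")
        out[key] = value
    return out


if __name__ == "__main__":
    flat, keys = stringify_complex(SAMPLE)
    print(json.dumps(flat, indent=1))  # save this, then encrypt it with sops -e
    print(decode_env({k: flat[k] for k in keys}, keys))
```

Decoding only an explicit list of keys avoids guessing types for every variable, so a string secret such as "42" is not silently turned into a number.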