
Support for custom YAML tags

Open itssimon opened this issue 5 years ago • 3 comments

Is it possible to support custom YAML tags?

key_unencrypted: !env SOMEVAR

Currently, these tags get removed by sops and only the plain value ("SOMEVAR") remains.

itssimon avatar Feb 24 '20 00:02 itssimon

Is !env a yaml standard?

We have a note about yaml anchors in the doc which probably applies to this as well (assuming it is a standard):

sops uses the path to a value as additional data in the AEAD encryption, and thus dynamic paths generated by anchors break the authentication step.

jvehent avatar Feb 24 '20 21:02 jvehent
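
The path-binding behaviour described in the doc note quoted above, as an added example that is not sops's own code and not part of the original thread. It assumes AES-GCM as the AEAD and a ":"-joined path as the additional data; the function names, the all-zero key and the sample value are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"strings"
)

// newGCM returns AES-GCM for a 16/24/32-byte key (cipher choice is an assumption).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad derives the additional data from the value's path (assumed ":"-joined encoding).
func aad(path []string) []byte {
	return []byte(strings.Join(path, ":") + ":")
}

// encryptAt seals value bound to path; output is nonce || ciphertext || tag.
func encryptAt(gcm cipher.AEAD, path []string, value string) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(value), aad(path)), nil
}

// decryptAt authenticates blob against path; a different path fails the tag check.
func decryptAt(gcm cipher.AEAD, path []string, blob []byte) (string, error) {
	n := gcm.NonceSize()
	if len(blob) < n {
		return "", fmt.Errorf("ciphertext too short")
	}
	pt, err := gcm.Open(nil, blob[:n], blob[n:], aad(path))
	return string(pt), err
}

func main() {
	gcm, _ := newGCM(make([]byte, 32)) // constructed all-zero demo key
	blob, _ := encryptAt(gcm, []string{"db_pass"}, "my_secret_password")
	_, err := decryptAt(gcm, []string{"app_1", "db_pass"}, blob) // path an alias would yield
	fmt.Println("decrypt at aliased path:", err)
}
```

A ciphertext sealed at `db_pass` only authenticates at `db_pass`; the same bytes surfaced at `app_1:db_pass` fail the tag check, which is the failure the note attributes to anchor-generated paths.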

Yes, tags are part of the YAML standard. You can read all about it in the official specification.

Tags are different to anchors as they don't change the structure of the data at parse time, so the limitation you mentioned shouldn't apply to tags.

itssimon avatar Feb 24 '20 22:02 itssimon

I wanted to chime in and say that YAML anchors and aliases would be a really great feature to support. For instance, I have a YAML file that looks like:

db_pass: &db_pass my_secret_password

app_1:
    db_pass: *db_pass

app_2:
    db_pass: *db_pass

With sops I encrypt that file and when I open it the values have all been replaced and the anchors are gone. The point of the anchors is to be DRY and only include the value once. Without support I'm forced to repeatedly add the values, which is an issue when they change.

While this is just a generic example I definitely work with more complex yaml files where anchor/alias would be incredibly helpful.

chrisgilmerproj avatar May 13 '24 16:05 chrisgilmerproj