
Remove key:value line from encrypted sops file by using sops --set command #1305

Open
k0chan opened this issue Sep 27, 2023 · 4 comments · May be fixed by #1475

Comments


k0chan commented Sep 27, 2023

Hello,

I need to remove a specific line from an encrypted sops file by using the sops --set flag. I need to do this in my GitLab CI pipeline, so I have to use the --set flag. For instance, I want to remove the foo key line.

Example Input

foo: ENC[AES256_GCM,data:Z2mF,iv:zMff0j08IVYjTZl84rOgauC1IG8xcwJ3vGBufZ9kal4=,tag:IgI5Js0BIJ+a2TMwmpDAmw==,type:str]
ket: ENC[AES256_GCM,data:uTO9jto=,iv:gL0e1M76uOFImuR1a/QTLXXd+WxcWGOfPEJSy4ao8Xg=,tag:DHXZcWte240W4kJuyK0IwA==,type:str]
sops:
    kms: []
    gcp_kms:
        - resource_id: ""
          created_at: ""
          enc: ""
    azure_kv: []
    hc_vault: []
    age: []
    lastmodified: "2023-09-27T07:14:47Z"
    mac: ""
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.3

What I've tried

sops --gcp-kms "KMS_RESOURCE_ID" --set '["foo"] ""' file.enc.yaml

But I got

foo: ""
ket: ENC[AES256_GCM,data:uTO9jto=,iv:gL0e1M76uOFImuR1a/QTLXXd+WxcWGOfPEJSy4ao8Xg=,tag:DHXZcWte240W4kJuyK0IwA==,type:str]
sops:
    kms: []
    gcp_kms:
        - resource_id: ""
          created_at: ""
          enc: ""
    azure_kv: []
    hc_vault: []
    age: []
    lastmodified: "2023-09-27T07:59:13Z"
    mac: ""
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.3

What I expected

ket: ENC[AES256_GCM,data:uTO9jto=,iv:gL0e1M76uOFImuR1a/QTLXXd+WxcWGOfPEJSy4ao8Xg=,tag:DHXZcWte240W4kJuyK0IwA==,type:str]
sops:
    kms: []
    gcp_kms:
        - resource_id: ""
          created_at: ""
          enc: ""
    azure_kv: []
    hc_vault: []
    age: []
    lastmodified: "2023-09-27T08:10:43Z"
    mac: ""
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.3

Is it even possible? Thanks in advance!


mfld commented Nov 8, 2023

Would also like to know if this is possible.

@felixfontein
Contributor

This isn't possible. --set sets a value, not removes it. We can add another way to remove values, but that would be a separate command.

(I think it makes sense to add this as a proper subcommand, instead of adding yet another option-style command; see #1333 / #1343.)
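As an added illustration (not sops's own code, nor code from anyone in this thread): a small Python model of the two operations contrasted above, run on a document shaped like the issue's input. `set_key` mirrors what `--set '["foo"] ""'` does (the key survives with the new value), while `delete_key` is the removal the issue asks for. The model is line-based, performs no encryption, and leaves the `sops` metadata block untouched; the sample document and the abbreviated `sops` block are constructed for the example.

```python
import re

# Constructed sample modelled on the issue's input; the sops block is abbreviated.
SAMPLE = """\
foo: ENC[AES256_GCM,data:Z2mF,iv:zMff0j08IVYjTZl84rOgauC1IG8xcwJ3vGBufZ9kal4=,tag:IgI5Js0BIJ+a2TMwmpDAmw==,type:str]
ket: ENC[AES256_GCM,data:uTO9jto=,iv:gL0e1M76uOFImuR1a/QTLXXd+WxcWGOfPEJSy4ao8Xg=,tag:DHXZcWte240W4kJuyK0IwA==,type:str]
sops:
    kms: []
    lastmodified: "2023-09-27T07:14:47Z"
    mac: ""
    version: 3.7.3
"""

# Shape of a sops-encrypted scalar: ENC[AES256_GCM,data:...,iv:...,tag:...,type:...]
ENC_RE = re.compile(r"^ENC\[AES256_GCM,data:[^,]*,iv:[^,]*,tag:[^,]*,type:(str|int|float|bool)\]$")


def split_doc(text):
    """Split into (top-level key/value lines, sops metadata block lines)."""
    lines = text.splitlines()
    idx = lines.index("sops:")
    return lines[:idx], lines[idx:]


def set_key(text, key, value):
    """Model of `sops --set '["key"] value'`: the key stays, only its value changes.
    Real sops would re-encrypt a non-empty value; the issue's output shows "" kept as-is."""
    body, meta = split_doc(text)
    out = [f'{key}: "{value}"' if line.partition(": ")[0] == key else line for line in body]
    if all(line.partition(": ")[0] != key for line in body):
        out.append(f'{key}: "{value}"')  # --set also creates missing keys
    return "\n".join(out + meta) + "\n"


def delete_key(text, key):
    """The removal the issue asks for: drop the key's line entirely.
    Caveat: sops's mac covers every value, so removing a line outside sops leaves a
    stale mac that sops rejects on decrypt; a real remove command must recompute it."""
    if key == "sops":
        raise ValueError("refusing to delete the sops metadata block")
    body, meta = split_doc(text)
    out = [line for line in body if line.partition(": ")[0] != key]
    if len(out) == len(body):
        raise KeyError(key)
    return "\n".join(out + meta) + "\n"


def encrypted_values(text):
    """Keys whose values still have the ENC[...] form (untouched secrets)."""
    body, _ = split_doc(text)
    return [k for k, _, v in (line.partition(": ") for line in body) if ENC_RE.match(v)]
```

Running `delete_key(SAMPLE, "foo")` yields the "What I expected" shape (only `ket` and the `sops` block remain), while `set_key(SAMPLE, "foo", "")` reproduces the `foo: ""` line the reporter got.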

@duthils duthils linked a pull request Mar 29, 2024 that will close this issue
@fabidick22

I find this functionality useful. When you have all your secrets as code and an automated process is responsible for adding and removing new secrets, it can be difficult to maintain traceability when a new secret is deleted. This is because the entire file needs to be re-encrypted, and it is complex to maintain traceability in a git diff.

@felixfontein
Contributor

There is a PR for that currently: #1475
