Plaintext secrets #1096

Open
MartinAltmayerTMH opened this issue Jan 22, 2025 · 3 comments · May be fixed by #1102
Comments

@MartinAltmayerTMH
Contributor

MartinAltmayerTMH commented Jan 22, 2025

Is there an option to sync plaintext values to AWS Secrets Manager? From what I can see, SOPS requires me to specify a JSON/YAML object and cdk-sops-secrets will just copy this object (without the special 'sops' key) as a key/value secret.

I'd like to have just a string, without any JSON/YAML around it:
Image

@markussiebert
Contributor

markussiebert commented Jan 23, 2025

Hi @MartinAltmayerTMH, have you tried disabling all conversions?

import { SopsSecret } from 'cdk-sops-secrets';

const secret = new SopsSecret(this, 'SopsComplexSecretJSON', {
  convertToJSON: false, // disable converting the encrypted content to JSON
  stringify: false, // disable stringifying all values
  flatten: false, // disable flattening of the object structure
  sopsFilePath: 'secrets/sopsfile-encrypted.json',
});

If it does not work, can you provide an example content?

@MartinAltmayerTMH
Contributor Author

Disabling the conversions will create a plaintext secret in AWS. However, it will still contain the key and the value from the SOPS file. I'd like to store just the value, e.g. 12341234.

The problem is that SOPS requires a top-level object (so they can store their metadata below .sops). I cannot store just a value. This is my example SOPS file:

value: ENC[AES256_GCM,data:bJ2p...]
sops:
  kms:
    - arn: arn:aws:kms:...
      created_at: "2025-01-24T08:55:09Z"
      enc: ...
      aws_profile: ""
  gcp_kms: []
  azure_kv: []
  hc_vault: []
  age: []
  lastmodified: "2025-01-24T08:55:21Z"
  mac: ...
  pgp: []
  unencrypted_suffix: _unencrypted
  version: 3.9.1

And this is the secret created with all conversions disabled:

Image

@markussiebert
Contributor

Understood! I think adding an option called "plaintext" that removes the "data" key from the decrypted sops file would solve this issue. The key to be removed should be configurable by the user and default to "data" – that's what sops creates when you encrypt plain text. In your case, it is the key "value".
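The transformation discussed in this thread, as an added example that is not code from cdk-sops-secrets or from either commenter: it models the post-decryption step, stripping the `sops` metadata block and then either emitting the remaining object as a JSON key/value secret (the current behaviour described in the first comment) or, in the proposed "plaintext" mode, returning just the value under a configurable key that defaults to `data`. The function names `stripSopsMetadata` and `toSecretString`, the option names `plaintext` and `plaintextKey`, and the decrypted sample document are all assumptions; the sample is a constructed, already-decrypted stand-in for the SOPS file shown above, with a placeholder KMS ARN.

```typescript
// Added example, not part of cdk-sops-secrets. Models the secret-value
// derivation discussed in the issue; all names below are assumptions.

type SopsDocument = Record<string, unknown>;

// Constructed stand-in for the *decrypted* form of the SOPS file in the issue.
// The ARN is a placeholder, not a real key.
const decryptedSample: SopsDocument = {
  value: "12341234",
  sops: {
    kms: [{ arn: "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER", created_at: "2025-01-24T08:55:09Z" }],
    lastmodified: "2025-01-24T08:55:21Z",
    version: "3.9.1",
  },
};

interface SecretOptions {
  // Proposed option: store only the value under plaintextKey, not an object.
  plaintext?: boolean;
  // Key holding the plaintext; "data" is what sops uses for plain-text input.
  plaintextKey?: string;
}

// Remove the sops metadata block so MAC, key ARNs and version never reach the secret.
function stripSopsMetadata(doc: SopsDocument): SopsDocument {
  const copy: SopsDocument = { ...doc };
  delete copy.sops;
  return copy;
}

// Derive the string that would be written to AWS Secrets Manager.
function toSecretString(doc: SopsDocument, opts: SecretOptions = {}): string {
  const payload = stripSopsMetadata(doc);

  // Default behaviour: the whole remaining object becomes a key/value secret.
  if (!opts.plaintext) {
    return JSON.stringify(payload);
  }

  // Plaintext mode: exactly one key is expected; fail loudly rather than
  // silently dropping data or storing an empty secret.
  const key = opts.plaintextKey ?? "data";
  if (!(key in payload)) {
    throw new Error(`plaintext mode: key "${key}" not found in decrypted document`);
  }
  const extra = Object.keys(payload).filter((k) => k !== key);
  if (extra.length > 0) {
    throw new Error(`plaintext mode: unexpected keys would be dropped: ${extra.join(", ")}`);
  }
  const v = payload[key];
  if (typeof v !== "string") {
    throw new Error(`plaintext mode: value under "${key}" is not a string`);
  }
  return v;
}

// Returns true when the candidate raises for the given options (used for checks).
function throwsFor(doc: SopsDocument, opts: SecretOptions): boolean {
  try {
    toSecretString(doc, opts);
    return false;
  } catch {
    return true;
  }
}
```

With the sample above, the default path yields `{"value":"12341234"}`, which is the key/value secret the issue describes; `{ plaintext: true, plaintextKey: "value" }` yields the bare string `12341234`; and `{ plaintext: true }` alone raises because the default key `data` is absent, which is the case a user hits if they forget to set the key for a file like the one in this thread.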

@MartinAltmayerTMH MartinAltmayerTMH linked a pull request Jan 27, 2025 that will close this issue