Setting values from stdin directly #729

Open
abeluck opened this issue Sep 2, 2020 · 3 comments

abeluck commented Sep 2, 2020

We use sops extensively with terraform and ansible.

Often we have a scenario where we want to generate some secret with a tool and add it to a sops encrypted file under a key immediately.

For example: generating SSH keys, generating RSA keys.

The current workflow looks like:

$ openssl genrsa 4096  # key is printed to screen
# copy key to clipboard
$ sops path/to/file.sops.yml
# edit file and paste the key

The desired workflow would look like:

$ openssl genrsa 4096 | sops --set '["app1"]["key"]' path/to/file.sops.yml
# generate another one and store under a different key!
$ openssl genrsa 4096 | sops --set '["app2"]["key"]' path/to/file.sops.yml

Less user friendly but equally useful would be:

$ openssl genrsa 4096 | sops --set '["app1"]["key"]' --value-file /dev/stdin path/to/file.sops.yml
# generate another one and store under a different key!
$ openssl genrsa 4096 | sops --set '["app2"]["key"]' --value-file /dev/stdin path/to/file.sops.yml

abeluck commented Sep 3, 2020

Also, I should add that it should be possible to update an existing key without blowing away what is already in the file.

The behavior of --set currently overwrites the contents of the file completely.

$ sops --set '["app1"]["key"] "app1keystringvalue"' file.sops.yml
$ sops --set '["app2"]["key"] "app2keystringvalue"' file.sops.yml
$ sops -d file.sops.yml
app2:
    key: app2keystringvalue

When I would expect:

app1:
    key: app1keystringvalue
app2:
    key: app2keystringvalue

Also not a bad time to mention #720 is related to this.

@schollii

I have wished for this so many times. It is so "un-Unix" to not support input from stdin; I can't imagine this would be hard to do.

@autrilla
Contributor

You could use xargs for this
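
The xargs-style workaround suggested above needs the piped value turned into the JSON string that `--set` takes after the key path. The following is an added example, not part of the thread and not sops code: the helper names `json_string`, `set_expr` and `sops_set_stdin` are hypothetical, and the input is assumed to be key text with no control characters other than tab, CR and newline.

```shell
#!/bin/sh
# Added example (not sops code): build the `sops --set` argument from stdin.

# json_string: read stdin, print it as a single JSON string literal.
# Escapes backslash, double quote, tab and CR; every input line is
# terminated with \n so PEM/OpenSSH key text keeps its final newline.
# Assumption: no other control characters appear in the input.
json_string() {
    tab=$(printf '\t'); cr=$(printf '\r')
    printf '"'
    sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' \
        -e "s/$tab/\\\\t/g" -e "s/$cr/\\\\r/g" |
        awk '{ printf "%s%s", $0, "\\n" }'
    printf '"'
}

# set_expr PATH_EXPR: print '<path expression> "<JSON-encoded stdin>"',
# the single argument that `sops --set` takes.
set_expr() {
    printf '%s %s\n' "$1" "$(json_string)"
}

# sops_set_stdin PATH_EXPR FILE: the workflow asked for in the issue.
# The value is passed to sops as a command-line argument, so it is
# visible in the process list (ps, /proc/<pid>/cmdline) while sops runs,
# which a true stdin or --value-file option would avoid.
sops_set_stdin() {
    sops --set "$(set_expr "$1")" "$2"
}

# Usage:
#   openssl genrsa 4096 | sops_set_stdin '["app1"]["key"]' path/to/file.sops.yml

# Constructed sample input (not a real key), showing only the argument
# that would be handed to sops.
sample='-----BEGIN TEST-----
ab"c\d
-----END TEST-----'
printf '%s\n' "$sample" | set_expr '["app1"]["key"]'
```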