用SOPS管理Git中的秘密(5部分系列)
- 使用SOPS在Git中管理您的秘密
- 使用SOPS管理Git中的秘密-常见操作
- 使用SOPS和GitLab CI在Git中管理您的秘密🦊
- 使用Kubernetes的SOPS在Git中管理您的秘密☸️
- 使用Kuectl&Kustomize的SOPS在Git中管理您的秘密🔧
我们在上一篇文章中看到了如何使用SOPS在Git中存储我们的秘密。在这里,我们将看到使用SOPS时需要的一些常见操作。
编辑机密
Alice想更改dev_asecret中的值。为此,她可以使用sops dev_a.encrypted.env命令打开$EDITOR并允许就地更改。
place changes.
After the edition, the secret is encrypted back, and she can commit the file in Git.
向其他人添加秘密访问权限
Alice
would like to let Bobby
read the dev_a
secret. To do that, she will use sops --rotate --in-place --add-pgp <bobby-key-id> dev_a.encrypted.env
command.
After this modification, Bobby
can fetch modifications. He is now able to read (and modify) the secret.
删除对其他人的秘密访问
Alice
now wants to remove Bobby
access to dev_a
secret. She is able to do this by using the sops --rotate --in-place --rm-pgp <bobby-key-id> dev_a.encrypted.env
.
After this, Bobby
is unable to decrypt the secret anymore.
配置自动钥匙选择
Like we saw before, sops
commands often requires references to key-id
of people concerned by the modification... and this is error prone and hard to manage if you share access with a lot of people.
To simplify this, the team can create a file, named .sops.yaml
and placed it in the root of our Git repository.
creation_rules:
# Specific to `dev_a` env
- path_regex: dev_a\.encrypted\.env$
# Here, only the `Alice` key-id
pgp: >-
5844C613B763F4374BAB2D2FC735658AB38BF93A
# Specific to `int` env
- path_regex: int\.encrypted\.env$
# Here, we have :
# * `Alice` key-id: 5844C613B763F4374BAB2D2FC735658AB38BF93A
# * `Bobby` key-id: AE0D6FD0242FF896BE1E376B62E1E77388753B8E
# * `Devon` key-id: 57E6DA39E907744429FB07871141FE9F63986243
pgp: >-
5844C613B763F4374BAB2D2FC735658AB38BF93A,
AE0D6FD0242FF896BE1E376B62E1E77388753B8E,
57E6DA39E907744429FB07871141FE9F63986243
# Specific for new env `dev_a_and_b`
- path_regex: dev_a_and_b\.encrypted.env$
# Here, we have only `Alice` and `Bobby` :
# * `Alice` key-id: 5844C613B763F4374BAB2D2FC735658AB38BF93A
# * `Bobby` key-id: AE0D6FD0242FF896BE1E376B62E1E77388753B8E
pgp: >-
5844C613B763F4374BAB2D2FC735658AB38BF93A,
AE0D6FD0242FF896BE1E376B62E1E77388753B8E
Here, Bobby
will create a new secret for dev_a_and_b
env just with the command sops dev_a_and_b.encrypted.env
. No more --pgp <key-id>
, sops
automatically selects the closest .sops.yaml
file from the CWD
(see this).
Keys are selected by matching a regex
againt the path of the file, so possibilities are wide and this is simpler than using parameters in command line !
添加或删除访问权限 .sops.yaml
If a .sops.yaml
file is used, Alice
can simplify the add-pgp
or rm-pgp
command previously seen. She just need to change the .sops.yaml
and use the command sops updatekeys dev_a.encrypted.env
to update who can decrypt the file.
结论
Those are the most common operations required to use sops
in your project. This is simple and still helps you to keep your secrets in sync with your code !
You can find the source code of this article, files, and scripts in this GitLab repository.
最新内容
- 1 week 5 days ago
- 2 weeks 6 days ago
- 3 weeks 2 days ago
- 3 weeks 2 days ago
- 3 weeks 5 days ago
- 3 weeks 6 days ago
- 4 weeks ago
- 4 weeks 1 day ago
- 4 weeks 1 day ago
- 4 weeks 1 day ago