sopsx

SOPS wrapper that automatically sets AWS_PROFILE based on KMS keys. Stop remembering which profile to use.

brew install jhubbardsf/sopsx/sopsx

Before: Manual Profile Switching

# Which profile was it again?
AWS_PROFILE=dev-admin sops -d dev/secrets.enc.yaml
AWS_PROFILE=staging-admin sops -d staging/secrets.enc.yaml
AWS_PROFILE=prod-readonly sops -d prod/secrets.enc.yaml

# Wrong profile? Start over...

After: Just Use sopsx

# Profile auto-detected from KMS ARN
sopsx -d dev/secrets.enc.yaml
sopsx -d staging/secrets.enc.yaml
sopsx -d prod/secrets.enc.yaml

# It just works.

See it in action

Terminal
$ SOPSX_DEBUG=1 sopsx -d secrets.enc.yaml
[sopsx debug] Found file argument: secrets.enc.yaml
[sopsx debug] File appears to have SOPS metadata
[sopsx debug] Found KMS ARN: arn:aws:kms:us-east-1:123456789012:key/abc-123
[sopsx debug] Extracted account ID: 123456789012
[sopsx debug] Using AWS profile: dev-admin
database_password: supersecret123
api_key: sk-live-xxxxx

Readable git diffs

Configure sopsx as a git textconv and see actual changes instead of encrypted noise.

Before: Encrypted Gibberish

$ git diff secrets.enc.yaml

diff --git a/secrets.enc.yaml
-api_key: ENC[AES256_GCM,data:x8kP...
-db_pass: ENC[AES256_GCM,data:9mNq...
+api_key: ENC[AES256_GCM,data:7jLw...
+db_pass: ENC[AES256_GCM,data:4xRt...

# What actually changed? No idea.

After: With sopsx textconv

$ git diff secrets.enc.yaml

diff --git a/secrets.enc.yaml
-api_key: sk-live-old-key-abc123
-db_pass: hunter2
+api_key: sk-live-new-key-xyz789
+db_pass: correct-horse-battery

# Ah, API key rotated. Makes sense.

~/.gitconfig:

[diff "sopsdiffer"]
    textconv = sopsx -d

Git uses this driver only for paths that .gitattributes assigns to the sopsdiffer diff driver.

Why sopsx?

Auto-Detection

Extracts KMS ARN from encrypted files or .sops.yaml config automatically

Smart Profile Selection

Prioritizes higher-privilege roles when multiple profiles match the account

Git Integration

Works as a textconv for git diff, showing decrypted content in diffs
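
The lookup traced in the debug output earlier (KMS ARN, then account ID, then profile) can be sketched in shell as follows. This is an added example, not sopsx's own code: it assumes a profile is tied to an account by sso_account_id or role_arn in the AWS config file, uses constructed sample files, and lists every matching profile rather than reproducing sopsx's privilege-based ranking.

```bash
#!/bin/sh
# Added sketch, not sopsx source. File contents below are constructed samples.

# First KMS key ARN found in a SOPS file (any AWS partition).
kms_arn() {
  grep -oE 'arn:aws[a-z-]*:kms:[a-z0-9-]+:[0-9]{12}:key/[A-Za-z0-9-]+' "$1" | head -n 1
}

# The account ID is the fifth colon-separated field of an ARN.
arn_account() {
  printf '%s\n' "$1" | cut -d: -f5
}

# Profiles whose sso_account_id or role_arn points at the account.
# Assumption: these two keys are how a profile is tied to an account.
profiles_for_account() {
  awk -v acct="$1" '
    /^\[/ { name = $0; sub(/^\[(profile[ \t]+)?/, "", name); sub(/\].*$/, "", name); next }
    /^[ \t]*sso_account_id[ \t]*=/ { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); if (v == acct) print name }
    /^[ \t]*role_arn[ \t]*=/ { split($0, p, ":"); if (p[5] == acct) print name }
  ' "$2" | sort -u
}

demo() {
  tmp=$(mktemp -d)
  cat > "$tmp/secrets.enc.yaml" <<'EOF'
api_key: ENC[AES256_GCM,data:constructed,type:str]
sops:
    kms:
        - arn: arn:aws:kms:us-east-1:123456789012:key/abc-123
EOF
  cat > "$tmp/config" <<'EOF'
[profile dev-admin]
sso_account_id = 123456789012
[profile dev-readonly]
role_arn = arn:aws:iam::123456789012:role/ReadOnly
[profile prod-readonly]
sso_account_id = 210987654321
EOF
  profiles_for_account "$(arn_account "$(kms_arn "$tmp/secrets.enc.yaml")")" "$tmp/config"
  rm -rf "$tmp"
}

demo   # prints dev-admin and dev-readonly, one per line
```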