
I need to encrypt a file using SOPS. The string I am trying to encrypt is the "XXXXXXXX" part below:

aws=($(aws sts assume-role --role-arn arn:aws:iam::XXXXXXXXXXXXX:role/dummy  --role-session-name sandbox | jq -r '.Credentials[]'))

My SOPS config file is:

---
creation_rules:
  - path_regex: upgrade.sh
    kms: 'arn:aws:kms:eu-west-1:#########################role/kms_helm_secrets'
    encrypted_suffix: XXXXXXXXXXXXX

I know the above is not correct because I copied it from another git repo which is using kms/helm.

I just need to know how to tell SOPS to encrypt what is in the encrypted_suffix part, as I believe this is where you write the expression you want to encrypt.

Thanks for your help.

Bluz
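An added example, not taken from the question, the answer, or the SOPS project, showing what each key in a .sops.yaml creation rule controls; the account id, KMS key id and role name are placeholders:

```yaml
# Added example: a .sops.yaml with two creation rules.
# Placeholders: account 111122223333, the all-zero key id, role kms_helm_secrets.
creation_rules:
  # Rule 1: a structured (YAML) secrets file.
  # encrypted_suffix is NOT the value to encrypt. It is a key selector:
  # only keys whose name ends with "_secret" are encrypted; every other
  # key is left in plaintext. So for a file containing
  #   role_arn: arn:aws:iam::111122223333:role/dummy
  #   session_token_secret: AQoDYXdzEJr...
  # sops encrypts session_token_secret and leaves role_arn readable.
  - path_regex: secrets/.*\.yaml$
    # KMS key ARN; the "+arn:aws:iam::...:role/..." suffix tells sops which
    # role to assume before calling KMS.
    kms: 'arn:aws:kms:eu-west-1:111122223333:key/00000000-0000-0000-0000-000000000000+arn:aws:iam::111122223333:role/kms_helm_secrets'
    encrypted_suffix: _secret

  # Rule 2: a shell script.
  # sops has no notion of keys inside a .sh file, so it treats the file as
  # binary and encrypts the whole content (the encrypted output is a JSON
  # document with a single "data" field). encrypted_suffix has no effect here.
  # Encrypt with:  sops --encrypt --input-type binary --output-type json upgrade.sh > upgrade.sh.enc
  - path_regex: upgrade\.sh$
    kms: 'arn:aws:kms:eu-west-1:111122223333:key/00000000-0000-0000-0000-000000000000+arn:aws:iam::111122223333:role/kms_helm_secrets'
```

To keep only one value of a script secret rather than the whole file, move that value into a YAML/JSON/.env file covered by a rule like the first one and have the script read it after `sops --decrypt`.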

1 Answer


Logic to locate the line containing "encrypted_suffix:" in the input file, parse that line, transform it using an encryption function, then output it with the new value inserted.

#!/bin/bash

# QUESTION: https://stackoverflow.com/questions/74226029/mozilla-sops-needed-to-encrypt-a-value-in-a-shell-file

### Perform Substitution in file

MATCH_LABEL="encrypted_suffix:"
CryptSUF="$1"

Fname="junk_38.input"

echo "\
    some data
    more data
    data 3
    123456789+12345678
    encrypted_suffix: XXXXXXXXXXXXX
    data 5
    data 6
    more data
    other data" >"${Fname}"

cat "${Fname}"

echo -e "\n\t After reviewing above input, hit <ENTER> to continue ..." ; read k

echo -e "\n\t Transformed output:\n"

awk -v label="${MATCH_LABEL}" -v codedString="${CryptSUF}" '
function doCrypt(val){
    printf("\t\t\t ### COMMENT: Value passed from file: %s\n", val ) ;
    #doSomeMagic
    val="TransformedVal" ;
    return val ;
}
{
    pLabel=index( $0, label) ;
    if( pLabel > 0 ){
        beg=substr( $0, 1, pLabel-1 ) ;
        EmbeddedValue=$2 ;
        #OPTION 1 - new value passed from command line parameter of script
        printf("%s%s %s\t\t ### OPTION 1 - PASSED\n", beg, label, codedString ) ;
        #OPTION 2 - new value passed from awk function calling encryption function
        printf("%s%s %s\t\t ### OPTION 2 - TRANSFORMED\n", beg, label, doCrypt( EmbeddedValue ) ) ;
    }else{
        printf("%s\n", $0 ) ;
    } ;
}' <"${Fname}"

Session log:

ericthered@OasisMega1:/0__WORK$ ./junk_38.sh "ABCDEFGHIJKLMNOP"
    some data
    more data
    data 3
    123456789+12345678
    encrypted_suffix: XXXXXXXXXXXXX
    data 5
    data 6
    more data
    other data

     After reviewing above input, hit <ENTER> to continue ...


     Transformed output:

    some data
    more data
    data 3
    123456789+12345678
    encrypted_suffix: ABCDEFGHIJKLMNOP       ### OPTION 1 - PASSED
             ### COMMENT: Value passed from file: XXXXXXXXXXXXX
    encrypted_suffix: TransformedVal         ### OPTION 2 - TRANSFORMED
    data 5
    data 6
    more data
    other data
ericthered@OasisMega1:/0__WORK$
Eric Marceau