Show: dhall-secret

Hey, just want to showcase a simple CLI I made recently, which I'm using very heavily together with dhall-kubernetes to deploy secrets, as well as AWS KMS. Hope it can help anyone like me who is also looking for a sops alternative that works with dhall expressions.

GitHub - jcouyang/dhall-secret: Manage secrets in dhall config file

It is very straightforward and can encrypt/decrypt AWS KMS and age values in dhall expressions with dhall-secret's type, for example:

$ dhall-secret encrypt <<< 'dhall-secret.AgeDecrypted {PlainText = "hello", Recipients=["age1lggyhqrw2nlhcxprm67z43rta597azn8gknawjehu9d9dl0jq3yqqvfafg"]}'
let dhall-secret =

in  dhall-secret.AgeEncrypted
      { Recipients =
        [ "age1lggyhqrw2nlhcxprm67z43rta597azn8gknawjehu9d9dl0jq3yqqvfafg" ]
      , CiphertextBlob =
          -----BEGIN AGE ENCRYPTED FILE-----
          -----END AGE ENCRYPTED FILE-----

Feedback/PR welcome


This is really cool, but one of the important benefits of sops is that it manages key changes. Teams change, keys get rotated, and you have this combination of .sops.yaml and secrets.yaml that is kept up to date as keys update.

As an alternative to dhall-secret you can use sops as is without additional software:

let Foo = { region : Text, key : Text, secret : Text }

in    { region = "fr-par"
      , key = env:SECRET_KEY as Text
      , secret = env:SECRET_ACCESS as Text
      }
    : Foo

$ sops exec-env secrets.yaml 'dhall <<< ./test.dhall'
{ key = "foo", region = "fr-par", secret = "bar" }