https://buildx.sh/tags/sops/Recent content in Sops on buildx.shHugoen© buildx.sh — built with effect, performance, and funTue, 12 May 2026 00:00:00 +0000https://buildx.sh/snippets/read-a-secret-from-sops/Tue, 12 May 2026 00:00:00 +0000https://buildx.sh/snippets/read-a-secret-from-sops/<p><code>sops -d</code> prints the entire decrypted file. Most of the time you want exactly one value — and you don&rsquo;t want it landing in shell history or a temp file. <code>--extract</code> does that.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># secret — print one key from a SOPS-encrypted YAML file.</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Usage: secret CODEBERG_TOKEN [path/to/secrets.enc.yaml]</span> </span></span><span style="display:flex;"><span>secret<span style="color:#f92672">()</span> <span style="color:#f92672">{</span> </span></span><span style="display:flex;"><span> local key<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;</span>$1<span style="color:#e6db74">&#34;</span> file<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;</span><span style="color:#e6db74">${</span>2<span style="color:#66d9ef">:-</span>secrets.enc.yaml<span style="color:#e6db74">}</span><span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> sops -d --extract <span style="color:#e6db74">&#34;[\&#34;</span><span style="color:#e6db74">${</span>key<span style="color:#e6db74">}</span><span style="color:#e6db74">\&#34;]&#34;</span> <span style="color:#e6db74">&#34;</span>$file<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">}</span> </span></span></code></pre></div><p>Use it inline so the plaintext never touches disk and an env var still wins:</p>