sops --decrypt: Decrypt Secrets in CI
sops --decrypt decrypts a sops-encrypted file and writes the plaintext, using whatever key material the environment provides.
In CI you decrypt right before applying. sops finds a usable key (age, KMS, etc.) from the environment and prints the cleartext.
What it does
sops --decrypt reverses encryption, recovering the data key via any recipient it can satisfy: an age key from SOPS_AGE_KEY or SOPS_AGE_KEY_FILE, an AWS KMS key via the ambient AWS credentials, PGP, and so on. Output goes to stdout unless -i rewrites the file.
Common usage
# age key supplied via env, decrypt to stdout
export SOPS_AGE_KEY_FILE=./age.key
sops --decrypt secrets.enc.yaml | kubectl apply -f -
# decrypt and re-emit as a different format
sops --decrypt --output-type json config.enc.yamlOptions
| Flag | What it does |
|---|---|
| -d, --decrypt | Decrypt the input file |
| -i, --in-place | Write the decrypted result back to the file |
| --output-type yaml|json|dotenv | Force the output format |
| --extract '["key"]' | Decrypt and print only one value |
| SOPS_AGE_KEY_FILE (env) | Path to the age private key |
In CI
Pass the decryption key through a secret env var: SOPS_AGE_KEY for an inline age key or SOPS_AGE_KEY_FILE for a path, or rely on the runner's cloud identity for KMS. Decrypt straight into kubectl apply -f - so the plaintext never lands on disk.
Common errors in CI
"Failed to get the data key required to decrypt the SOPS file. ... no matching keys found" means none of the configured recipients can be satisfied: the age key env var is unset or the AWS role lacks kms:Decrypt. "Error getting data key: ... AccessDeniedException" is the KMS permission case specifically. "sops metadata not found" means the file is not actually sops-encrypted.