sops exec-env: Inject Secrets Into a Process
sops exec-env decrypts a secrets file and runs a command with each key set as an environment variable, so plaintext never touches disk.
Instead of decrypting to a file, exec-env feeds the decrypted values straight into a child process environment. It keeps secrets in memory for the lifetime of that command.
What it does
sops exec-env decrypts the given file, sets each top-level key as an env var, and executes the command in {cmd} with those variables. exec-file instead writes plaintext to a temp file and substitutes its path into the command.
Common usage
sops exec-env secrets.enc.env 'node deploy.js'
# pass the decrypted file path to a tool that wants a file
sops exec-file secrets.enc.json 'terraform apply -var-file {}'Options
| Command / flag | What it does |
|---|---|
| exec-env <file> <cmd> | Run cmd with decrypted values as env vars |
| exec-file <file> <cmd> | Run cmd with a temp plaintext file, {} is its path |
| --no-fifo (exec-file) | Use a regular temp file instead of a FIFO |
| --user <name> | Drop to this user before running the command |
In CI
exec-env is the cleanest way to avoid a decrypted file lingering in the workspace. Only flat, top-level string values become env vars; nested structures do not, so keep exec-env inputs flat.
Common errors in CI
"Failed to get the data key" means the decryption key is unavailable on the runner (set SOPS_AGE_KEY or KMS creds). "error building the environment: ..." usually means the file has nested values that cannot map to env vars; flatten it or use exec-file. A non-zero exit from the wrapped command propagates, which is the intended gate.