
Template syntax

You can create a templated config file that contains secret references, then use op inject to receive a resolved config file that contains the actual secrets.

Here's an example of a template file with enclosed secret references in place of the plaintext secrets:

config.yml.tpl

Secret references

Secret references included in template files can be formatted as either unenclosed secret references or enclosed secret references.

Unenclosed secret references

An unenclosed secret reference is a string that:

  • Begins with op:// and is not preceded by any of these characters: alphanumeric, -, +, \, or a period (.)
  • Ends with either the end of the template, or the first encountered character outside the following set: alphanumeric, -, ?, _, and period (.)

Examples of good and bad unenclosed secret references:

(contains special characters that are not supported by the syntax)

(contains special characters that are not supported by the syntax)

Enclosed secret references

An enclosed secret reference is defined as any string that satisfies all of the following:

  • Begins with two opening braces {{
  • Ends with two closing braces }}
  • Contains a valid unenclosed secret reference between the two pairs of braces, possibly padded with spaces

Examples of good and bad enclosed secret references:

(the secret reference contains unsupported characters)

Special characters

If you need to escape special characters in your template, you can use curly braces and double quotes:

If the content contains double quotes, they must be escaped with \:

Variables

The template syntax also supports variable tags:

  • $var (unenclosed variables)
  • ${var} (enclosed variables)

When resolving an unenclosed variable of the form $FOO, it is replaced with the value of the environment variable named FOO.

When resolving an enclosed variable of the form ${FOO}, any whitespace at the beginning or end of FOO is discarded and the reference is replaced with the value of the environment variable named FOO.

Variable names are case-insensitive, cannot start with a number, and can only contain letters, numbers, and underscores.

Examples of good and bad unenclosed variables:

(starts with a number)

(contains unsupported special characters)

Examples of good and bad enclosed variables:

(the closing brace is escaped)

Default values

To set a default value for a template variable, use this syntax:

${VAR_NAME:-<default-value>}

The default value will be used when the variable can't be found in the environment.

For example, op://${VAULT:-dev}/docker/password evaluates to op://dev/docker/password when the VAULT environment variable isn't set. If VAULT is set to prod instead, it will evaluate to op://prod/docker/password.
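
A preview of how the variable and default-value rules above decide which vault a reference ends up pointing at, useful for catching a deployment that silently falls back to a default. This is an added example, not 1Password's code: preview is a hypothetical helper, and the upper-cased lookup and the handling of a missing variable without a default are assumptions of this sketch.

```python
import re

# Enclosed ${NAME} / ${NAME:-default} or unenclosed $NAME. Names: letters,
# digits and underscores, not starting with a digit (rules from the page).
_TAG = re.compile(
    r"\$\{\s*(?P<enc>[A-Za-z_][A-Za-z0-9_]*)\s*(?::-(?P<default>[^}]*))?\}"
    r"|\$(?P<bare>[A-Za-z_][A-Za-z0-9_]*)"
)


def preview(template, env):
    """Expand variable tags; return (text, notes), where notes lists every
    variable that fell back to its default or could not be resolved."""
    # Names are case-insensitive: compare on upper-cased keys (assumption
    # about how the lookup is performed).
    lookup = {k.upper(): v for k, v in env.items()}
    notes = []

    def sub(m):
        name = m.group("enc") or m.group("bare")
        if name.upper() in lookup:
            return lookup[name.upper()]
        default = m.group("default")
        if default is not None:
            notes.append((name, "default", default))
            return default
        # Behaviour for a missing variable with no default is not stated on
        # the page; this sketch leaves the tag in place and reports it.
        notes.append((name, "unresolved", None))
        return m.group(0)

    return _TAG.sub(sub, template), notes


if __name__ == "__main__":
    # Constructed template line built from the page's own example reference.
    line = "password: op://${VAULT:-dev}/docker/password"
    for env in ({}, {"VAULT": "prod"}):
        text, notes = preview(line, env)
        print(text, notes)
```

Running it against a template with the target environment's variables before calling op inject shows every reference whose vault came from a default rather than from an explicitly set variable.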
