# Punktero SOPS Secrets

Decrypt and browse SOPS-encrypted secrets directly in VS Code — without ever writing plaintext to disk.

Designed for Ansible inventories that use the `punktero.sops.secret` lookup plugin.
## Features

### SOPS Secrets panel

Opens automatically in the Explorer sidebar when you switch to an Ansible inventory YAML file.

- Hosts from the inventory are listed as expandable nodes
- Secrets shared via YAML anchors appear under a global node at the top
- Each secret shows the relevant part of its SOPS key path (host prefix is stripped — `some.key` instead of `inventory.vps-123.some.key`)
### Reveal & copy secrets

| Action | Result |
|---|---|
| Double-click a secret | Toggle show / hide — the decrypted value appears directly below the key in the tree |
| Double-click again | Hide the value |
| Ctrl+C (panel focused) | Copy the selected secret or value to clipboard |
| Right-click → Reveal secret | Show the value below the key |
| Right-click → Hide secret | Remove the revealed value |
| Right-click → Copy decrypted secret | Copy to clipboard |
Copied secrets are automatically cleared from the clipboard after 30 seconds.
### Multi-file support

The extension searches all SOPS files matching the configured glob pattern (default: `.secrets/*.sops.yml`).

- If the same key exists in multiple files, all values are shown — one per file
- If a file cannot be decrypted (different age recipient), the entry shows `Access denied` instead of the value
- `Access denied` is only shown when the key actually exists in the inaccessible file (the extension reads the encrypted YAML structure without decrypting)
Hover over any `lookup('punktero.sops.secret', '...')` expression in any file to see the decrypted value in a popup. Works in YAML inventory files, Jinja2 templates, and anywhere else the lookup appears.
### Encrypt secrets

Select any plaintext value in the editor, right-click → **SOPS: Encrypt with SOPS**. The extension:

- Asks for the SOPS key path (e.g. `$.postgres.password` or `inventory.db.password`)
- Encrypts the value with `sops set`
- Replaces the selected text with the lookup expression
## Requirements

- `sops` CLI must be installed and available in `PATH`
- A `.sops.yaml` configuration file must be present in the workspace root
- Age or GPG keys must be configured for decryption
## Configuration

| Setting | Default | Description |
|---|---|---|
| `punkteroSops.secretsFiles` | `.secrets/*.sops.yml` | Glob pattern for SOPS files relative to workspace root |
## How it works

The extension calls `sops -d <file>` for each matching file and parses the decrypted YAML in memory. Nothing is written to disk. The decrypted data is cached for 30 seconds to avoid repeated subprocess calls on every hover or tree refresh.
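As an added example (not the extension's own code), the per-file lookup described under Multi-file support and How it works, together with the host-prefix stripping from the panel section. Documents are plain objects here; the real extension parses the YAML it reads, and the file names and values are constructed.

```typescript
// Added example (not the extension's own code): the per-file lookup the panel
// performs. Documents are plain objects; the real extension parses YAML.
type Doc = Record<string, unknown>;
interface SopsFile {
  path: string;
  decrypted: Doc | null; // null when `sops -d` failed (e.g. different age recipient)
  encrypted: Doc;        // raw structure as read from disk, values still ENC[...]
}
interface LookupResult { file: string; status: "ok" | "denied"; value?: string }

// Walk a dotted key path; a leading "$." (as in "$.postgres.password") is stripped.
function resolvePath(doc: Doc, keyPath: string): unknown {
  let cur: unknown = doc;
  for (const part of keyPath.replace(/^\$\./, "").split(".")) {
    if (cur === null || typeof cur !== "object" || !(part in (cur as Doc))) return undefined;
    cur = (cur as Doc)[part];
  }
  return cur;
}

// Tree label: host prefix stripped, "inventory.vps-123.some.key" -> "some.key".
function displayKey(keyPath: string, host: string): string {
  const prefix = `inventory.${host}.`;
  return keyPath.startsWith(prefix) ? keyPath.slice(prefix.length) : keyPath;
}

// One entry per file that contains the key. For a file that could not be decrypted,
// "denied" is reported only if the key exists in the encrypted structure; the
// plaintext is never available in that case.
function lookupSecret(files: SopsFile[], keyPath: string): LookupResult[] {
  const out: LookupResult[] = [];
  for (const f of files) {
    if (f.decrypted !== null) {
      const v = resolvePath(f.decrypted, keyPath);
      if (v !== undefined) out.push({ file: f.path, status: "ok", value: String(v) });
    } else {
      const enc = resolvePath(f.encrypted, keyPath);
      if (typeof enc === "string" && enc.startsWith("ENC[")) out.push({ file: f.path, status: "denied" });
    }
  }
  return out;
}

// Constructed sample: a readable file, one encrypted to another recipient, one without the key.
const encDoc = (tag: string): Doc => ({ inventory: { "vps-123": { db: { password: `ENC[AES256_GCM,data:${tag},type:str]` } } } });
const sampleFiles: SopsFile[] = [
  { path: ".secrets/prod.sops.yml", decrypted: { inventory: { "vps-123": { db: { password: "hunter2" } } } }, encrypted: encDoc("a") },
  { path: ".secrets/other-team.sops.yml", decrypted: null, encrypted: encDoc("b") },
  { path: ".secrets/staging.sops.yml", decrypted: null, encrypted: { inventory: { "vps-456": {} } } },
];
```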