Main Novops config file
Global configurations for Novops and modules
Global Novops configuration defining behavior for modules
AWS module configs
Global AWS config
Override endpoint for all AWS services Can be used with tools like LocalStack, for example http://localhost:4566/
AWS SDK identity cache configuration
AWS SDK identity cache configuration
Timeout to load identity (in seconds, default: 5s). Useful when asking for MFA authentication which may take more than 5 seconds for user to input.
AWS Profile name. Must exist locally in AWS config.
It's advised not to use this directly as profile name configuration is higly dependent on local configuration. Prefer using AWS_PROFILE environment variable where needed.
AWS region to use. Default to currently configured region.
Novops default configurations
Default environment name, selected by default if no user input is provided
Hashicorp Vault module configs
Address in form http(s)://HOST:PORT
Example: https://vault.mycompany.org:8200
Vault authentication to use when a token is not provided
Vault namespace to use
Vault client timeout in seconds. Default to 60s.
Vault token as plain string
Use for testing only. DO NOT COMMIT NOVOPS CONFIG WITH THIS SET.
Vault token path.
Example: /var/secrets/vault-token
Whether to enable TLS verify (true by default)
Source of truth defining files and variables loaded by Novops
Environments are named uniquely (such as "dev", "prod"...) to allow for different configs to be loaded in various contexts
Each additional property must conform to the following schema
Type: objectModules to be loaded for an environment. Each module defines one or more Input which will be resolved into Outputs (files & variables)
Assume an AWS Role from local config.
Outputs environment variables AWS_ACCESS_KEY_ID
, AWS_SECRET_ACCESS_KEY
and AWS_SESSION_TOKEN
with temporary credentials for IAM Role.
Assume an IAM Role
Duration of the role session (seconds). Can range from 900 seconds up to the maximum session duration set for the role. Default to 1h (3600).
Full IAM Role ARN
Source profile. Must exist in config.
Files resolving to concrete files on local filesystem and environment variables pointing to file
No Additional ItemsFile content
Reference an AWS Secret Manager secret
Structure to request a Secrets Manager secret
Maps directly to GetSecretValue API. See https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
Secret ID
The unique identifier of the version of the secret to retrieve.
The staging label of the version of the secret to retrieve.
Reference Secret Manager secret
Structure to request a GCloud Secret Manager secret
See https://cloud.google.com/secret-manager/docs/reference/rest/v1/projects.secrets/get
Name of the secret in the format projects/*\/secrets/*\/versions/* Such as projects/my-org-project/secrets/my-secret/latest
Or projects/my-org-project/secrets/my-secret/42
for a specific version
Whether to validate crc32c checksum provided with secret (default: true)
All possible inputs resolving to a string value
A BitWarden secret reference
A BitWarden entry
Entry name
Field in entry to use as value.
Reference a Key Value V2 secret
Reference a Key Value V2 secret
Secret key to retrieve
KV v2 mount point
default to "secret/"
Path to secret
Reference a Key Value V1 secret
Reference a Key Value V1 secret
Secret key to retrieve
KV v1 mount point
default to "kv/"
Path to secret
Reference an SSM Parameter config or secret
Reference an SSM Parameter config or secret
Maps directly to GetParameter API. See https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_GetParameter.html
Parameter name
Return decrypted values for secure string parameters. This flag is ignored for String and StringList parameter types.
Reference an AWS Secret Manager secret
Structure to request a Secrets Manager secret
Maps directly to GetSecretValue API. See https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
Secret ID
The unique identifier of the version of the secret to retrieve.
The staging label of the version of the secret to retrieve.
Reference Secret Manager secret
Structure to request a GCloud Secret Manager secret
See https://cloud.google.com/secret-manager/docs/reference/rest/v1/projects.secrets/get
Name of the secret in the format projects/*\/secrets/*\/versions/* Such as projects/my-org-project/secrets/my-secret/latest
Or projects/my-org-project/secrets/my-secret/42
for a specific version
Whether to validate crc32c checksum provided with secret (default: true)
Reference an Azure Keyvault secret
Maps directly to Keyvault Get Secret API
See https://learn.microsoft.com/en-us/rest/api/keyvault/secrets/get-secret/get-secret?tabs=HTTP
Secret name
Secret's vault name
Secret's version (default: latest)
SOPS input to be used as file, variables or other kind of value input
Additional flags passed to sops after --decrypt --extract
No Additional ItemsExtract a specific field via --extract flag
Path to encrypted file
Reference an S3 object
Reference an S3 object
S3 bucket name
S3 object key
Optional bucket region name
DEPRECATED: dest
is insecure as generated file may be written in insecure directory and/or persist on disk. Use symlink
instead to create a symbolic link pointing to generated file in secure Novops secure directory.
Destination where file will be generated. Default to secure Novops working directory.
Setting this value may prevent file from being auto-deleted as it won't be managed in a safe location and may remain indefinitely.
File name to use when auto-generating file and variable name. if not set, the YAML key for file will be used
Creates a symbolic link pointing to generated file. If a file already exists
Concrete file is still generated in secure Novops working directory, created symlink will point to concrete file.
For example, symlink: "./mytoken"
will create a symlink at "./mytoken" which can be used to read file directly.
If a file already exists at symlink's destination and is NOT a symlink, Novops will fail.
See also variable
to generate an environment variable pointing to file in secure Novops working directory.
Environment variable name pointing to generated file.
Example: setting NPM_TOKEN
will output an environment variable pointing to file path such as
NPM_TOKEN: /run/user/1000/novops/dev/file_xxx
See also symlink
to create a symlink pointing to file in secure Novops working directory;
Reference one or more Hashicorp Vault Secret Engines to generate either files or variables.
Use Vault AWS Secret Engine to generate temporary AWS credentials.
Secret Engine mount point. Default to 'aws'.
Vault role name
AWS IAM Role ARN
Session name
Generated token time to live. Example: "3600s"
Reference SOPS encrypted file(s) as dotenv to load variables
No Additional ItemsSOPS input directly under an environment to load file content as environment variables Encrypted SOPS files must be in a valid dotenv format
Additional flags passed to sops
No Additional ItemsExtract a specific field via --extract flag
Path to encrypted file
Variables resolving to environment variables from provided source
No Additional ItemsEnvironment variable name, such as NPM_TOKEN
Source of truth for variable
A BitWarden secret reference
A BitWarden entry
Entry name
Field in entry to use as value.
Reference a Key Value V2 secret
Reference a Key Value V2 secret
Secret key to retrieve
KV v2 mount point
default to "secret/"
Path to secret
Reference a Key Value V1 secret
Reference a Key Value V1 secret
Secret key to retrieve
KV v1 mount point
default to "kv/"
Path to secret
Reference an SSM Parameter config or secret
Reference an SSM Parameter config or secret
Maps directly to GetParameter API. See https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_GetParameter.html
Parameter name
Return decrypted values for secure string parameters. This flag is ignored for String and StringList parameter types.
Reference an AWS Secret Manager secret
Structure to request a Secrets Manager secret
Maps directly to GetSecretValue API. See https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
Secret ID
The unique identifier of the version of the secret to retrieve.
The staging label of the version of the secret to retrieve.
Reference Secret Manager secret
Structure to request a GCloud Secret Manager secret
See https://cloud.google.com/secret-manager/docs/reference/rest/v1/projects.secrets/get
Name of the secret in the format projects/*\/secrets/*\/versions/* Such as projects/my-org-project/secrets/my-secret/latest
Or projects/my-org-project/secrets/my-secret/42
for a specific version
Whether to validate crc32c checksum provided with secret (default: true)
Reference an Azure Keyvault secret
Maps directly to Keyvault Get Secret API
See https://learn.microsoft.com/en-us/rest/api/keyvault/secrets/get-secret/get-secret?tabs=HTTP
Secret name
Secret's vault name
Secret's version (default: latest)
SOPS input to be used as file, variables or other kind of value input
Additional flags passed to sops after --decrypt --extract
No Additional ItemsExtract a specific field via --extract flag
Path to encrypted file
Reference an S3 object
Reference an S3 object
S3 bucket name
S3 object key
Optional bucket region name
Application name. Informational only.
If not specified, use current directory name