getsops · bruce-szalwinski-he · Sep 7, 2025 · Sep 20, 2025 · Sep 20, 2025 · Sep 20, 2025
diff --git a/README.rst b/README.rst
@@ -1215,15 +1215,28 @@ This command requires a ``.sops.yaml`` configuration file. Below is an example:
           vault_kv_version: 2 # default
           path_regex: vault/*
           omit_extensions: true
+        - aws_secrets_manager_secret_name: "my-secret"
+          aws_region: "us-west-2"
+          path_regex: aws-secrets/*
+        - aws_parameter_store_path: "/sops/"
+          aws_region: "us-west-2"
+          path_regex: aws-params/*
 
 The above configuration will place all files under ``s3/*`` into the S3 bucket ``sops-secrets``,
-all files under ``gcs/*`` into the GCS bucket ``sops-secrets``, and the contents of all files under
-``vault/*`` into Vault's KV store under the path ``secrets/sops/``. For the files that will be
-published to S3 and GCS, it will decrypt them and re-encrypt them using the
-``F69E4901EDBAD2D1753F8C67A64535C4163FB307`` pgp key.
+all files under ``gcs/*`` into the GCS bucket ``sops-secrets``, the contents of all files under
+``vault/*`` into Vault's KV store under the path ``secrets/sops/``, files under ``aws-secrets/*``
+into AWS Secrets Manager as JSON secrets, and files under ``aws-params/*`` into AWS Parameter Store
+as SecureString parameters. For the files that will be published to S3 and GCS, it will decrypt them 
+and re-encrypt them using the ``F69E4901EDBAD2D1753F8C67A64535C4163FB307`` pgp key. Files published to Vault
+will be decrypted and stored as JSON data encrypted by Vault. Files published to AWS Secrets Manager and AWS Parameter Store 
+will be decrypted and stored as JSON data encrypted by AWS KMS.
 
 You would deploy a file to S3 with a command like: ``sops publish s3/app.yaml``
 
+Similarly, you can publish to AWS Secrets Manager: ``sops publish aws-secrets/database-config.yaml``
+
+Or to AWS Parameter Store: ``sops publish aws-params/app-config.yaml``
+
 To publish all files in selected directory recursively, you need to specify ``--recursive`` flag.
 
 If you don't want file extension to appear in destination secret path, use ``--omit-extensions``
@@ -1275,6 +1288,77 @@ Below is an example of publishing to Vault (using token auth with a local dev in
     example_number    42
     example_string    bar
 
+Publishing to AWS Secrets Manager
+**********************************
+
+AWS Secrets Manager is a service that helps you protect secrets needed to access your applications,
+services, and IT resources. SOPS can publish decrypted data directly to AWS Secrets Manager as JSON secrets.
+
+There are a few settings for AWS Secrets Manager that you can place in your destination rules:
+
+* ``aws_secrets_manager_secret_name`` - The name of the secret in AWS Secrets Manager. If not specified, the filename will be used as the secret name.
+* ``aws_region`` - The AWS region where the secret should be stored. This is required.
+
+SOPS uses the AWS SDK for Go v2, which automatically uses your configured AWS credentials from the AWS CLI,
+environment variables, or IAM roles.
+
+If the destination secret already exists in AWS Secrets Manager and contains the same data as the source
+file, it will be skipped to avoid creating unnecessary versions.
+
+Note: Recreation rules (re-encryption with different keys) are not supported for AWS Secrets Manager.
+The data is decrypted from the source file and stored as plaintext JSON in the secret.
+
+Below is an example of publishing to AWS Secrets Manager:
+
+.. code:: sh
+
+    $ export AWS_REGION=us-west-2
+    $ sops decrypt aws-secrets/database-config.yaml
+    database:
+        host: db.example.com
+        port: 5432
+        username: myuser
+        password: mypassword
+    $ sops publish aws-secrets/database-config.yaml
+    uploading /home/user/sops_directory/aws-secrets/database-config.yaml to AWS Secrets Manager secret database-config in us-west-2 ? (y/n): y
+    Successfully created secret database-config
+
+Publishing to AWS Parameter Store
+**********************************
+
+AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data
+and secrets management. SOPS can publish decrypted data directly to Parameter Store as JSON parameters encrypted by AWS KMS.
+
+There are a few settings for AWS Parameter Store that you can place in your destination rules:
+
+* ``aws_parameter_store_path`` - The parameter path in AWS Parameter Store. If it ends with ``/``, the filename will be appended. If not specified, the filename will be used as the parameter name with a leading ``/``.
+* ``aws_region`` - The AWS region where the parameter should be stored. This is required.
+
+All parameters are stored as ``SecureString`` type for security, since SOPS files may contain sensitive data.
+
+SOPS uses the AWS SDK for Go v2, which automatically uses your configured AWS credentials from the AWS CLI,
+environment variables, or IAM roles.
+
+If the destination parameter already exists in AWS Parameter Store and contains the same data as the source
+file, it will be skipped to avoid creating unnecessary versions.
+
+Note: Recreation rules (re-encryption with different keys) are not supported for AWS Parameter Store.
+The data is decrypted from the source file and stored as JSON in the SecureString parameter, encrypted by AWS KMS.
+
+Below is an example of publishing to AWS Parameter Store:
+
+.. code:: sh
+
+    $ export AWS_REGION=us-west-2
+    $ sops decrypt aws-params/app-config.yaml
+    app:
+        debug: false
+        database_url: postgres://user:pass@localhost/db
+        api_key: secret-api-key
+    $ sops publish aws-params/app-config.yaml
+    uploading /home/user/sops_directory/aws-params/app-config.yaml to AWS Parameter Store parameter /app-config in us-west-2 ? (y/n): y
+    Successfully created parameter /app-config
+
 
 Important information on types
 ------------------------------

diff --git a/cmd/sops/subcommand/publish/publish.go b/cmd/sops/subcommand/publish/publish.go
@@ -137,7 +137,7 @@ func Run(opts Opts) error {
 				return fmt.Errorf("could not read file: %s", err)
 			}
 		}
-	case *publish.VaultDestination:
+	case *publish.VaultDestination, *publish.AWSSecretsManagerDestination, *publish.AWSParameterStoreDestination:
 		_, err = common.DecryptTree(common.DecryptTreeOpts{
 			Cipher:          opts.Cipher,
 			IgnoreMac:       false,
@@ -177,7 +177,7 @@ func Run(opts Opts) error {
 	switch dest := conf.Destination.(type) {
 	case *publish.S3Destination, *publish.GCSDestination:
 		err = dest.Upload(fileContents, destinationPath)
-	case *publish.VaultDestination:
+	case *publish.VaultDestination, *publish.AWSSecretsManagerDestination, *publish.AWSParameterStoreDestination:
 		err = dest.UploadUnencrypted(data, destinationPath)
 	}
 

diff --git a/config/config.go b/config/config.go
@@ -156,17 +156,22 @@ type azureKVKey struct {
 }
 
 type destinationRule struct {
-	PathRegex        string       `yaml:"path_regex"`
-	S3Bucket         string       `yaml:"s3_bucket"`
-	S3Prefix         string       `yaml:"s3_prefix"`
-	GCSBucket        string       `yaml:"gcs_bucket"`
-	GCSPrefix        string       `yaml:"gcs_prefix"`
-	VaultPath        string       `yaml:"vault_path"`
-	VaultAddress     string       `yaml:"vault_address"`
-	VaultKVMountName string       `yaml:"vault_kv_mount_name"`
-	VaultKVVersion   int          `yaml:"vault_kv_version"`
-	RecreationRule   creationRule `yaml:"recreation_rule,omitempty"`
-	OmitExtensions   bool         `yaml:"omit_extensions"`
+	PathRegex                   string       `yaml:"path_regex"`
+	S3Bucket                    string       `yaml:"s3_bucket"`
+	S3Prefix                    string       `yaml:"s3_prefix"`
+	GCSBucket                   string       `yaml:"gcs_bucket"`
+	GCSPrefix                   string       `yaml:"gcs_prefix"`
+	VaultPath                   string       `yaml:"vault_path"`
+	VaultAddress                string       `yaml:"vault_address"`
+	VaultKVMountName            string       `yaml:"vault_kv_mount_name"`
+	VaultKVVersion              int          `yaml:"vault_kv_version"`
+	RecreationRule              creationRule `yaml:"recreation_rule,omitempty"`
+	OmitExtensions              bool         `yaml:"omit_extensions"`
+	AWSSecretsManagerRegion     string       `yaml:"aws_secrets_manager_region"`
+	AWSSecretsManagerSecretName string       `yaml:"aws_secrets_manager_secret_name"`
+	AWSParameterStoreRegion     string       `yaml:"aws_parameter_store_region"`
+	AWSParameterStorePath       string       `yaml:"aws_parameter_store_path"`
+	AWSParameterStoreType       string       `yaml:"aws_parameter_store_type"`
 }
 
 type creationRule struct {
@@ -523,6 +528,13 @@ func parseDestinationRuleForFile(conf *configFile, filePath string, kmsEncryptio
 		destinationCount++
 	}
 
+	if dRule.AWSSecretsManagerRegion != "" {
+		destinationCount++
+	}
+	if dRule.AWSParameterStoreRegion != "" {
+		destinationCount++
+	}
+
 	if destinationCount > 1 {
 		return nil, fmt.Errorf("error loading config: more than one destinations were found in a single destination rule, you can only use one per rule")
 	}
@@ -535,6 +547,12 @@ func parseDestinationRuleForFile(conf *configFile, filePath string, kmsEncryptio
 	if dRule.VaultPath != "" {
 		dest = publish.NewVaultDestination(dRule.VaultAddress, dRule.VaultPath, dRule.VaultKVMountName, dRule.VaultKVVersion)
 	}
+	if dRule.AWSSecretsManagerRegion != "" {
+		dest = publish.NewAWSSecretsManagerDestination(dRule.AWSSecretsManagerRegion, dRule.AWSSecretsManagerSecretName)
+	}
+	if dRule.AWSParameterStoreRegion != "" {
+		dest = publish.NewAWSParameterStoreDestination(dRule.AWSParameterStoreRegion, dRule.AWSParameterStorePath)
+	}
 
 	config, err := configFromRule(rule, kmsEncryptionContext)
 	if err != nil {

diff --git a/config/config_aws_test.go b/config/config_aws_test.go
@@ -0,0 +1,123 @@
+package config
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+var sampleConfigWithAWSSecretsManagerDestinationRules = []byte(`
+creation_rules:
+  - path_regex: foobar*
+    kms: "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
+destination_rules:
+  - aws_secrets_manager_region: "us-east-1"
+    aws_secrets_manager_secret_name: "myapp/database"
+    path_regex: "^secrets/.*"
+  - aws_secrets_manager_region: "us-west-2"
+    path_regex: "^west-secrets/.*"
+`)
+
+var sampleConfigWithAWSParameterStoreDestinationRules = []byte(`
+creation_rules:
+  - path_regex: foobar*
+    kms: "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
+destination_rules:
+  - aws_parameter_store_region: "us-east-1"
+    aws_parameter_store_path: "/myapp/config"
+    aws_parameter_store_type: "SecureString"
+    path_regex: "^parameters/.*"
+  - aws_parameter_store_region: "us-west-2"
+    aws_parameter_store_path: "/myapp/west/"
+    aws_parameter_store_type: "String"
+    path_regex: "^west-parameters/.*"
+`)
+
+var sampleConfigWithMixedAWSDestinationRules = []byte(`
+creation_rules:
+  - path_regex: foobar*
+    kms: "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
+destination_rules:
+  - aws_secrets_manager_region: "us-east-1"
+    aws_secrets_manager_secret_name: "myapp/database"
+    path_regex: "^secrets/.*"
+  - aws_parameter_store_region: "us-east-1"
+    aws_parameter_store_path: "/myapp/config"
+    path_regex: "^parameters/.*"
+  - s3_bucket: "mybucket"
+    path_regex: "^s3/.*"
+`)
+
+func TestLoadConfigFileWithAWSSecretsManagerDestinationRules(t *testing.T) {
+	conf, err := parseDestinationRuleForFile(parseConfigFile(sampleConfigWithAWSSecretsManagerDestinationRules, t), "secrets/database.yaml", nil)
+	assert.Nil(t, err)
+	assert.NotNil(t, conf.Destination)
+	path := conf.Destination.Path("database.yaml")
+	assert.Contains(t, path, "arn:aws:secretsmanager:us-east-1:*:secret:myapp/database")
+
+	// Test with region but no specific secret name - this should match the second rule
+	conf, err = parseDestinationRuleForFile(parseConfigFile(sampleConfigWithAWSSecretsManagerDestinationRules, t), "west-secrets/api.yaml", nil)
+	assert.Nil(t, err)
+	assert.NotNil(t, conf.Destination)
+	path = conf.Destination.Path("api.yaml")
+	assert.Contains(t, path, "arn:aws:secretsmanager:us-west-2:*:secret:api.yaml")
+}
+
+func TestLoadConfigFileWithAWSParameterStoreDestinationRules(t *testing.T) {
+	conf, err := parseDestinationRuleForFile(parseConfigFile(sampleConfigWithAWSParameterStoreDestinationRules, t), "parameters/app.yaml", nil)
+	assert.Nil(t, err)
+	assert.NotNil(t, conf.Destination)
+	assert.Equal(t, "/myapp/config", conf.Destination.Path("app.yaml"))
+
+	// Test with path ending with slash
+	conf, err = parseDestinationRuleForFile(parseConfigFile(sampleConfigWithAWSParameterStoreDestinationRules, t), "west-parameters/config.yaml", nil)
+	assert.Nil(t, err)
+	assert.NotNil(t, conf.Destination)
+	assert.Equal(t, "/myapp/west/config.yaml", conf.Destination.Path("config.yaml"))
+}
+
+func TestLoadConfigFileWithMixedAWSDestinationRules(t *testing.T) {
+	// Test AWS Secrets Manager
+	conf, err := parseDestinationRuleForFile(parseConfigFile(sampleConfigWithMixedAWSDestinationRules, t), "secrets/database.yaml", nil)
+	assert.Nil(t, err)
+	assert.NotNil(t, conf.Destination)
+	assert.Contains(t, conf.Destination.Path("database.yaml"), "arn:aws:secretsmanager:us-east-1:*:secret:myapp/database")
+
+	// Test AWS Parameter Store
+	conf, err = parseDestinationRuleForFile(parseConfigFile(sampleConfigWithMixedAWSDestinationRules, t), "parameters/config.yaml", nil)
+	assert.Nil(t, err)
+	assert.NotNil(t, conf.Destination)
+	assert.Equal(t, "/myapp/config", conf.Destination.Path("config.yaml"))
+
+	// Test S3
+	conf, err = parseDestinationRuleForFile(parseConfigFile(sampleConfigWithMixedAWSDestinationRules, t), "s3/backup.yaml", nil)
+	assert.Nil(t, err)
+	assert.NotNil(t, conf.Destination)
+	assert.Contains(t, conf.Destination.Path("backup.yaml"), "s3://mybucket/backup.yaml")
+}
+
+func TestValidateMultipleDestinationsInRule(t *testing.T) {
+	invalidConfig := []byte(`
+destination_rules:
+  - aws_secrets_manager_region: "us-east-1"
+    aws_parameter_store_region: "us-east-1"
+    path_regex: "^invalid/.*"
+`)
+
+	_, err := parseDestinationRuleForFile(parseConfigFile(invalidConfig, t), "invalid/test.yaml", nil)
+	assert.NotNil(t, err)
+	assert.Contains(t, err.Error(), "more than one destinations were found")
+}
+
+func TestValidateConflictingAWSDestinations(t *testing.T) {
+	invalidConfig := []byte(`
+destination_rules:
+  - aws_secrets_manager_region: "us-east-1"
+    s3_bucket: "mybucket"
+    path_regex: "^invalid/.*"
+`)
+
+	_, err := parseDestinationRuleForFile(parseConfigFile(invalidConfig, t), "invalid/test.yaml", nil)
+	assert.NotNil(t, err)
+	assert.Contains(t, err.Error(), "more than one destinations were found")
+}