This release adds Proton Pass as a new secrets provider, introduces AWS profile pinning for AWS providers, and adds base64 encode/decode support for secrets. It also fixes a batch request bug in AWS Secrets Manager when multiple config keys reference the same underlying secret.
Highlights
- Proton Pass provider: Retrieve secrets from Proton Pass vaults using the pass-cli CLI, with flexible reference formats and non-interactive auth support.
- AWS Profile support: Pin AWS Parameter Store and Secrets Manager providers to a specific AWS CLI profile, eliminating reliance on the AWS_PROFILE environment variable.
- Base64 encode/decode: Encode secrets on write and decode them on read with new CLI flags, useful for binary or multi-line secrets stored in base64.
Added
Proton Pass provider (#292) -- Thanks @TyceHerrman!
A new read-only provider for Proton Pass, using the Proton Pass CLI (pass-cli). Supports multiple reference formats including item, item/field, vault/item/field, full pass:// URIs, and id:ITEM_ID for disambiguating duplicate item names. Authentication environment variables (PROTON_PASS_PASSWORD, PROTON_PASS_TOTP, etc.) are passed through for non-interactive use.
```toml
[providers]
protonpass = { type = "proton-pass", vault = "Personal" }

[secrets]
MY_SECRET = { provider = "protonpass", value = "item-name" }
MY_USER = { provider = "protonpass", value = "item-name/username" }
MY_FULL = { provider = "protonpass", value = "pass://Personal/item-name/password" }
# Use id: prefix for items with duplicate names
MY_DUP = { provider = "protonpass", value = "id:ITEM_ID/password" }
```

AWS Profile support for AWS PS and Secrets Manager (#290) -- Thanks @micahvdk!
Both the AWS Parameter Store (aws-ps) and AWS Secrets Manager (aws-sm) providers now accept an optional profile field. This lets you pin a provider to a specific AWS CLI profile from ~/.aws/config, which is useful when managing secrets across multiple AWS accounts without depending on the AWS_PROFILE environment variable.
```toml
[providers]
ps = { type = "aws-ps", region = "us-east-1", profile = "prod-account", prefix = "/myapp/prod/" }
aws = { type = "aws-sm", region = "us-west-2", profile = "prod-account", prefix = "myapp/" }
```

Base64 encode/decode for secrets (#273) -- Thanks @pitoniak32!
New CLI flags for base64 encoding and decoding secrets:
- `fnox set --base64-encode KEY VALUE` -- base64-encodes the value before storing it
- `fnox get --base64-decode KEY` -- base64-decodes the stored value before outputting it
This is useful for secrets that contain binary data or multi-line content that needs to be stored in a base64-safe format.
Fixed
AWS Secrets Manager batch request deduplication (#296)
When multiple config keys referenced the same underlying AWS Secrets Manager secret (e.g., using json_path to extract different fields from one JSON secret), the BatchGetSecretValue API call would fail due to duplicate secret IDs. Secret IDs are now deduplicated before the batch request, and results are fanned out to all keys that reference the same secret.
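The deduplicate-then-fan-out logic described above, as an added Rust example that is not fnox's own code: `batch_get` is a stand-in for the BatchGetSecretValue call (like the real API it rejects a request listing the same secret id twice), `resolve` is the fixed path, and the store contents and key names are constructed sample data. Applying json_path to the fetched JSON body is left to the caller.

```rust
use std::collections::{BTreeMap, HashSet};

/// One aws-sm `[secrets]` entry: the config key and the secret id it points at.
/// Several keys may point at the same id (e.g. different json_path fields).
#[derive(Debug, Clone)]
pub struct SecretRef {
    pub key: String,
    pub secret_id: String,
}

/// Stand-in for BatchGetSecretValue over an in-memory store (hypothetical mock).
/// A SecretIdList containing a duplicate id is rejected, as the real API does,
/// which is exactly why the un-deduplicated request used to fail.
pub fn batch_get(ids: &[String], store: &BTreeMap<&str, &str>) -> Result<BTreeMap<String, String>, String> {
    let mut seen = HashSet::new();
    if let Some(dup) = ids.iter().find(|id| !seen.insert(id.as_str())) {
        return Err(format!("duplicate secret id in batch request: {dup}"));
    }
    Ok(ids
        .iter()
        .filter_map(|id| store.get(id.as_str()).map(|v| (id.clone(), v.to_string())))
        .collect())
}

/// Fixed path: request each distinct secret id once (first-seen order kept),
/// then fan the fetched value back out to every key that references that id.
pub fn resolve(refs: &[SecretRef], store: &BTreeMap<&str, &str>) -> Result<BTreeMap<String, String>, String> {
    let mut unique: Vec<String> = Vec::new();
    let mut seen = HashSet::new();
    for r in refs {
        if seen.insert(r.secret_id.as_str()) {
            unique.push(r.secret_id.clone());
        }
    }
    let fetched = batch_get(&unique, store)?;
    let mut out = BTreeMap::new();
    for r in refs {
        let raw = fetched
            .get(&r.secret_id)
            .ok_or_else(|| format!("{}: secret {} not found", r.key, r.secret_id))?;
        out.insert(r.key.clone(), raw.clone());
    }
    Ok(out)
}

/// Constructed sample store: one JSON secret shared by two keys, one plain secret.
pub fn sample_store() -> BTreeMap<&'static str, &'static str> {
    BTreeMap::from([
        ("myapp/db", r#"{"user":"app","password":"example-only"}"#),
        ("myapp/api", "tok-example"),
    ])
}
```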
New Contributors
- @pitoniak32 made their first contribution in #273
- @TyceHerrman made their first contribution in #292
- @micahvdk made their first contribution in #290
Full Changelog: v1.13.0...v1.14.0