Sops unable to decrypt using Azure Key Vault key
We use sops in Azure Pipelines using a Service Principal to decrypt some ciphertext prior to deploying infrastructure using Terraform. For about a week now, sops has been unable to decrypt the file due to a token refresh error. I've tested this on both 3.7.1 and 3.7.2; 3.7.2 worked a few days ago.
+ sops exec-file config/backend-config.enc 'terraform init -backend-config={}'
[AZKV] time="2022-04-10T17:20:57Z" level=error msg="Decryption failed" error="azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://{{ key vault name }}.vault.azure.net/keys/{{ sops_key_name }}/{{ sops_key_id }}/decrypt?api-version=2016-10-01: StatusCode=400 -- Original Error: adal: Refresh request failed. Status Code = '400'. Response body: {\"error\":\"invalid_request\",\"error_description\":\"AADSTS900023: Specified tenant identifier '{{ tenant uuid }}'' is neither a valid DNS name, nor a valid external domain.\\r\\nTrace ID: {{ trace_uuid }}\\r\\nCorrelation ID: {{ correlation_uuid }}\\r\\nTimestamp: 2022-04-10 17:20:57Z\",\"error_codes\":[900023],\"timestamp\":\"2022-04-10 17:20:57Z\",\"trace_id\":\"{{ trace_uuid }}\",\"correlation_id\":\"{{ correlation_uuid }}\",\"error_uri\":\"https://login.microsoftonline.com/error?code=900023\"}" key={{ sops_key_name }} version={{ sops_key_id }}
Failed to get the data key required to decrypt the SOPS file.
Group 0: FAILED
https://{{ key vault name }}.vault.azure.net/keys/{{ sops_key_name }}/{{ sops_key_id }}: FAILED
- | Error decrypting key:
| azure.BearerAuthorizer#WithAuthorization: Failed to refresh
| the Token for request to
| https://{{ key vault name }}.vault.azure.net/keys/{{ sops_key_name }}/{{ sops_key_id }}/decrypt?api-version=2016-10-01:
| StatusCode=400 -- Original Error: adal: Refresh request
| failed. Status Code = '400'. Response body:
| {"error":"invalid_request","error_description":"AADSTS900023:
| Specified tenant identifier
| '{{ tenant uuid }}'' is neither a valid
| DNS name, nor a valid external domain.\r\nTrace ID:
| {{ trace_uuid }}\r\nCorrelation ID:
| {{ correlation_uuid }}\r\nTimestamp:
| 2022-04-10
| 17:20:57Z","error_codes":[900023],"timestamp":"2022-04-10
| 17:20:57Z","trace_id":"{{ trace_uuid }}","correlation_id":"{{ correlation_uuid }}","error_uri":"https://login.microsoftonline.com/error?code=900023"}
It's not clear to me why the tenant uuid is being used as a domain name by sops, or what the issue is regarding refresh tokens. I don't see any errors in the access logs for the SP. I see that the SP used to be able to authenticate and then decrypt the key; however, in the last couple of days sops is only able to authenticate before throwing the above error.
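A pre-flight check that a pipeline step could run ahead of the `sops exec-file` call, added here as an example and not part of the original issue or of sops itself. It assumes sops picks up the service principal from the `AZURE_TENANT_ID`, `AZURE_CLIENT_ID` and `AZURE_CLIENT_SECRET` environment variables (the go-autorest environment authorizer convention) and rejects a tenant identifier that AAD would refuse with AADSTS900023, including one wrapped in stray quote characters like the doubled `''` visible in the error above; the sample GUID is constructed.

```shell
#!/bin/sh
# Pre-flight validation of the service-principal environment before sops
# asks Azure Key Vault to unwrap the data key. Variable names are assumed
# (AZURE_TENANT_ID / AZURE_CLIENT_ID / AZURE_CLIENT_SECRET).

# Tenant id forms AAD accepts: a GUID (8-4-4-4-12 hex) or a DNS-style domain.
GUID_RE='^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
DNS_RE='^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'

# Returns 0 when the value is a tenant GUID or tenant domain, 1 otherwise;
# the reason goes to stderr so the pipeline log shows what was wrong.
check_tenant_id() {
  id=$1
  case $id in
    '') echo "tenant id is empty" >&2; return 1 ;;
    *\'*|*\"*) echo "tenant id contains a quote character" >&2; return 1 ;;
    *[[:space:]]*) echo "tenant id contains whitespace" >&2; return 1 ;;
  esac
  printf '%s' "$id" | grep -Eq "$GUID_RE" && return 0
  printf '%s' "$id" | grep -Eq "$DNS_RE" && return 0
  echo "tenant id is neither a GUID nor a DNS name: $id" >&2
  return 1
}

# Checks all three variables; the exit status is the number of problems found,
# so 0 means it is safe to proceed to the sops call.
preflight() {
  problems=0
  check_tenant_id "${AZURE_TENANT_ID-}" || problems=$((problems + 1))
  [ -n "${AZURE_CLIENT_ID-}" ] || { echo "AZURE_CLIENT_ID unset" >&2; problems=$((problems + 1)); }
  [ -n "${AZURE_CLIENT_SECRET-}" ] || { echo "AZURE_CLIENT_SECRET unset" >&2; problems=$((problems + 1)); }
  return $problems
}

# Constructed sample values, not a real tenant: run the check stand-alone.
if [ "${SOPS_PREFLIGHT_DEMO-}" = 1 ]; then
  AZURE_TENANT_ID='11111111-2222-3333-4444-555555555555' \
  AZURE_CLIENT_ID='app-id' AZURE_CLIENT_SECRET='secret' preflight
fi
```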