Respect aws_profile from Keygroup Config
A KMS entry in a creation_rule keygroup supports setting aws_profile, but the value is not passed into the KMS MasterKey.
I can confirm that this patch fixes the bug that prevents aws_profile from working when defined in a keygroup.
sample .sops.yml
---
creation_rules:
  - key_groups:
      - kms:
          - arn: arn:aws:kms:eu-west-1......
            aws_profile: my-profile
With latest master branch or release version 2.7.3
$ sops --verbose test2.sops.yml
[AWSKMS] INFO[0006] Encryption failed arn="arn:aws:kms:eu-west-1:...redacted..."
Error encrypting the data key with one or more master keys: [failed to encrypt new data key with master key "arn:aws:kms:eu-west-1:...redacted...": Failed to call KMS encryption service: NoCredentialProviders: no valid providers in chain. Deprecated.
For verbose messaging see aws.Config.CredentialsChainVerboseErrors]
With this patch applied
$ /workspace/go/bin/sops --verbose test2.sops.yml
[AWSKMS] INFO[0000] Encryption succeeded arn="arn:aws:kms:eu-west-1:...redacted..."
[CMD] INFO[0002] File written successfully
Oh this was the issue I had here. Would love to see it merged :)
Any chance someone can review/approve? This would be very useful.
@Kouzukii can you change this to be against develop instead of master?
@ajvb done
Almost there :) Can someone review it please?
@ajvb: Could you review this PR please?
bump
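An added Go example, not code from sops or from this pull request: a reflection-based regression check for the bug class the PR describes, where a value set on a keygroup KMS entry (here aws_profile) never reaches the master key. The types kmsEntry and masterKey and both builder functions are hypothetical stand-ins, and the check generalizes from aws_profile to every string field of the entry.

```go
package main

import (
	"fmt"
	"reflect"
)

// kmsEntry is a hypothetical stand-in for a parsed keygroup KMS entry.
type kmsEntry struct{ Arn, Role, AwsProfile string }

// masterKey is a hypothetical stand-in for the key built from that entry.
type masterKey struct{ Arn, Role, AwsProfile string }

// buildDropping models the reported behaviour: aws_profile is parsed but not copied.
func buildDropping(e kmsEntry) masterKey {
	return masterKey{Arn: e.Arn, Role: e.Role}
}

// buildPropagating carries every configured field into the key.
func buildPropagating(e kmsEntry) masterKey {
	return masterKey{Arn: e.Arn, Role: e.Role, AwsProfile: e.AwsProfile}
}

// droppedFields fills each string field of kmsEntry with a unique sentinel,
// runs build, and returns the entry fields whose sentinel is absent from the key.
func droppedFields(build func(kmsEntry) masterKey) []string {
	var entry kmsEntry
	ev := reflect.ValueOf(&entry).Elem()
	for i := 0; i < ev.NumField(); i++ {
		ev.Field(i).SetString("sentinel-" + ev.Type().Field(i).Name)
	}
	key := reflect.ValueOf(build(entry))
	seen := map[string]bool{}
	for i := 0; i < key.NumField(); i++ {
		seen[key.Field(i).String()] = true
	}
	var dropped []string
	for i := 0; i < ev.NumField(); i++ {
		if !seen[ev.Field(i).String()] {
			dropped = append(dropped, ev.Type().Field(i).Name)
		}
	}
	return dropped
}

func main() {
	fmt.Println("dropping builder loses:", droppedFields(buildDropping))
	fmt.Println("propagating builder loses:", droppedFields(buildPropagating))
}
```

A check of this shape fails as soon as a new config field is added to the entry without being wired into the key, instead of surfacing later as a credentials error at encryption time.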