
sending method as msi but it is using az cli

Open sumanth342 opened this issue 2 years ago • 2 comments

Discussed in https://github.com/getsops/sops/discussions/1231

Originally posted by sumanth342, June 29, 2023: sending method as msi but it is using az cli

Group 0: FAILED
│   https://myvault.vault.azure.net/keys/sops-key/: FAILED
│   - | Invoking Azure CLI failed with the following error: exec:
│     | "az": executable file not found in $PATH
│
│ Recovery failed because no master key was able to decrypt the file. In
│ order for SOPS to recover the file, at least one key has to be successful,
│ but none were.
│
│   with data.sops_file.demo-secret,
│   on main.tf line 20, in data "sops_file" "demo-secret":
│   20: data "sops_file" "demo-secret" {

sumanth342 Jun 29 '23 16:06

More context:

Running an AKS cluster and running Atlantis to manage TF. Terraform deploys apps to a cluster w/ Helm, and we use Azure KeyVault for the secrets that we encode. We use the Sops TF provider around it.

The other part is that we are leveraging Azure Webhook Identity (the Azure Pod Identity replacement) to bind OIDC auth tokens for a ServiceAccount with an Azure Managed Identity.

The error above is what happens during a terraform plan - sops cannot auth with Azure, and sops is trying to leverage the az CLI as opposed to the msi method of auth.

Even if we set ENV vars in the pod (as per the doc) to set AUTH_METHOD=msi - it still fails. It's unclear where the problem lies - the Azure provider works with auth, but sops fails to pick up the env vars in the pod. I know it's the sops TF provider, which isn't supported by you, but from my understanding it looks like the provider is just a wrapper around sops. Chicken and the egg.

Hopefully this helps.

EZtheOG Jul 03 '23 18:07
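The comment above reports that the Azure provider authenticates but sops falls back to the az CLI. The script below is an added diagnostic (not code from the sops project or from anyone in this thread) that a defender can run inside the pod before a terraform plan to see which credential source is actually available to sops. It assumes the pod uses Azure Workload Identity, which injects AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE; the override variable name AUTH_METHOD is taken from the comment as written and may differ in your sops version, so treat it as an assumption.

```shell
#!/bin/sh
# Added diagnostic, not part of sops. Run inside the pod that executes
# terraform/sops to see which Azure credential sources are present.
#
# Assumptions (not from the sops project):
#   - Azure Workload Identity injects AZURE_CLIENT_ID, AZURE_TENANT_ID and
#     AZURE_FEDERATED_TOKEN_FILE into the pod.
#   - AUTH_METHOD is the override variable name as quoted in this issue.

# Print whether the named variable is set to a non-empty value.
# Returns 0 when present, 1 when missing.
report_var() {
  eval "val=\${$1:-}"
  if [ -n "$val" ]; then
    printf 'present  %s\n' "$1"
    return 0
  fi
  printf 'MISSING  %s\n' "$1"
  return 1
}

# Returns 0 when all three workload-identity variables are set and the
# federated token file is readable, 1 otherwise.
workload_identity_ready() {
  ok=0
  report_var AZURE_CLIENT_ID || ok=1
  report_var AZURE_TENANT_ID || ok=1
  report_var AZURE_FEDERATED_TOKEN_FILE || ok=1
  if [ -n "${AZURE_FEDERATED_TOKEN_FILE:-}" ] && [ ! -r "$AZURE_FEDERATED_TOKEN_FILE" ]; then
    printf 'MISSING  token file %s is not readable\n' "$AZURE_FEDERATED_TOKEN_FILE"
    ok=1
  fi
  return $ok
}

# Returns 0 when an az binary is on PATH (so the CLI fallback could work),
# 1 when it is absent, which is the situation the error in this issue shows.
az_cli_available() {
  command -v az >/dev/null 2>&1
}

# Summary: which paths to a Key Vault token does this pod actually offer?
main() {
  echo "== Azure Workload Identity variables =="
  if workload_identity_ready; then wi=0; else wi=1; fi
  echo "== sops auth override (name as quoted in the issue) =="
  report_var AUTH_METHOD || true
  echo "== az CLI =="
  if az_cli_available; then
    echo "az found on PATH"
  else
    echo "az NOT on PATH (matches the 'executable file not found' error)"
  fi
  echo "== result =="
  if [ "$wi" -eq 0 ]; then
    echo "workload identity material is present; if sops still invokes az, the fallback order is the problem"
    return 0
  fi
  echo "no non-CLI credential source is complete in this environment"
  return 1
}

main "$@"
```

Run it with the same ServiceAccount and environment as the Atlantis/terraform container; if the result section says the workload identity material is present while sops still tries az, the environment is not the missing piece.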

I suspect this to be solved in v3.8.0, while taking into account some edge case details as described in https://github.com/getsops/sops/issues/1316#issuecomment-1750810101.

hiddeco Oct 09 '23 06:10