sops
error loading config: no matching creation rules found when encrypting with inline key parameters (e.g. `--age`, `--kms`)
Running the following command in a directory that doesn't contain .sops.yaml:
sops --age=age1xxfdafu5j4e5z7y5l6my6x07vjuh6unxersnwne4etpvykheq9gsj003fv -e mysecret.json
gives this result:
error loading config: no matching creation rules found
This is clearly a bug, since creation rules should not be required when a specific key is provided.
Effect:
- It's not backward-compatible with old shell scripts that use an env var and then loop over all files in a directory to encrypt them.
===
SOPS version: sops 3.9.4
I can't reproduce the issue in a clean directory:
$ mkdir /tmp/reproduce
$ cd /tmp/reproduce
$ echo '{"test": "value"}' > mysecret.json
$ sops --version
sops 3.9.4 (latest)
$ sops --age=age1xxfdafu5j4e5z7y5l6my6x07vjuh6unxersnwne4etpvykheq9gsj003fv -e mysecret.json
{
"test": "ENC[AES256_GCM,data:nbFjo0s=,iv:a1bYzjEVI+yGMD7VNtFU3OgAl5QJ6tbRj1ofIjvIZNo=,tag:SuyEWzpjFBmGaBYLtWsDcg==,type:str]",
"sops": {
...
}
}
Would you have something in your environment variables?
env | grep -i sops
I've already used it without any errors. Maybe I'm wrong, although according to `history | grep` I tried this many times yesterday.
Do you have a .sops.yaml in the directory or somewhere further up the tree? @duthils's reproducer likely won't have one (usually you don't have a SOPS config in / or /tmp/), but depending on where you run sops you might have one.
@felixfontein @duthils
You're right. It only throws an error when there's a .sops.yaml in a parent directory. However, it only errors in some cases where .sops.yaml does not cover the sub-dir. It's hard to describe in English, but I'll give you some test cases so you can reproduce it.
I reproduced it with the steps below.
Test cases
Prepare a directory for testing (remove $HOME/dosthsops afterwards to clean up):
cd $HOME
mkdir dosthsops
cd dosthsops
touch .sops.yaml
echo '{"test": "value"}' > mysecret1.json
mkdir not-registed-path && echo '{"test": "value"}' > not-registed-path/mysecret2.json
mkdir registed-path && echo '{"test": "value"}' > registed-path/mysecret3.json
test case 1: -> .sops.yaml is an empty file
cd $HOME/dosthsops
rm .sops.yaml
touch .sops.yaml
echo
echo "secret1"
sops --age=age1xxfdafu5j4e5z7y5l6my6x07vjuh6unxersnwne4etpvykheq9gsj003fv -e mysecret1.json
echo
echo "secret2"
sops --age=age1xxfdafu5j4e5z7y5l6my6x07vjuh6unxersnwne4etpvykheq9gsj003fv -e not-registed-path/mysecret2.json
echo
echo "cd && secret2"
cd not-registed-path && sops --age=age1xxfdafu5j4e5z7y5l6my6x07vjuh6unxersnwne4etpvykheq9gsj003fv -e mysecret2.json
cd -
echo
echo "secret3"
sops --age=age1xxfdafu5j4e5z7y5l6my6x07vjuh6unxersnwne4etpvykheq9gsj003fv -e registed-path/mysecret3.json
echo
echo "cd && secret3"
cd registed-path && sops --age=age1xxfdafu5j4e5z7y5l6my6x07vjuh6unxersnwne4etpvykheq9gsj003fv -e mysecret3.json
cd -
test case 2: -> .sops.yaml has empty rules
cd $HOME/dosthsops
rm .sops.yaml
cat >> .sops.yaml<< EOF
creation_rules: []
EOF
echo
echo "secret1"
sops --age=age1xxfdafu5j4e5z7y5l6my6x07vjuh6unxersnwne4etpvykheq9gsj003fv -e mysecret1.json
echo
echo "secret2"
sops --age=age1xxfdafu5j4e5z7y5l6my6x07vjuh6unxersnwne4etpvykheq9gsj003fv -e not-registed-path/mysecret2.json
echo
echo "cd && secret2"
cd not-registed-path && sops --age=age1xxfdafu5j4e5z7y5l6my6x07vjuh6unxersnwne4etpvykheq9gsj003fv -e mysecret2.json
cd -
echo
echo "secret3"
sops --age=age1xxfdafu5j4e5z7y5l6my6x07vjuh6unxersnwne4etpvykheq9gsj003fv -e registed-path/mysecret3.json
echo
echo "cd && secret3"
cd registed-path && sops --age=age1xxfdafu5j4e5z7y5l6my6x07vjuh6unxersnwne4etpvykheq9gsj003fv -e mysecret3.json
cd -
test case 3: -> .sops.yaml has a rule matching the sub-dir
cd $HOME/dosthsops
rm .sops.yaml
cat >> .sops.yaml<< EOF
creation_rules:
  - path_regex: registed-path/.*\.(json|yaml|yml|env|txt)$
    age: "age15sq7kls08hzq8djpn26dda0fna3ccnw038568gcul9amjjjdaedq4xg2rr"
    encrypted_regex: "^(data|stringData)$"
EOF
echo
echo "secret1"
sops --age=age1xxfdafu5j4e5z7y5l6my6x07vjuh6unxersnwne4etpvykheq9gsj003fv -e mysecret1.json
echo
echo "secret2"
sops --age=age1xxfdafu5j4e5z7y5l6my6x07vjuh6unxersnwne4etpvykheq9gsj003fv -e not-registed-path/mysecret2.json
echo
echo "cd && secret2"
cd not-registed-path && sops --age=age1xxfdafu5j4e5z7y5l6my6x07vjuh6unxersnwne4etpvykheq9gsj003fv -e mysecret2.json
cd -
echo
echo "secret3"
sops --age=age1xxfdafu5j4e5z7y5l6my6x07vjuh6unxersnwne4etpvykheq9gsj003fv -e registed-path/mysecret3.json
echo
echo "cd && secret3"
cd registed-path && sops --age=age1xxfdafu5j4e5z7y5l6my6x07vjuh6unxersnwne4etpvykheq9gsj003fv -e mysecret3.json
cd -
test case 4: -> .sops.yaml has rules, but none matching any sub-dir
cd $HOME/dosthsops
rm .sops.yaml
cat >> .sops.yaml<< EOF
creation_rules:
  - path_regex: something-else/.*\.(json|yaml|yml|env|txt)$
    age: "age15sq7kls08hzq8djpn26dda0fna3ccnw038568gcul9amjjjdaedq4xg2rr"
    encrypted_regex: "^(data|stringData)$"
EOF
echo
echo "secret1"
sops --age=age1xxfdafu5j4e5z7y5l6my6x07vjuh6unxersnwne4etpvykheq9gsj003fv -e mysecret1.json
echo
echo "secret2"
sops --age=age1xxfdafu5j4e5z7y5l6my6x07vjuh6unxersnwne4etpvykheq9gsj003fv -e not-registed-path/mysecret2.json
echo
echo "cd && secret2"
cd not-registed-path && sops --age=age1xxfdafu5j4e5z7y5l6my6x07vjuh6unxersnwne4etpvykheq9gsj003fv -e mysecret2.json
cd -
echo
echo "secret3"
sops --age=age1xxfdafu5j4e5z7y5l6my6x07vjuh6unxersnwne4etpvykheq9gsj003fv -e registed-path/mysecret3.json
echo
echo "cd && secret3"
cd registed-path && sops --age=age1xxfdafu5j4e5z7y5l6my6x07vjuh6unxersnwne4etpvykheq9gsj003fv -e mysecret3.json
cd -
Result
- test cases 1 & 3 -> ok
- test cases 2 & 4 -> error
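To make the split between the "ok" and "error" cases concrete, here is a small model of the creation-rule lookup behind the four test cases above. It is an added illustration, not sops' own code, and it assumes the documented rule selection: find .sops.yaml by walking up from the current directory, take the first rule whose `path_regex` (searched unanchored, as Go's `regexp.MatchString` does) matches the file path relative to the config's directory, and treat a config with no `creation_rules` key at all as if no config existed, while an explicit empty list is a list with no match. The configs are written in JSON flow style, which is valid YAML, so the standard-library `json` module parses them without PyYAML; the directory layout and file contents are constructed sample data mirroring the steps above. It also includes a `preflight()` helper for the "loop over all files in a directory" script mentioned in the issue, which lists the files that would hit the error before any `sops -e` call is made.

```python
"""Model of sops' creation-rule lookup (added illustration, not sops code).
Assumes: config found by walking up from cwd; first rule whose path_regex
matches (unanchored) the path relative to the config dir wins; a rule with
no path_regex matches everything; no creation_rules key == no config."""
import json
import os
import re
import tempfile

CONFIG_NAME = ".sops.yaml"
NO_MATCH = "error loading config: no matching creation rules found"

# The four .sops.yaml contents from the test cases, in JSON flow style (valid YAML).
CASES = [
    ("case1 empty file", ""),
    ("case2 empty rules", '{"creation_rules": []}'),
    ("case3 rule for sub-dir",
     r'{"creation_rules": [{"path_regex": "registed-path/.*\\.(json|yaml|yml|env|txt)$"}]}'),
    ("case4 rule for other dir",
     r'{"creation_rules": [{"path_regex": "something-else/.*\\.(json|yaml|yml|env|txt)$"}]}'),
]

# (label, directory to cd into, argument given to `sops -e`), as in the test cases.
INVOCATIONS = [
    ("secret1", "", "mysecret1.json"),
    ("secret2", "", "not-registed-path/mysecret2.json"),
    ("cd && secret2", "not-registed-path", "mysecret2.json"),
    ("secret3", "", "registed-path/mysecret3.json"),
    ("cd && secret3", "registed-path", "mysecret3.json"),
]


def find_config_file(start_dir):
    """First .sops.yaml found walking from start_dir up to the filesystem root."""
    cur = os.path.abspath(start_dir)
    while True:
        candidate = os.path.join(cur, CONFIG_NAME)
        if os.path.isfile(candidate):
            return candidate
        parent = os.path.dirname(cur)
        if parent == cur:
            return None
        cur = parent


def load_config(config_path):
    """Empty file -> None (empty YAML document); this differs from creation_rules: []."""
    with open(config_path) as fh:
        text = fh.read().strip()
    return json.loads(text) if text else None


def creation_rule_for(config_path, file_path):
    """Return (rule, error) for file_path under the given config."""
    config = load_config(config_path)
    rules = None if config is None else config.get("creation_rules")
    if rules is None:  # no creation_rules key at all: behaves like no config
        return None, None
    config_dir = os.path.dirname(os.path.abspath(config_path))
    rel = os.path.relpath(os.path.abspath(file_path), config_dir)
    for rule in rules:  # first match wins; empty path_regex matches everything
        regex = rule.get("path_regex", "")
        if regex == "" or re.search(regex, rel):
            return rule, None
    return None, NO_MATCH  # explicit empty list, or nothing matched


def check_file(cwd, file_arg):
    """Error sops would report (or None) for `cd cwd && sops --age=... -e file_arg`."""
    config_path = find_config_file(cwd)
    if config_path is None:
        return None
    return creation_rule_for(config_path, os.path.join(cwd, file_arg))[1]


def preflight(cwd, name_pattern=r"\.(json|yaml|yml|env|txt)$"):
    """For a batch script: files under cwd that would fail when encrypted from cwd."""
    failing = []
    for dirpath, _, names in os.walk(cwd):
        for name in names:
            if name == CONFIG_NAME or not re.search(name_pattern, name):
                continue
            rel = os.path.relpath(os.path.join(dirpath, name), cwd)
            if check_file(cwd, rel) == NO_MATCH:
                failing.append(rel)
    return sorted(failing)


def run_cases(root):
    """{case: {invocation: error-or-None}} for the four configs in the tree at root."""
    results = {}
    for case, config_text in CASES:
        with open(os.path.join(root, CONFIG_NAME), "w") as fh:
            fh.write(config_text)
        results[case] = {label: check_file(os.path.join(root, sub), arg)
                         for label, sub, arg in INVOCATIONS}
    return results


def demo():
    """Build the dosthsops layout in a temp dir; return (case results, case-3 preflight)."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("mysecret1.json", "not-registed-path/mysecret2.json",
                    "registed-path/mysecret3.json"):  # constructed sample files
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w") as fh:
                fh.write('{"test": "value"}\n')
        results = run_cases(root)
        with open(os.path.join(root, CONFIG_NAME), "w") as fh:
            fh.write(CASES[2][1])  # case 3 config for the pre-flight
        failing = preflight(root)
    return results, failing


if __name__ == "__main__":
    results, failing = demo()
    for case, outcomes in results.items():
        print(case, {k: (v or "ok") for k, v in outcomes.items()})
    print("case 3 pre-flight, files with no matching rule:", failing)
```

Two things the model surfaces that the per-case summary above does not spell out: in case 3, `mysecret1.json` has no matching rule (the regex only covers `registed-path/`), and `not-registed-path/mysecret2.json` does match because the unanchored search finds `registed-path/mysecret2.json` inside it, so anchor such regexes with `^` if that is not what you want. Both follow from the assumed matching semantics, so check them against your own sops build.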
I'm also facing this exact problem.
However, in my case the --output option is also involved, and one would expect that value to be matched against the creation rules, but it isn't.