sops icon indicating copy to clipboard operation
sops copied to clipboard
verified publisher icon getsops

Use multiple KMS keys from different AWS accounts

Open awwitecki opened this issue 5 years ago • 9 comments

I've got KMS keys on accounts A and B. I need to be able to decrypt my secrets with both A and B keys. Sadly, due to security limitations I cannot use SOPS feature which assumes AWS role with the access to other account resources.

The work around I was thinking about was:

  1. Assume role for AWS account A
  2. Create encrypted file with key A
  3. Open encrypted file for manual edition with sops -s -i <file>
  4. Add there new arn to KMS entries
  5. Assume role for AWS account B
  6. Save the file and close the editor which should trigger adding my additional KMS key from account B (I presume at this moment current encryption key is already encrypted so there's no need to reach account A since SOPS only needs to encrypt it with account B - is this correct?)

Alas, when I close the editor I receive:

[CMD]	 ERRO[0020] SOPS metadata is invalid. Press a key to return to the editor, or Ctrl+C to exit.  error="parsing time \"\" as \"2006-01-02T15:04:05Z07:00\": cannot parse \"\" as \"2006\""

Is it a known issue? Maybe I open it wrong. Are there any other solutions to my problem? I was also trying updatekeys and --add-kms options but these requires both AWS accounts to be reachable at the same time.

awwitecki avatar Apr 06 '20 12:04 awwitecki

The error you're getting seems to be due to a missing field containing the key's update time, probably in the key you've added.

I'd do it this way:

  1. Create file encrypted with PGP (ideally with a temporary key)
  2. Assume role for AWS account A
  3. Add KMS key A to file with sops updatekeys
  4. Assume role for AWS account B
  5. Add KMS key B to file with sops updatekeys
  6. Remove PGP key from file, and ideally delete the PGP private key.

This should work AFAICT. SOPS should not need to touch key A on step 5. You should just need a single key to always be available for decryption (which is what the PGP key achieves).

autrilla avatar Apr 06 '20 13:04 autrilla

Unfortunately this approach doesn't work. SOPS detects an addition of new KMS key from account B, but it still wants to re-encrypt the existing data key so it also wants to use the one from account A:

2020/04/06 17:44:23 Syncing keys for file <file>
The following changes will be made to the file's groups:
Group 1
    <PGP_FP>
    <Account A KMS key ARN>
+++ <Account B KMS key ARN>
error updating one or more master keys: [failed to encrypt new data key with master key "<Account A KMS key ARN>": Failed to call KMS encryption service: AccessDeniedException:
	status code: 400, request id: ...]

awwitecki avatar Apr 06 '20 15:04 awwitecki

That's definitely a bug. SOPS should not need to encrypt with that key again. It appears we already have https://github.com/mozilla/sops/issues/442 open for this issue. Have you tested whether --add-kms breaks like this as well? I would expect it to break for the case you mentioned originally, but not for the process I suggested. If it doesn't work either, we should expand #442 to include --add-kms as well.

autrilla avatar Apr 06 '20 16:04 autrilla

For sops -r -i --add-kms "<Account B KMS key ARN>" <file> things are getting even more interesting. The outcome is an empty file. No output messages. echo $? states 0. Btw. sops -v gives me sops 3.5.0 (latest)

awwitecki avatar Apr 06 '20 16:04 awwitecki

Ah, using -r is going to break because it will rotate the data key and that does require reencryption.

And -r/--rotate is the only mode --add-kms works with :(.

autrilla avatar Apr 06 '20 16:04 autrilla

For sops -r -i --add-kms "<Account B KMS key ARN>" <file> things are getting even more interesting. The outcome is an empty file. No output messages. echo $? states 0. Btw. sops -v gives me sops 3.5.0 (latest)

Try passing in --aws-profile along with the kms key

gregorygtseng avatar Jan 14 '21 02:01 gregorygtseng

Try passing in --aws-profile along with the kms key

this worked for me - the above issues also all replicated

dkotik avatar Feb 19 '21 08:02 dkotik

Same issue with sops 3.5.0. Only single kms entry working, it's caching this somehow and if you want to use separate kms, it will always read inital key.

Upgrading to >=v3.6.1 works!

rawc0der avatar Apr 09 '21 15:04 rawc0der

Hello everyone.

I'm not sure if this is a regression, but updatekeys command in version 3.9.4 fails, when multiple Amazon KMS keys from different accounts are used:

$ cat .sops.yaml
creation_rules:
  - pgp: >-
      F745[REDACTED]
    kms: >-
      arn:aws:kms:eu-central-1:ACCOUNT_A:alias/sops,
      arn:aws:kms:eu-central-1:ACCOUNT_B:alias/sops

$ sops updatekeys vendors.yaml
2025/02/27 16:33:32 Syncing keys for file vendors.yaml
The following changes will be made to the file's groups:
Group 1
    F745[REDACTED]
    arn:aws:kms:eu-central-1:ACCOUNT_A:alias/sops
+++ arn:aws:kms:eu-central-1:ACCOUNT_B:alias/sops
Is this okay? (y/n):y

Error:

error updating one or more master keys: [failed to encrypt new data key with master key "arn:aws:kms:eu-central-1:ACCOUNT_A:alias/sops": failed to encrypt sops data key with AWS KMS: operation error KMS: Encrypt, https response error StatusCode: 400, RequestID: 8a7a02b3-[REDACTED], api error AccessDeniedException: User: arn:aws:sts::ACCOUNT_B:assumed-role/[REDACTED] is not authorized to perform: kms:Encrypt on this resource because the resource does not exist in this Region, no resource-based policies allow access, or a resource-based policy explicitly denies access]

dytyniuk avatar Feb 27 '25 15:02 dytyniuk