
AWS SSO Users cannot encrypt/decrypt files using KMS Keys

Open sahangunathilaka opened this issue 5 years ago • 14 comments

Scenario

I have configured a profile for an AWS SSO User in AWS CLI (version 2.0.10). This SSO User has administrative access permission in the AWS Account. I have created a KMS Key, and the AWS IAM Role which was automatically created for this AWS SSO User (based on the permission set) has been added to the key policy to allow the following actions.

"Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
],
"Resource": "*"

Problem

Cannot encrypt files with this AWS SSO User. I tried both ways to point to the key ARN, exporting the SOPS_KMS_ARN environment variable and also providing it directly with --kms <arn-of-the-key>. Commands were executed in verbose mode to see logs too. The error appears as below.

[AWSKMS] INFO[0012] Encryption failed arn="arn:aws:kms:<region>:<account-id>:key/<key-id>" Error encrypting the data key with one or more master keys: [failed to encrypt new data key with master key "arn:aws:kms:<region>:<account-id>:key/<key-id>": Failed to call KMS encryption service: NoCredentialProviders: no valid providers in chain. Deprecated. For verbose messaging see aws.Config.CredentialsChainVerboseErrors]

I have given the KMS Key ARN in the correct way and everything works for AWS IAM Users. The issue is only when using AWS SSO Users. Is there anything related to this situation?

SOPS Version: 3.5.0

sahangunathilaka avatar Sep 02 '20 09:09 sahangunathilaka

Workaround: create the ~/.aws/credentials file (EDIT: also works with exported variables) using your SSO login page and selecting "Command line or programmatic access".

See:

  1. https://aws.amazon.com/blogs/security/aws-single-sign-on-now-enables-command-line-interface-access-for-aws-accounts-using-corporate-credentials/
  2. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html

To me this is only a workaround; I think that sops should support AWS SSO "temporary credentials" as per: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html#sso-using-profile

filippobuletto avatar Oct 02 '20 13:10 filippobuletto

Thanks for the workaround @filippobuletto It is working with exported variables!

sahangunathilaka avatar Oct 05 '20 03:10 sahangunathilaka

See also aws2-wrap; we've had good results with that.

st33v avatar Dec 16 '20 21:12 st33v

In cases like this one, or other similar cases where AWS SSO results in incompatibilities with your library and you don't want to play with workarounds or complicated fixes, maybe you can give a try to our open-source project: https://github.com/Noovolari/leapp. It deals with AWS SSO authentication and accounts/roles retrieval, then it creates short-lived temporary credentials in .aws/credentials to maximize compatibility with third-party tools/SDKs.

urz9999 avatar Jan 14 '21 11:01 urz9999

> see also aws2-wrap we've had good results with that.

Works amazingly well. Thx.

marijus-ravickas avatar Jan 13 '23 08:01 marijus-ravickas

BTW, I initially thought this would not work, but when I tried to do sso login first and only then used:

env AWS_REGION=... AWS_PROFILE=... sops ...

where the AWS_PROFILE I'm passing looks kind of like this in ~/.aws/config:

[profile system_admin]
sso_start_url = https://ourlogin.awsapps.com/start
sso_region = us-east-1
sso_account_id = ...
sso_role_name = system_admin

it seems to work for me.

I need to roll out sops all the way to verify everything e2e, but so far so good.

dpc avatar Mar 04 '23 22:03 dpc

I am seeing this error as well on the latest sops, 3.7.3. I am confused because the linked PRs say SSO is supported, but maybe just not the KMS Key portion. Are there any plans to fix this?

lorelei-rupp-imprivata avatar Mar 08 '23 20:03 lorelei-rupp-imprivata

> but maybe just not the KMS Key portion

Can you please explain? I thought the KMS is just an ARN. I don't see where SSO is involved.

dpc avatar Mar 08 '23 22:03 dpc

@dpc it appears the new AWS method of setting up your SSO profile breaks this. Using the legacy method does not. This page, https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html, shows the two methods; the recommended method is what now breaks: https://docs.aws.amazon.com/cli/latest/userguide/sso-configure-profile-token.html

The legacy method sops works with. When you configure with the new method you end up with an aws config that has two sections, an sso section and a profile section, and this is where sops breaks on kms decrypt/encrypt.

It's the access to the key that sops is having trouble with under the new auth method.

lorelei-rupp-imprivata avatar Mar 09 '23 12:03 lorelei-rupp-imprivata

Oh. I see. Thanks!

If anyone is interested in fixing it, you can try go install on https://github.com/mozilla/sops/pull/1179 . If it works, then see if you can fix the mocking in tests and get it merged. I'm not a golang dev, so it's unclear to me what approach to take, but it doesn't look like all that hard to get over the finish line.

dpc avatar Mar 09 '23 17:03 dpc

> When you configure with the new method you end up with a aws config that has two sections a sso section and a profile section and this is where sops breaks on kms decrypt encrypt

@lorelei-rupp-imprivata I was having the same issue with version 3.7.1:

Group 0: FAILED
  arn:aws:kms:eu-west-3:xxxxxxxxx:alias/xxxxxxxx: FAILED
    - | Error creating AWS session: profile "sso@account" is
      | configured to use SSO but is missing required configuration:
      | sso_region, sso_start_url

But I updated to the latest version (sops 3.9.2) and it works perfectly with the new method (an sso-session section and a profile section pointing to it).

Hope that helps.

lconsuegra avatar Dec 13 '24 06:12 lconsuegra

It doesn't work on sops 3.11.0 (latest) for me. Here is my command:

aws sso login --profile dev
sops --kms arn:aws:kms:us-east-1:393668382111:key/d0fe3d36-c6b7-4388-bcb2-123456789 --aws-profile "dev" 222.yaml

Error:

Error encrypting the data key with one or more master keys: [failed to encrypt new data key with master key "arn:aws:kms:us-east-1:393668382111:key/d0fe3d36-c6b7-4388-bcb2-12345678||dev": failed to encrypt sops data key with AWS KMS: operation error KMS: Encrypt, https response error StatusCode: 400, RequestID: e05e9078-4d07-4930-ba98-f235e73281a2, api error UnrecognizedClientException: The security token included in the request is invalid.]

It works fine when I set env variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN.

The aws cli command works fine as well:

aws kms encrypt --key-id d0fe3d36-c6b7-4388-bcb2-123456 --plaintext "test 1234" --output text --query CiphertextBlob --profile dev

Here are my configs:

  • ~/.aws/config

[profile dev]
region = us-east-1
sso_session = default
sso_account_id = 393668382111
sso_role_name = Dev-User-NA
output = json
[sso-session dev]
sso_start_url = https://d-123456.awsapps.com/start#
sso_region = us-east-2
sso_registration_scopes = sso:account:access

  • ~/.aws/credentials

[dev]
aws_access_key_id = A***************
aws_secret_access_key = B*******************************

agre1981 avatar Oct 29 '25 18:10 agre1981

According to AWS documentation, they keep sso credentials in ~/.aws/sso/cache/*.json

To get the current sso credentials, we can use

aws configure export-credentials --profile sso-profile --format env

agre1981 avatar Oct 29 '25 18:10 agre1981

I found this workaround:

eval $(aws configure export-credentials --profile dev --format env)
sops edit ./my.sops.yaml

or PowerShell:

aws configure export-credentials --profile dev --format powershell | Invoke-Expression

agre1981 avatar Nov 03 '25 17:11 agre1981
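An added helper script illustrating the export-credentials workaround above and the earlier ~/.aws/credentials workaround; it is not part of sops or the AWS CLI. It runs sops with the short-lived SSO credentials exported only inside a subshell, so nothing is written to ~/.aws/credentials and nothing lingers in the parent shell, and it checks that each `sso_session` in an AWS config file has a matching `[sso-session]` section, the link the new-style setup relies on. The `--format env` output shape (`export VAR=value` lines) and the function names are assumptions.

```shell
#!/usr/bin/env sh
# Hypothetical helper (not part of sops or the AWS CLI): run sops with the
# short-lived credentials that `aws configure export-credentials --format env`
# prints, exported only inside a subshell so they never persist in the parent
# shell or get written to ~/.aws/credentials.

# Constructed sample in the shape assumed for `--format env` output.
SAMPLE_SSO_ENV='export AWS_ACCESS_KEY_ID=ASIACONSTRUCTEDEXAMPLE
export AWS_SECRET_ACCESS_KEY=constructedsecretkey
export AWS_SESSION_TOKEN=constructedsessiontoken
export AWS_CREDENTIAL_EXPIRATION=2025-01-01T00:00:00Z'

# Return 0 only if the env text carries all three variables that make up one
# temporary credential; a partial set would let the SDK fall through to some
# other (possibly stale) credential source.
check_sso_env() {
  _env="$1"
  for var in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN; do
    printf '%s\n' "$_env" | grep -q "^export ${var}=" || return 1
  done
  return 0
}

# Run a command (e.g. sops) with those credentials in a throwaway subshell.
run_with_sso_env() {
  _env="$1"; shift
  check_sso_env "$_env" || {
    echo "incomplete SSO credentials; run 'aws sso login' first" >&2
    return 2
  }
  ( eval "$_env"; "$@" )
}

# Report every `sso_session = NAME` in an AWS config file that has no matching
# `[sso-session NAME]` section; returns 1 if any link is dangling.
check_sso_session_links() {
  _cfg="$1"; _rc=0
  for name in $(sed -n 's/^sso_session *= *\(.*\)$/\1/p' "$_cfg"); do
    grep -q "^\[sso-session ${name}\]" "$_cfg" || {
      echo "sso_session '${name}' has no [sso-session ${name}] section in ${_cfg}" >&2
      _rc=1
    }
  done
  return $_rc
}

# Real usage (needs the AWS CLI and an active `aws sso login --profile dev`):
#   check_sso_session_links ~/.aws/config
#   run_with_sso_env "$(aws configure export-credentials --profile dev --format env)" \
#     sops edit ./my.sops.yaml
```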