v0.37.3 is unable to decrypt using sops provider encrypted via KMS, 0.37.2 works perfectly.

[nnsense]

Hi, I've spent a few hours trying to find a reason why this isn't working but, since it fails even in its simplest form, it seems this is actually an issue and not my misunderstanding, or at least it seems so..

In short, I have a KMS key deployed into an AWS account, and a simple test.yaml file:

value: "1123j123j1j31j23"

Now, I encrypt this with sops

sops -e -i --kms arn:aws:kms:us-east-1:123456789:key/xyz123456-5e88-4683-b5e9-12345668a3b test.yaml

Taking into account that sops -d test.yaml correctly decrypt the file, this happens when I use vals:

$ vals get ref+sops://test.yaml#/value
expand sops://test.yaml#/value: Error getting data key: 0 successful groups required, got 0

If I check the file's sops data, it correctly shows the KMS ARN (which is expected since sops is working).

If I add an additional age key, vals works perfectly, which points this issue to the KMS.

The KMS I created for testing has open permissions, to check if that was the issue:

{
    "Version": "2012-10-17",
    "Id": "customPolicy",
    "Statement": [
         {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        }
    ]
}

I'm using an SSO user, but I can't see how this might affect vals, also sops works perfectly which is quite confusing.

I have the feeling I'm missing something simple.. can you please point me to the right direction?

Thanks guys :)