getsops / sops

Simple and flexible tool for managing secrets
https://getsops.io/
Mozilla Public License 2.0

key_groups should only require 1 group to decrypt minimum #1560

Open kriegster108 opened 1 month ago

kriegster108 commented 1 month ago

using sops 3.8.1

My .sops.yaml

I am able to encrypt and decrypt SOPS secrets using this configuration:

creation_rules:
- path_regex: \.yaml$
  key_groups:
  - kms:
    - arn: 'arn:'
      role: 'arn:'
  # - age:
  #       - ageblablabla

If I uncomment the age portion it fails to decrypt via this configuration:

creation_rules:
- path_regex: \.yaml$
  key_groups:
  - kms:
    - arn: 'arn'
      role: 'arn'
  - age:
        - ageblah

Error:

"sops_decrypt_file" failed: Error getting data key: 2 successful groups required, got 1.

This should still let me decrypt. I do not understand why we need two minimum. AGE encryption is a redundancy just in case something bad happens to KMS, and the AGE private key is not stored on my local machine.

The reason I am in this situation is that, based on the SOPS documentation, it appears the only way to have a KMS key configured which requires role assumption to encrypt/decrypt is to use the key_groups syntax above. There is no configuration I have found where SOPS will allow me to set a role in a creation rule other than this. How do I fix this?

kriegster108 commented 1 month ago

My solution for now, because I am using this alongside terragrunt, is to just use the sops terraform provider directly in my TF manifests instead of loading the file in using terragrunt's syntax.

felixfontein commented 1 month ago

Why don't you put all keys into the same group, if you want to decrypt with only one key?

creation_rules:
- path_regex: \.yaml$
  key_groups:
  - kms:
    - arn: 'arn'
      role: 'arn'
    age:
        - ageblah
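The error in the original report and the fix suggested above both follow from how sops treats key groups: with more than one `key_groups` entry, the file's data key is split with Shamir's Secret Sharing, one share per group, each share is encrypted to every key in its group, and the threshold defaults to the number of groups (it can be lowered with `shamir_threshold` in the creation rule). A single group with several keys is not split at all; the whole data key is encrypted to each key, so any one of them decrypts. The following is an added toy model of that behaviour, not sops code: the key identifiers are hypothetical placeholders, and "wrapping" a share is a keyed XOR standing in for KMS and age encryption. Real Shamir splitting and reconstruction over GF(2^127-1) is used so that the reporter's two-group layout, the single-group layout from the reply, and a two-group layout with `shamir_threshold: 1` can be compared with the same set of held keys.

```python
"""Toy model of how sops treats key_groups. Added illustration, not sops code."""
import hashlib
import secrets

# Shamir arithmetic is done in GF(P). 2**127 - 1 is prime, so the toy data key
# is 127 bits (real sops data keys are 32 bytes; the size is irrelevant here).
P = 2**127 - 1


class MasterKey:
    """Stand-in for a KMS key or an age recipient: it can wrap and unwrap an int."""

    def __init__(self, kid: str):
        self.kid = kid
        self._secret = secrets.token_bytes(32)  # only a holder of this object can unwrap

    def _pad(self) -> int:
        return int.from_bytes(hashlib.sha256(b"toy-wrap|" + self._secret).digest()[:16], "big")

    def wrap(self, value: int) -> int:
        return value ^ self._pad()  # toy: XOR pad stands in for KMS Encrypt / age encryption

    def unwrap(self, value: int) -> int:
        return value ^ self._pad()  # XOR is its own inverse


def _poly(coeffs, x):
    """Evaluate the polynomial with the given coefficients at x (Horner, mod P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def shamir_split(secret: int, n: int, k: int):
    """Split `secret` into n shares of which any k reconstruct it."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _poly(coeffs, x)) for x in range(1, n + 1)]


def shamir_combine(shares):
    """Lagrange interpolation at x = 0 over GF(P)."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def encrypt_data_key(data_key, key_groups, shamir_threshold=None):
    """Mimic what sops records for the data key.

    One group: the data key itself is wrapped to every key in the group.
    Several groups: the data key is Shamir-split, one share per group, and
    each share is wrapped to every key of its group. The threshold defaults
    to the number of groups, which is what produced the issue's error.
    """
    n = len(key_groups)
    if n == 1:
        threshold, shares = 0, [(1, data_key)]
    else:
        threshold = shamir_threshold or n
        shares = shamir_split(data_key, n, threshold)
    groups = [{"x": x, "wrapped": {mk.kid: mk.wrap(y) for mk in group}}
              for group, (x, y) in zip(key_groups, shares)]
    return {"shamir_threshold": threshold, "groups": groups}


def decrypt_data_key(meta, held_keys):
    """Recover the data key using only the master keys we actually hold."""
    held = {mk.kid: mk for mk in held_keys}
    recovered = []
    for g in meta["groups"]:
        # Any single key of a group is enough to recover that group's share.
        for kid, wrapped in g["wrapped"].items():
            if kid in held:
                recovered.append((g["x"], held[kid].unwrap(wrapped)))
                break
    if len(meta["groups"]) == 1:
        if not recovered:
            raise ValueError("Error getting data key: could not decrypt with any key")
        return recovered[0][1]
    threshold = meta["shamir_threshold"]
    if len(recovered) < threshold:
        raise ValueError(f"Error getting data key: {threshold} successful groups required, got {len(recovered)}")
    return shamir_combine(recovered[:threshold])


def run_scenarios():
    """The issue's configurations side by side. Key ids are hypothetical placeholders."""
    kms = MasterKey("arn:aws:kms:example")  # hypothetical; stands for the KMS key plus role
    age = MasterKey("age1example")          # hypothetical age recipient
    data_key = secrets.randbelow(P)
    results = {}

    def attempt(name, meta, held):
        try:
            results[name] = "ok" if decrypt_data_key(meta, held) == data_key else "wrong key"
        except ValueError as e:
            results[name] = str(e)

    two_groups = encrypt_data_key(data_key, [[kms], [age]])      # the reporter's .sops.yaml
    attempt("two_groups_kms_only", two_groups, [kms])            # reproduces the issue's error
    attempt("two_groups_both", two_groups, [kms, age])

    one_group = encrypt_data_key(data_key, [[kms, age]])         # the single-group layout from the reply
    attempt("one_group_kms_only", one_group, [kms])
    attempt("one_group_age_only", one_group, [age])

    relaxed = encrypt_data_key(data_key, [[kms], [age]], shamir_threshold=1)  # shamir_threshold: 1
    attempt("two_groups_threshold_1_age_only", relaxed, [age])
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:34} {outcome}")
```

Running it shows the two-group layout failing with only the KMS key held (the same "2 successful groups required, got 1" shape as the reported error), the single-group layout decrypting with either key alone, and the two-group layout decrypting with either key once the threshold is lowered to 1. The practical difference between the last two is that separate groups with `shamir_threshold: 1` still wrap each share independently, whereas one group wraps the complete data key to every key; for the redundancy goal stated in the issue both behave the same.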