getsops / sops

Simple and flexible tool for managing secrets
https://getsops.io/
Mozilla Public License 2.0

EC2 Instance Metadata #474

Open ericrini opened 5 years ago

ericrini commented 5 years ago

When running AWS SDK commands on an instance launched by EC2, the ~/.aws/credentials file is not required. Instead, the effective credentials for that instance can be retrieved from a private web service at http://169.254.169.254${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI}.

I can't get SOPS to work like this. I always receive the following error...

    Group 0: FAILED
        - | Error decrypting key: SharedCredsLoad: failed to load shared
          | credentials file
          | caused by: open /root/.aws/credentials: no such file or
          | directory

This is coming from within a terminal session where AWS CLI commands seem to work fine. For example, this will work even though the /root/.aws/credentials file is not present.

    > aws kms list-keys

I think it's a standard part of the AWS SDK. Do I need to do something to enable this behavior for SOPS?

What I'm trying to do is get an AWS CodeBuild instance to build my project. To do this, it needs to decrypt the configuration data file.

autrilla commented 5 years ago

This should indeed just work. What sops version are you using? Could you try a version prior to 3.3.0? I'm suspecting maybe the AWS profile support broke this.

pauln415 commented 5 years ago

I'm using version 3.4.0, and seeing this problem when aws_profile is specified in the encrypted file. I'm guessing that aws_profile takes precedence in sops or the AWS credentials provider.

    kms:
    -   arn: arn:aws:kms:us-west-2:123456778990:alias/sops
        created_at: '2019-10-10T06:34:08Z'
        enc: AQICAHi4q6NVD...
        aws_profile: "aws-foo"

    Group 0: FAILED
      arn:aws:kms:us-west-2:123456778990:alias/sops: FAILED
        - | Error decrypting key: SharedCredsLoad: failed to load shared
          | credentials file
          | caused by: FailedRead: unable to open file
          | caused by: open /home/me/.aws/credentials: no such file
          | or directory

Our use case is that on our laptops, we use an aws_profile which gets saved to the encrypted file, but when we check it in to version control, the CI pipeline uses an instance profile to decrypt the file. Is there any way to prefer an instance profile over an aws_profile?
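One CI-side workaround for the situation pauln415 describes, as an added example that is not from the issue thread or from sops itself: before calling sops on the build host, drop the `aws_profile` field from any kms entry whose profile is not defined in the local shared credentials file, so the AWS SDK falls back to its default credential chain (which on EC2 and CodeBuild includes the instance role). Entries whose profile does exist are left alone, so the same file keeps working on laptops. The script assumes the sops JSON layout, where the same kms metadata sits under the top-level `sops` key, and relies on sops computing its MAC over the encrypted values rather than over the kms metadata, so editing that metadata does not invalidate the file. The sample document and credentials file are constructed; the encrypted values are placeholders.

```python
import configparser
import json
from copy import deepcopy

# Constructed sample in the sops JSON layout: the kms block mirrors the YAML
# shown in the thread; the encrypted value and mac are placeholders.
SAMPLE_SOPS_JSON = json.dumps({
    "db_password": "ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]",
    "sops": {
        "kms": [{
            "arn": "arn:aws:kms:us-west-2:123456778990:alias/sops",
            "created_at": "2019-10-10T06:34:08Z",
            "enc": "AQICAHi4q6NVD...",
            "aws_profile": "aws-foo",
        }],
        "mac": "ENC[AES256_GCM,data:PLACEHOLDER,type:str]",
        "version": "3.4.0",
    },
})

# Constructed ~/.aws/credentials content for a laptop that defines the profile.
LAPTOP_CREDENTIALS = """
[aws-foo]
aws_access_key_id = AKIAEXAMPLEEXAMPLE
aws_secret_access_key = EXAMPLESECRETKEYEXAMPLESECRETKEY
"""


def profiles_in_credentials(ini_text):
    """Names of the profiles defined in a shared credentials file.

    Pass "" when the file is absent, which is the CI case in the thread.
    """
    parser = configparser.ConfigParser()
    parser.read_string(ini_text or "")
    return set(parser.sections())


def strip_unavailable_profiles(doc, available):
    """Return a copy of a parsed sops JSON document in which every kms entry
    naming a profile that is not defined on this host loses its aws_profile,
    plus the list of profiles that were dropped.

    Without aws_profile the AWS SDK uses its default chain (env vars, shared
    file, then EC2 instance metadata); entries whose profile exists locally
    are left untouched so laptops keep using their named profile.
    """
    out = deepcopy(doc)
    dropped = []
    for entry in out.get("sops", {}).get("kms", []) or []:
        profile = entry.get("aws_profile")
        if profile is not None and profile not in available:
            del entry["aws_profile"]
            dropped.append(profile)
    return out, dropped


def rewrite_for_host(sops_text, credentials_text):
    """Serialise the adjusted document for the current host.

    Only the kms metadata changes; the encrypted values and the mac entry
    pass through unchanged.
    """
    available = profiles_in_credentials(credentials_text)
    cleaned, dropped = strip_unavailable_profiles(json.loads(sops_text), available)
    return json.dumps(cleaned, indent=2), dropped


if __name__ == "__main__":
    # CI host: no shared credentials file at all.
    ci_text, ci_dropped = rewrite_for_host(SAMPLE_SOPS_JSON, "")
    print("CI host dropped profiles:", ci_dropped)
    print(ci_text)
    # Laptop: the profile is defined, so nothing is removed.
    _, laptop_dropped = rewrite_for_host(SAMPLE_SOPS_JSON, LAPTOP_CREDENTIALS)
    print("laptop dropped profiles:", laptop_dropped)
```

In a pipeline this would run once against the checked-in file (reading `~/.aws/credentials` if it exists, or passing an empty string if it does not) and write the result to a scratch path that `sops --decrypt` is then pointed at, leaving the committed file as-is.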

matt-simons commented 4 years ago

I'm seeing a similar issue, is there any known workaround?