getsops / sops

Simple and flexible tool for managing secrets
https://getsops.io/
Mozilla Public License 2.0

5 minutes in and an error has erased my secrets.yaml #703

Open colemickens opened 4 years ago

colemickens commented 4 years ago
> sops -r -i --add-azure-kv https://so...fe99 secrets.yaml
[AZKV]   ERRO[0001] Encryption failed                             error="keyvault.BaseClient#Encrypt: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code=\"Forbidden\" Message=\"The user, group or application 'appid=04b07795-8ddb-461a-bbee-02f9e1bf7b46;oid=1052deae-c635-4cb8-a30c-2eff122aff2f;numgroups=2;iss=https://sts.windows.net/13de0a15-b5db-44b9-b682-b4ba82afbd29/' does not have keys encrypt permission on key vault 'sops-b5078e18c0c34221;location=westus2'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287\" InnerError={\"code\":\"ForbiddenByPolicy\"}" key=sops-key version=6e538f7c6d714d138226082070d1fe99

> sops -r -i --add-azure-kv https://sops-b5078e18c0c34221.vault.azure.net/keys/sops-key/6e538f7c6d714d138226082070d1fe99 secrets.yaml

silently succeeds...

> cat secrets.yaml

># oh, there's nothing there

I guess this is because I used -i, but still... I don't think this should be expected behavior I hope.

autrilla commented 4 years ago

I don't know what you expected to go different here. What's the difference between the first sops call and the second one?

colemickens commented 4 years ago

It irrecoverably wiped secrets.yaml when the call to Azure failed...

I've just stopped using '-i' since it seems unsafe in cases like this.

On Fri, Jul 24, 2020, 07:31 Adrian Utrilla notifications@github.com wrote:

I don't know what you expected to go different here. What's the difference between the first sops call and the second one?

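The failure mode described above (an in-place edit that replaces the file before the key-service call has succeeded) is easy to avoid with a write-to-temp-then-rename wrapper. The following is an added example, not code from the sops project or from anyone in this thread: `safe_inplace` is a hypothetical POSIX sh function that runs a command with the target file as its last argument, captures stdout in a temp file in the same directory, and only swaps it over the original when the command exits 0 and produced non-empty output. It assumes the wrapped tool writes its result to stdout when not asked to edit in place (as sops does without `-i`).

```shell
#!/bin/sh
# Added example (not from the sops project). Safe replacement for "-i":
#   safe_inplace FILE CMD [ARGS...]
# CMD is invoked as: CMD ARGS... FILE, with stdout captured to a temp file.
# FILE is replaced (atomic rename) only if CMD exits 0 AND produced output,
# so a failed backend call (e.g. a 403 from a key vault) or an empty result
# leaves the original untouched.
safe_inplace() {
    file=$1; shift
    [ -f "$file" ] || { echo "safe_inplace: no such file: $file" >&2; return 1; }
    dir=$(dirname "$file")
    # mktemp in the same directory so the final mv is a rename, not a copy.
    tmp=$(mktemp "$dir/.$(basename "$file").XXXXXX") || return 1
    if "$@" "$file" > "$tmp"; then
        if [ -s "$tmp" ]; then
            mv -f "$tmp" "$file"
            return 0
        fi
        echo "safe_inplace: '$*' produced no output; $file left untouched" >&2
    else
        echo "safe_inplace: '$*' failed (exit $?); $file left untouched" >&2
    fi
    rm -f "$tmp"
    return 1
}

# Self-contained demo on a constructed file: a failing command must not
# destroy the content, a succeeding one must replace it.
# Returns 0 if both behaviours hold.
demo_safe_inplace() {
    d=$(mktemp -d) || return 1
    printf 'db_password: plain\n' > "$d/secrets.yaml"   # constructed sample
    # Simulated failed encryption backend (like the 403 in the thread).
    if safe_inplace "$d/secrets.yaml" sh -c 'exit 1'; then return 1; fi
    [ "$(cat "$d/secrets.yaml")" = "db_password: plain" ] || return 1
    # Simulated successful transform (stand-in for "sops -e" on stdout).
    safe_inplace "$d/secrets.yaml" sed 's/plain/ENC[...]/' || return 1
    [ "$(cat "$d/secrets.yaml")" = "db_password: ENC[...]" ] || return 1
    rm -rf "$d"
    return 0
}
```

Intended use with the command from the thread would be `safe_inplace secrets.yaml sops -r --add-azure-kv <key-url>` (no `-i`), so a rejected Key Vault request leaves `secrets.yaml` as it was. Note that `mktemp` creates the temp file mode 0600, so the replaced file ends up owner-only readable, which is usually what you want for a secrets file; adjust with `chmod` after the call if the original mode must be kept.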

colemickens commented 4 years ago

To elaborate:

I didn't realize that secrets.yaml was wiped, so I was also surprised that the second encrypt call worked.

It seems like: