Open notjames opened 3 years ago
I figured out the problem was with my .sops.yaml. My fixed config, which I basically intuited from examples in the README, is:
---
creation_rules:
  - kms: 'arn:aws:kms:us-east-1:<master-account REDACTED>:key/80f48cc5-<REDACTED>,arn:aws:kms:us-west-2:<master-account REDACTED>:key/541575ba-<REDACTED>'
    role: 'arn:aws:iam::429863676324:role/adminAssumeRole'
Can you reliably reproduce this? Getting a file in which there's no actual encryption key stored is definitely a bug. I've never seen that happen.
BTW, you probably want a path_regex in your creation rule.
I will go through my steps above with the config stated and see if I can reproduce this. I'll let you know.
> BTW, you probably want a path_regex in your creation rule.
The documentation for .sops.yaml is pretty bad. Use of the path_regex directive as stated in the doc is confusing if I have a single key that I want to use for everything.
The previously cross-referenced issues show that this issue frequently happens when the .sops.yaml file is incorrect but at least contains some data in creation_rules.
Another example:
.sops.yaml
creation_rules:
- wwwww:
$ sops --verbose --encrypt test.yaml
example_string: ENC[AES256_GCM,data:XtEe,iv:3XrUiyrmq99ymFHx8fdfeq13ymCrfgBQYc08Xi1hsBs=,tag:M0iLmrRT7TuFj8ix6YiQLA==,type:str]
example_number: ENC[AES256_GCM,data:KQs=,iv:Kr9Zw4aK3B9GLczfAmH98Onmz7n6lRIa83inRtfhEes=,tag:jhAU/fLMECIWE8YEitfTRw==,type:int]
example_map:
    secret_key: ENC[AES256_GCM,data:ZLzikH0=,iv:+Mz/Z6F4LpNhhIHf74u4QAMae9VbBTVZRDqKlq2lSJI=,tag:NKTPqY7ydFjIRLjmYdOK2A==,type:str]
sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age: []
    lastmodified: "2023-02-13T10:46:59Z"
    mac: ENC[AES256_GCM,data:+xy+u2p7QIB8ULKzZpc+xRZnWPvshY9pyjpCfE7U/YEjj8+rN5fFyj27SDCQ7e3136vODbgNKsfVdrHxEhHEcz7EihcsZDMh9EI5kcbQ5iqVdsZr7n9VIVyXs+xN1sqpeeLmcDSc0zIZnQu/ssFXTsOMbsUbVXtdSWGMB453GQo=,iv:goMaKDPfaWjNa9CCtgHh/AcCRd9quulrXaAHBvcqx6w=,tag:OgirtKzLyMWmhKHq998hAQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.3
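The keyless output above is the failure mode that matters: encryption appears to succeed, but with every master-key list empty the data key dies with the process and the file can never be decrypted. The script below is an added example (not sops project code and not from anyone in this thread) that lints parsed creation rules before encrypting, covering the path_regex point raised earlier, and checks a parsed encrypted document afterwards. The creation-rule key set is assumed from the sops 3.7 README; the account and key IDs in the fixed rule are placeholders; the sample documents are constructed here, with the ENC values copied from the output quoted above.

```python
"""Guardrails for the failure shown in this thread: a creation rule that
names no master key, and the resulting file whose `sops` block lists no
keys at all (kms: [], age: [], pgp: [] ...), so the data key is lost.

Added example, not sops project code. Assumptions: RULE_KEYS is the set of
creation-rule keys documented for the sops 3.7 series; ENC values carry a
32-byte IV and a 16-byte GCM tag as in the output quoted in the thread.
Standard library only; documents are plain dicts (load them with any
YAML/JSON loader), and the samples at the bottom are constructed here.
"""
import base64
import binascii
import re

# Assumption: creation-rule keys per the sops 3.7 README. As the thread's
# `wwwww` rule shows, sops ignores unknown keys instead of rejecting them.
RULE_KEYS = {
    "path_regex", "kms", "aws_profile", "age", "pgp", "gcp_kms",
    "azure_keyvault", "hc_vault_transit_uri", "key_groups",
    "shamir_threshold", "encrypted_suffix", "unencrypted_suffix",
    "encrypted_regex", "unencrypted_regex",
}
KEY_SOURCES = {"kms", "age", "pgp", "gcp_kms", "azure_keyvault",
               "hc_vault_transit_uri", "key_groups"}
META_GROUPS = ("kms", "gcp_kms", "azure_kv", "hc_vault", "age", "pgp")
ENC_RE = re.compile(
    r"^ENC\[AES256_GCM,data:(?P<data>[^,\]]*),iv:(?P<iv>[^,\]]*),"
    r"tag:(?P<tag>[^,\]]*),type:(?P<type>[a-z]+)\]$")


def lint_creation_rules(config):
    """Problems with a parsed .sops.yaml; [] means the rules look usable."""
    problems = []
    rules = config.get("creation_rules")
    if not isinstance(rules, list) or not rules:
        return ["creation_rules missing or empty"]
    for i, rule in enumerate(rules):
        if not isinstance(rule, dict):
            problems.append(f"rule {i}: not a mapping")
            continue
        for key in sorted(set(rule) - RULE_KEYS):
            problems.append(f"rule {i}: {key!r} is not a creation-rule key")
        if not set(rule) & KEY_SOURCES:
            problems.append(f"rule {i}: no master key source, "
                            "output would be unrecoverable")
        # Rules are matched first-match-wins; a rule without path_regex
        # matches everything, so anything after it is dead configuration.
        if "path_regex" not in rule and i < len(rules) - 1:
            problems.append(f"rule {i}: no path_regex, so it matches every "
                            "file and later rules are never reached")
    return problems


def _b64_len(value):
    try:
        return len(base64.b64decode(value, validate=True))
    except (binascii.Error, ValueError):
        return -1


def _walk(node, path, suffix, problems):
    if isinstance(node, dict):
        for key, child in node.items():
            if not path and key == "sops":
                continue  # metadata block, checked separately
            if suffix and str(key).endswith(suffix):
                continue  # deliberately left in plaintext by the suffix rule
            _walk(child, f"{path}.{key}" if path else str(key), suffix, problems)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            _walk(child, f"{path}[{i}]", suffix, problems)
    elif isinstance(node, str):
        m = ENC_RE.match(node)
        if not m:
            problems.append(f"{path}: plaintext string in encrypted file")
        elif _b64_len(m["iv"]) != 32 or _b64_len(m["tag"]) != 16:
            problems.append(f"{path}: malformed iv/tag")
    elif node is not None:
        problems.append(f"{path}: unencrypted {type(node).__name__} value")


def check_encrypted_doc(doc):
    """Problems with a sops-encrypted document parsed to a dict."""
    meta = doc.get("sops")
    if not isinstance(meta, dict):
        return ["no `sops` metadata: file is not sops-encrypted"]
    problems = []
    if not any(meta.get(g) for g in META_GROUPS):
        problems.append("no master keys in sops metadata: the data key is "
                        "unrecoverable, so the file can never be decrypted")
    for field in ("mac", "version", "lastmodified"):
        if field not in meta:
            problems.append(f"sops metadata lacks {field}")
    _walk(doc, "", meta.get("unencrypted_suffix", "_unencrypted"), problems)
    return problems


# Constructed samples: the thread's broken rule, a fixed rule with
# placeholder IDs, and the thread's keyless output (ENC values copied).
BROKEN_CONFIG = {"creation_rules": [{"wwwww": None}]}
FIXED_CONFIG = {"creation_rules": [{
    "path_regex": r"\.enc\.yaml$",
    "kms": "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"
           "+arn:aws:iam::123456789012:role/adminAssumeRole",
}]}
KEYLESS_DOC = {
    "example_string": "ENC[AES256_GCM,data:XtEe,iv:3XrUiyrmq99ymFHx8fdfeq13ymCrfgBQYc08Xi1hsBs=,"
                      "tag:M0iLmrRT7TuFj8ix6YiQLA==,type:str]",
    "example_number": "ENC[AES256_GCM,data:KQs=,iv:Kr9Zw4aK3B9GLczfAmH98Onmz7n6lRIa83inRtfhEes=,"
                      "tag:jhAU/fLMECIWE8YEitfTRw==,type:int]",
    "example_map": {"secret_key": "ENC[AES256_GCM,data:ZLzikH0=,"
                                  "iv:+Mz/Z6F4LpNhhIHf74u4QAMae9VbBTVZRDqKlq2lSJI=,"
                                  "tag:NKTPqY7ydFjIRLjmYdOK2A==,type:str]"},
    "sops": {"kms": [], "gcp_kms": [], "azure_kv": [], "hc_vault": [], "age": [],
             "pgp": [], "lastmodified": "2023-02-13T10:46:59Z",
             "mac": "ENC[AES256_GCM,data:+xy+u2p7QIB8ULKzZpc+xRZnWPvshY9pyjpCfE7U/YEjj8+rN5fFyj27"
                    "SDCQ7e3136vODbgNKsfVdrHxEhHEcz7EihcsZDMh9EI5kcbQ5iqVdsZr7n9VIVyXs+xN1sqpeeLmcDSc"
                    "0zIZnQu/ssFXTsOMbsUbVXtdSWGMB453GQo=,iv:goMaKDPfaWjNa9CCtgHh/AcCRd9quulrXaAHBvcqx6w=,"
                    "tag:OgirtKzLyMWmhKHq998hAQ==,type:str]",
             "unencrypted_suffix": "_unencrypted", "version": "3.7.3"},
}

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name} config:", lint_creation_rules(cfg) or "ok")
    print("keyless output:", check_encrypted_doc(KEYLESS_DOC))
```

Run the lint against your .sops.yaml before the first `sops -e`, and run the document check on the encrypted output in CI before it is committed: a file that passes encryption but fails the second check is exactly the unrecoverable artifact this issue is about, and it is cheaper to catch it than to re-create the secret later.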
This is most probably my fault with respect to how KMS is set up, but the problem I am reporting deals more with the fact that if SOPS can encrypt something (using KMS) then it doesn't make sense that no keys exist for decryption.
My setup:
Trying to find solid and thorough documentation on .sops.yaml is challenging. The README has good stuff, but it's not thorough. Here's my .sops.yaml:
Using a test yaml file:
Here's my encryption output:
I don't see how it's possible to have successfully encrypted something using a symmetrical key from AWS and not have the key listed in the kms list.