getsops / sops

Simple and flexible tool for managing secrets
https://getsops.io/
Mozilla Public License 2.0

No keys found in file #989

Open acepsaepudin opened 2 years ago

acepsaepudin commented 2 years ago

Hi,

I have .sops.yml config in my root repository like this:

---
creation_rules:
- arn: 'arn:aws:kms:ap-southeast-1:XXXX:key/xxxxx'
  role: 'arn:aws:iam::XXX:role/XXXX'

I ran this command:

 sops -e -i kube_config_cluster.yml

and this is the output of kube_config_cluster.yml

users:
    - name: ENC[AES256_GCM,data:EKdYf2yKHfLiknXd2VWSTBWY51l7dYhgrt8=,iv:ozlg1hr6CBtbGakL3/H+c1ZlRt+TqN+BqtRFg9Gl2v0=,tag:Og+wgnWjtgvxuDR7hE8K7g==,type:str]
      user:
        client-certificate-data: ENC[AES256_GCM,data:DASSLPR3XsSMm4F7deeOvg8NIlUZSCB1vxFAfEqS4qiV4eJe6NmfDZVddvxrJc4Y4MG9pAokzHDNnNNvjYKsnk+v7h9Gd9QwwdDyp1AG7mPOO8HoKityqS0pNZAg3QMBMeHWQtFBSmZG0NnZfYcNEVh03BnXSVFnrBK4OId/7GZdNh7qIK......0oA36RGraCBooBr9tUzTxY7Hf5AikPsu,iv:fGxlJN+FJC4+Vm3vVunwIQBdIAQVgR6Y4NPb8nv/9+8=,tag:64YQ477zl1V2LQMOnk3XWA==,type:str]
        client-key-data: ENC[AES2TLH95Yre8qRfctwqIIx1FouUk8lUZOMIqoY3MReLBvlQe52hXW7V3KZaSfG4GzBwGAbQMeqQ7k27HJzZJKNS1sbeAjSXFrit7XvdvE2ROxU....4W6XovSQ=,iv:GBPFilA3TngCxq2ltkcCy2QbVt+lZI67JhDXrUJ7Rzw=,tag:Y0JofNWM4vUbwxVUMddm4w==,type:str]
sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age: []
    lastmodified: "2022-01-16T15:30:24Z"
    mac: ENC[AES256_GCM,data:oi4qWYwBzqsxk7d8QM5x6l70YTTN51VbwAn1jUTMVd2+jufvRjgrVOyT+nWdPMUTBpbx7nAY9yvOonHkzQzPtFGEtm8rgCr7KSK/vnUdGQ2r7FGmnMaS0l+JOcbTigEU3Kr4c9TVuuo1I/9okLSf4IIFWd+mc7llPUL9LFnnxYk=,iv:Re9HI6LUXb2CCXn+YOLh067ujdx5zVKEcOBVrDU7kLE=,tag:dD2DsR2SkGu6F041H3CCMw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.1

I ran sops -d -i kube_config_cluster.yml and it showed this output:

No keys found in file

Can somebody help me with this?

felixfontein commented 2 years ago

The encrypted file seems to have no key indeed, so basically it cannot be decrypted - except if someone can guess the key. I guess it's a bug that this can happen.

In any case, the problem is your .sops.yaml. I think it should rather look like this - judging from the examples in README; I've never used KMS. So maybe this is also totally wrong:

creation_rules:
- kms:
  - arn: 'arn:aws:kms:ap-southeast-1:XXXX:key/xxxxx'
    role: 'arn:aws:iam::XXX:role/XXXX'
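
A defender-side check for exactly this failure mode, added here as an example (it is not part of sops and not felixfontein's suggestion above): before a file is committed, inspect the sops: metadata block that sops appends to every encrypted file and refuse it when every key service list is empty, which is the state shown in the issue and the one that later yields "No keys found in file". The function names (master_key_counts_yaml, master_key_counts_json, has_master_keys), the sample documents and every ARN, recipient and ENC[...] value are constructed placeholders; it uses only the standard library, so the YAML side is a small line scanner for the layout sops itself writes rather than a general YAML parser.

```python
"""Pre-commit style check: refuse a sops-encrypted file whose metadata lists
no master keys. Added example, not code from the sops project.

sops records, per key service, which master keys can unwrap the file's data
key. When that block has every service set to [] (as in the issue above), no
key can ever decrypt the file. Stdlib only, so no PyYAML dependency; the YAML
reader below is a small line-based scanner for sops's own output layout.
"""
import json
import re
import sys

# Key services sops records in its metadata block.
KEY_SERVICES = ("kms", "gcp_kms", "azure_kv", "hc_vault", "age", "pgp")

# A service key directly under `sops:`, e.g. "    kms: []" or "    age:".
_KEY_LINE = re.compile(r"^(\s+)(%s):\s*(.*?)\s*$" % "|".join(KEY_SERVICES))


def master_key_counts_yaml(text: str) -> dict:
    """Count master-key entries per service in a sops-encrypted YAML file."""
    counts = {s: 0 for s in KEY_SERVICES}
    in_sops = False
    child_indent = None   # indentation of keys directly under `sops:`
    current = None        # service whose "- item" lines we are counting
    for line in text.splitlines():
        if not in_sops:
            in_sops = line.startswith("sops:")
            continue
        if not line.strip():
            continue              # blank lines (e.g. inside armored blocks)
        if not line[0].isspace():
            break                 # next top-level key: metadata block ended
        indent = len(line) - len(line.lstrip())
        if child_indent is None:
            child_indent = indent
        m = _KEY_LINE.match(line)
        if m and indent == child_indent:
            service, value = m.group(2), m.group(3)
            current = None
            if value == "":
                current = service        # entries follow as "- ..." items
            elif value != "[]":
                counts[service] += 1     # inline flow sequence: non-empty
            continue
        if current is None:
            continue
        if indent <= child_indent:
            current = None               # another sops-level key (mac, ...)
        elif line.lstrip().startswith("- "):
            counts[current] += 1
    return counts


def master_key_counts_json(text: str) -> dict:
    """Same count for sops JSON output, where empty services appear as null."""
    meta = json.loads(text).get("sops", {})
    return {s: len(meta.get(s) or []) for s in KEY_SERVICES}


def has_master_keys(text: str, fmt: str = "yaml") -> bool:
    """True when at least one master key can unwrap the file's data key."""
    counts = master_key_counts_json(text) if fmt == "json" else master_key_counts_yaml(text)
    return any(n > 0 for n in counts.values())


# Constructed sample mirroring the metadata shape in the issue (placeholder values).
NO_KEYS_YAML = """\
users:
    - name: ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]
sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age: []
    lastmodified: "2022-01-16T15:30:24Z"
    mac: ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.1
"""

# Constructed sample of a healthy file: one KMS key and one age recipient (placeholder ids).
WITH_KEYS_YAML = """\
users:
    - name: ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]
sops:
    kms:
        - arn: arn:aws:kms:ap-southeast-1:000000000000:key/00000000-0000-0000-0000-000000000000
          role: arn:aws:iam::000000000000:role/EXAMPLE-ROLE
          created_at: "2022-01-16T15:30:24Z"
          enc: PLACEHOLDER
          aws_profile: ""
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1PLACEHOLDER
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            PLACEHOLDER
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2022-01-16T15:30:24Z"
    mac: ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.1
"""

# Constructed JSON-format sample with a single age recipient (placeholder values).
AGE_JSON = json.dumps({
    "password": "ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]",
    "sops": {"kms": None, "gcp_kms": None, "azure_kv": None, "hc_vault": None,
             "age": [{"recipient": "age1PLACEHOLDER", "enc": "PLACEHOLDER"}],
             "pgp": None, "lastmodified": "2022-01-16T15:30:24Z",
             "mac": "PLACEHOLDER", "version": "3.7.1"},
})

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else NO_KEYS_YAML
    fmt = "json" if path and path.endswith(".json") else "yaml"
    if has_master_keys(text, fmt):
        print("ok: sops metadata lists at least one master key")
    else:
        print("refusing: sops metadata lists no master keys; fix .sops.yaml and re-encrypt")
        sys.exit(1)
```

Run as a pre-commit hook with the encrypted file path as the argument; with no argument it checks the constructed sample and exits 1. The file in the issue is what sops 3.7.1 produced when the matching creation rule carried no key service entry at all (arn and role sat at the rule level instead of under kms:), so the cheapest place to catch this is the commit that would persist such a file.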

Perdjesk commented 1 year ago

Duplicate of: https://github.com/mozilla/sops/issues/804