decrypt SOPs encrypted yaml file via AWS KMS

[yalattas]

Problem Statement

I have files encrypted with SOPs and AWS KMS and stored in git. Locally, I can decrypt the files while having AWS CLI configured with a user that have sufficient privilege to do decrypt on a specific key in KMS

.sops.yaml

creation_rules:
  - filename_regex: '.*/secrets\.y(a)?ml$'
    kms: 'arn:aws:kms:REGION:12345678912:alias/APP-sops'

I want to allow ArgoCD to use IAM Role with ServiceAccount to decrypted the file using the same key that encrypted it at the first place. Therefore, I must have

1. IAM role allowed to decrypt
2. K8s ServiceAccount allowing pod to assume a role
3. KMS key alias configured in ArgoCD to know which key to use

sources:
    - repoURL: https://company.com/chart
      chart: nginx
      targetRevision: 1.2.3
      helm:
        parameters:
          - name: KEY
            value: VALUE
        releaseName: SOMETHING
        valueFiles:
          - $values/nginx/values.yaml
          - secrets://$values/nginx/secrets.yaml

encrypted yaml will look like below

argocdServerAdminPassword: ENC[AES256_GCM,data:123+abc+def/something,iv:123/abc/efg/E=,tag:abc==,type:str]

and decrypted file before ArgoCD render it must be plaintext

argocdServerAdminPassword: weakpassword

Then ArgoCD can handle it and provision the resources. I saw the following message in documentation and not sure if it means that helm-secrets can't support this

https://github.com/jkroepke/helm-secrets/wiki/ArgoCD-Integration

Proposed Solution

No response

Environment

• Helm Version:
• Helm Secrets Version:
• OS:
• Shell:

Additional information

No response

Acceptance Criteria

No response

[jkroepke]

helm-secrets support IAM Roles for service account, but this syntax secrets://$values/nginx/secrets.yaml isn't supported by ArgoCD

[github-actions[bot]]

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.