viaduct-ai / kustomize-sops

KSOPS - A Flexible Kustomize Plugin for SOPS Encrypted Resources
Apache License 2.0

Ksops doesn't recognize az login #231

Open pgr1mard opened 8 months ago

pgr1mard commented 8 months ago

With sops, we can do an `az login --use-device-code` and then use the command `sops -d file` to decrypt the content of that file.

However, with ksops, doing `az login --use-device-code` and then running `kustomize build overlay --enable-alpha-plugins` doesn't work, because it seems sops doesn't recognize the session opened by the `az login --use-device-code` executed before.

We would like to try executing `kustomize build --enable-alpha-plugins` with ksops without an Azure service principal configured through environment variables.

dosubot[bot] commented 8 months ago

🤖

Based on your description, it seems like the issue is related to the way KSOPS is interacting with the Azure CLI session. KSOPS relies on SOPS for decryption, and SOPS supports various KMS providers including Azure Key Vault.

To resolve this issue, you can follow these steps:

  1. Ensure that the Azure CLI is installed and correctly configured to use the device code flow with az login --use-device-code.
  2. Verify that the session created by az login is active and that the Azure CLI can access the required Azure resources.
  3. Ensure that your .sops.yaml configuration file is correctly set up to use Azure Key Vault for decryption. This involves specifying the Azure Key Vault details under the creation_rules section with the appropriate azure_keyvault field. Here is an example configuration:

     ```yaml
     creation_rules:
       - azure_keyvault: "azure-keyvault-name"
     ```

  4. Make sure that the environment variables required by Azure CLI for authentication are correctly set in the environment where you're running kustomize build --enable-alpha-plugins. This typically includes AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET for service principal authentication or ensuring that the Azure CLI is logged in to the correct account if using user-based authentication.
  5. If you are running this in a CI/CD pipeline or a similar automated environment, ensure that the Azure CLI is installed and that the script or pipeline step explicitly performs az login before attempting to run kustomize build --enable-alpha-plugins.

By ensuring that SOPS is configured to use Azure Key Vault and that the Azure CLI session is correctly authenticated and recognized, KSOPS should be able to decrypt the resources using the session created by az login --use-device-code. Remember, this approach requires that the encryption keys used by SOPS for encrypting the resources are stored in Azure Key Vault and that the correct permissions are set for the Azure service principal or user account to access these keys.

If you're still encountering issues after following these steps, could you provide more details about your setup? Specifically, it would be helpful to know more about your .sops.yaml configuration, the exact error message you're seeing when you try to run kustomize build --enable-alpha-plugins, and any other relevant details about your Azure CLI and KSOPS configurations.

#### About Dosu

This response is meant to be useful and save you time. It is **not meant to be a precise solution**, but rather a starting point for your own research. Help me be more useful! Please leave a 👍 if this is helpful and 👎 if it is irrelevant. If you want to continue the conversation, start your reply with @dosu-bot.
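
A preflight check for the two authentication paths named in the steps above, added here as an example (not code from KSOPS, SOPS or anyone in this thread): it reports which Azure credential source is visible in the shell that will launch kustomize. The names `AZ_BIN`, `azure_cred_source` and `preflight` are introduced here, and treating a partly set service principal as a failure is an assumption of this example.

```shell
#!/bin/sh
# Added example: which Azure credential source can the process that runs
# `kustomize build --enable-alpha-plugins` actually see?
# AZ_BIN, azure_cred_source and preflight are hypothetical names.

AZ_BIN="${AZ_BIN:-az}"   # overridable so the check can be exercised offline

# Prints one of: service-principal-env, partial-service-principal-env,
# az-cli-session, none. Runs in a subshell so it leaks no variables.
azure_cred_source() (
  count=0
  for v in AZURE_TENANT_ID AZURE_CLIENT_ID AZURE_CLIENT_SECRET; do
    eval "val=\${$v:-}"
    if [ -n "$val" ]; then count=$((count + 1)); fi
  done
  if [ "$count" -eq 3 ]; then
    echo "service-principal-env"
  elif [ "$count" -gt 0 ]; then
    # Assumption of this example: a half-configured service principal is
    # reported as its own state instead of silently falling through.
    echo "partial-service-principal-env"
  elif "$AZ_BIN" account show >/dev/null 2>&1; then
    # `az account show` succeeds only when the CLI has a logged-in account.
    echo "az-cli-session"
  else
    echo "none"
  fi
)

# Returns 0 only when exactly one complete credential source is visible.
preflight() {
  src=$(azure_cred_source)
  case "$src" in
    service-principal-env|az-cli-session)
      echo "ok: $src"; return 0 ;;
    *)
      echo "no usable Azure credential visible in this shell: $src" >&2
      return 1 ;;
  esac
}

# Usage: sh this-file --run   (runs the build only if the check passes)
if [ "${1:-}" = "--run" ]; then
  preflight && kustomize build overlay --enable-alpha-plugins
fi
```

Run it in the same shell, container or pipeline step that invokes kustomize, since a login performed in a different user or environment is not visible there.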