Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Different AWS profiles are ignored when using multiple KMS keys #1468

Open
DrLuke opened this issue Mar 21, 2024 · 1 comment
Open

Different AWS profiles are ignored when using multiple KMS keys #1468

DrLuke opened this issue Mar 21, 2024 · 1 comment

Comments

@DrLuke
Copy link

DrLuke commented Mar 21, 2024
edited
Loading

I'm trying to use two KMS keys living in two different AWS accounts, so that each account can access the encrypted contents. Similar to the setup in #1093 .

I've created the following .sops.yaml:

---
creation_rules:
  - key_groups:
      - kms:
          - arn: arn:aws:kms:eu-central-1:ACCOUNT1:key/KEY1
            aws_profile: profile1
          - arn: arn:aws:kms:eu-central-1:ACCOUNT2:key/KEY2
            aws_profile: profile2

But when encrypting a file I get the following error:

error updating one or more master keys: [failed to encrypt new data key with master key "arn:aws:kms:eu-central-1:ACCOUNT2:key/KEY2": failed to encrypt sops data key with AWS KMS: operation error KMS: Encrypt, https response error StatusCode: 400, RequestID: [REDACTED], api error AccessDeniedException: User: arn:aws:sts::ACCOUNT1:assumed-role/[REDACTED] is not authorized to perform: kms:Encrypt on this resource because the resource does not exist in this Region, no resource-based policies allow access, or a resource-based policy explicitly denies access]

It seems to me like sops is using the default profile (which is profile1) instead of the defined profile.
@inletfetch
Copy link

Thanks DrLuke for this post! It helped me to figure out a problem I was having. This problem appears to be fixed in the most recent version of sops.

I was struggling to get sops to encrypt with two KMS keys from two different accounts. I was specifying them a bit differently than this in my .sops.yaml file. I was trying this:

creation_rules:
  - kms: arn:aws:kms:us-west-1:ACCOUNT1:key/mrk-KEY1
    aws_profile: xxxxx-dev
  - kms: arn:aws:kms:us-west-1:ACCOUNT2:key/mrk-KEY2
    aws_profile: xxxxx-prod

but this always encrypted using just the first key. When I switched to using your format for my config file, I got the result I was looking for. I expected to get the same error about the second key, but I got the desired result. I was able to get a file that was encrypted with both keys.

My .sops.yaml file looks like this:

creation_rules:
  - key_groups:
      - kms:
          - arn: arn:aws:kms:us-west-1: ACCOUNT1:key/mrk-KEY1
            aws_profile: xxxxx-dev
          - arn: arn:aws:kms:us-west-1: ACCOUNT2:key/mrk-KEY2
            aws_profile: xxxxx-prod

The result of encrypting an unencrypted file with sops -e in.yaml then looks like this:

<<< Encrypted Values>>>
sops:
    kms:
        - arn: arn:aws:kms:us-west-1: ACCOUNT1:key/mrk-KEY1
          created_at: "2024-11-05T01:00:20Z"
          enc: nnnnnnnnnnnn==
          aws_profile: xxxxx-dev
        - arn: arn:aws:kms:us-west-1: ACCOUNT2:key/mrk-KEY2
          created_at: "2024-11-05T01:00:20Z"
          enc: nnnnnnnnnnnn==
          aws_profile: xxxxx-prod
    gcp_kms: []
    ....
    version: 3.9.1

One can decrypt the resulting file if they have either of the specified AWS profiles defined, and that profile gives the user permission to decrypt with the associated KEY.

So try this with SOPS version 3.9.1, and I'll bet you get the result that you seek.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@DrLuke @inletfetch