
SOPS Can't Find Data Key Required to Decrypt the SOPS File (AWS KMS) #736

Open
better-sachin opened this issue Sep 11, 2020 · 4 comments

better-sachin commented Sep 11, 2020

We are running into an issue on our Kubernetes pods (using kube2iam to provide IAM credentials to containers) trying to decrypt SOPS secrets where the assumed role tries to assume itself before decrypting.

Error message:

Failed to get the data key required to decrypt the SOPS file.
Group 0: FAILED
  arn:aws:kms:us-east-1:<account-id>:key/<uuid>: FAILED
    - | Error decrypting key: NoCredentialProviders: no valid
      | providers in chain. Deprecated.
      |     For verbose messaging see
      | aws.Config.CredentialsChainVerboseErrors
  
  arn:aws:kms:us-east-1:<account-id>:key/<uuid>: FAILED
    - | Error creating AWS session: Failed to assume role
      | "arn:aws:iam::<account-id>:role/service/<role-name>":
      | AccessDenied: User:
      | arn:aws:sts::<account-id>:assumed-role/<role-name>/<role-session-name>
      | is not authorized to perform: sts:AssumeRole on resource:
      | arn:aws:iam::<account-id>:role/service/<role-name>
      |     status code: 403, request id:
      | a401448b-6242-46d1-80d7-7e14396b4ad0
Recovery failed because no master key was able to decrypt the file. In
order for SOPS to recover the file, at least one key has to be successful,
but none were.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html

— Is there a reason why SOPS tries to assume a role already assumed?
— Is there a way to set the trust relationship of the role to be able to assume itself?

@autrilla
Contributor

Is there a reason why SOPS tries to assume a role already assumed?

Yes, the AWS master key you put in the SOPS file has a profile stored, and SOPS will try to assume it every time.

@better-sachin
Author

looks like this is a known issue here:
jtblin/kube2iam#136

cpflaume commented Sep 27, 2022

Running into a similar issue: we have users who cannot assume roles but already have the correct role, and users who have to assume a role. Because the role is assumed every time, we cannot use the KMS+Role syntax, as it will fail for half of our users.

Wouldn't it be possible/nice to check the current role before assuming it in https://github.com/mozilla/sops/blob/e1edc059487ddd14236dfe47267b05052f6c20b4/kms/keysource.go#L182 ?

Of course, in most cases one can do the assume-role manually before using SOPS, but there are some cases in which that does not work, like with the Terraform sops plugin.

@JonathanLorimer

This is a pretty big issue. It breaks AWS EC2 instance profiles, which are the de facto way to provide IAM permissions to servers on AWS.

The instance profile role is immediately assumed, and cannot assume itself.
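The check cpflaume proposes above (compare the caller's current identity with the role attached to the KMS key entry, and only call sts:AssumeRole when they differ) as an added example in Python. This is not code from the sops project, and the keysource.go line linked in the thread does not do this; it only reproduces the decision logic. The caller ARNs and the KMS key spec are constructed here so the script runs offline; in a real run the caller ARN would come from sts:GetCallerIdentity (`aws sts get-caller-identity`). The `kms_arn+role_arn` spec form follows the KMS+Role syntax the thread refers to. One detail worth noticing, visible in the error output of the original report: an IAM role ARN carries the role path (`role/service/<role-name>`) while the STS assumed-role ARN drops it (`assumed-role/<role-name>/<session>`), so the comparison has to be on partition, account and role name, not on the raw strings. The EC2 instance-profile case JonathanLorimer describes is the same shape (an assumed-role ARN whose session name is the instance id) and is covered by the same check.

```python
"""Skip sts:AssumeRole when the caller already is the role on a SOPS KMS key.

Added example for this thread; it is not code from the sops project. The
caller identity strings used below stand in for what sts:GetCallerIdentity
would return and are constructed so that the script runs offline.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# IAM role ARN, e.g. arn:aws:iam::123456789012:role/service/deploy
# The path ("service/") is optional and may have several segments.
_IAM_ROLE_RE = re.compile(
    r"^arn:(?P<partition>[^:]+):iam::(?P<account>\d{12}):role/"
    r"(?P<path>(?:[^/]+/)*)(?P<name>[^/]+)$"
)

# STS assumed-role ARN, e.g. arn:aws:sts::123456789012:assumed-role/deploy/pod-1
# The role path is NOT present in this form; only the role name survives,
# which is exactly the mismatch visible in the thread's error output.
_ASSUMED_ROLE_RE = re.compile(
    r"^arn:(?P<partition>[^:]+):sts::(?P<account>\d{12}):assumed-role/"
    r"(?P<name>[^/]+)/(?P<session>[^/]+)$"
)


@dataclass(frozen=True)
class RoleIdentity:
    """The part of a role identity that survives in both ARN forms."""
    partition: str
    account: str
    name: str


def parse_role_arn(arn: str) -> RoleIdentity:
    """Parse an IAM role ARN, discarding the path."""
    m = _IAM_ROLE_RE.match(arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {arn}")
    return RoleIdentity(m["partition"], m["account"], m["name"])


def parse_caller_identity(arn: str) -> Optional[RoleIdentity]:
    """Return the role behind an assumed-role caller ARN, or None when the
    caller is not a role session (an IAM user or the account root)."""
    m = _ASSUMED_ROLE_RE.match(arn)
    if not m:
        return None
    return RoleIdentity(m["partition"], m["account"], m["name"])


def parse_kms_key_spec(spec: str) -> Tuple[str, Optional[str]]:
    """Split the 'kms_arn+role_arn' key spec form referred to in the thread.
    Anything beyond that form (e.g. extra suffixes) is not handled here."""
    key_arn, sep, role_arn = spec.partition("+")
    return key_arn, (role_arn if sep else None)


def needs_assume_role(caller_arn: str, key_spec: str) -> bool:
    """True when decrypting with key_spec requires an sts:AssumeRole call."""
    _, role_arn = parse_kms_key_spec(key_spec)
    if role_arn is None:
        return False  # no role attached: use the ambient credentials as they are
    target = parse_role_arn(role_arn)
    # Compare partition/account/name only: the caller's assumed-role ARN
    # never carries the role path, so raw string equality would always fail.
    return parse_caller_identity(caller_arn) != target


def plan_decrypt(caller_arn: str, key_specs: Iterable[str]) -> List[Tuple[str, str]]:
    """For each key spec, decide the credential action a decrypt would take."""
    decisions = []
    for spec in key_specs:
        key_arn, role_arn = parse_kms_key_spec(spec)
        if role_arn is None:
            action = "use-ambient-credentials"
        elif needs_assume_role(caller_arn, spec):
            action = f"assume {role_arn}"
        else:
            action = "already-this-role; skip AssumeRole"
        decisions.append((key_arn, action))
    return decisions


if __name__ == "__main__":
    # Constructed sample input: one KMS key with a role (with a path) attached.
    KEY = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"
    SPEC = KEY + "+arn:aws:iam::123456789012:role/service/deploy"
    CALLERS = {
        "kube2iam pod": "arn:aws:sts::123456789012:assumed-role/deploy/pod-abc",
        "EC2 instance profile": "arn:aws:sts::123456789012:assumed-role/deploy/i-0123456789abcdef0",
        "IAM user": "arn:aws:iam::123456789012:user/alice",
        "different role": "arn:aws:sts::123456789012:assumed-role/other/pod-abc",
    }
    for label, caller in CALLERS.items():
        for key_arn, action in plan_decrypt(caller, [SPEC, KEY]):
            print(f"{label:22} {key_arn.rsplit('/', 1)[-1][:8]}...  {action}")
```

Where the caller is not a role session at all (an IAM user or root), the check falls through to the existing behaviour and the role is assumed as before, so nothing changes for the users in cpflaume's second group; only callers that are already the target role skip the AssumeRole call that fails in the original report.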

4 participants