SOPS Can't Find Data Key Required to Decrypt the SOPS File (AWS KMS) #736
Comments
Yes, the AWS master key you put in the SOPS file has a profile stored, and SOPS will try to assume it every time.
Looks like this is a known issue here:
Running into a similar issue: We have users which cannot assume roles but already have the correct role, and users which have to assume a role. Because the role is assumed every time, we cannot use the KMS+Role syntax, as it will fail with half of our users. Wouldn't it be possible/nice to check the current role before assuming it in https://github.com/mozilla/sops/blob/e1edc059487ddd14236dfe47267b05052f6c20b4/kms/keysource.go#L182 ? Of course in most of the cases one can do the assume role manually before using SOPS, but there are some cases in which it does not work, like with the terraform sops plugin.
This is a pretty big issue. It breaks AWS EC2 instance profiles, which are the de facto way to provide IAM permissions to servers on AWS. The instance profile role is immediately assumed, and cannot assume itself.
We are running into an issue on our Kubernetes pods (using kube2iam to provide IAM credentials to containers) trying to decrypt SOPS secrets where the assumed role tries to assume itself before decrypting.
Error message:
— Is there a reason why SOPS tries to assume a role already assumed?
— Is there a way to set the trust relationship of the role to be able to assume itself?
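The check asked for above (compare the current identity with the role in the KMS entry before calling AssumeRole), covering the instance-profile and kube2iam cases where the credential already is that role, as an added example in Go. This is illustration written for this page, not code from SOPS or its keysource.go. It assumes the caller ARN is the string returned by sts:GetCallerIdentity and the target is the IAM role ARN from the "key+role" entry; the account id, role and session names below are constructed placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// Illustrative check (not SOPS code): should a caller still AssumeRole to act
// as the role named in a SOPS KMS entry? The failure described on the page is
// that the role is assumed unconditionally, so an instance profile or kube2iam
// credential that already *is* the role tries to assume itself and fails.
//
// sts:GetCallerIdentity returns a session ARN of the form
//   arn:aws:sts::123456789012:assumed-role/RoleName/SessionName
// while the role itself is
//   arn:aws:iam::123456789012:role[/path/]RoleName
// The session ARN carries no IAM path, so the comparison is on partition,
// account and role name only.

// identity holds the ARN parts the comparison cares about.
type identity struct {
	partition string
	account   string
	roleName  string
}

// parseRoleARN parses an IAM role ARN (with or without a path).
func parseRoleARN(arn string) (identity, error) {
	parts := strings.SplitN(arn, ":", 6)
	if len(parts) != 6 || parts[0] != "arn" || parts[2] != "iam" {
		return identity{}, fmt.Errorf("not an IAM ARN: %q", arn)
	}
	res := parts[5]
	if !strings.HasPrefix(res, "role/") {
		return identity{}, fmt.Errorf("not a role ARN: %q", arn)
	}
	// Drop the resource type and any path; the role name is the last segment.
	segs := strings.Split(strings.TrimPrefix(res, "role/"), "/")
	name := segs[len(segs)-1]
	if name == "" {
		return identity{}, fmt.Errorf("empty role name in %q", arn)
	}
	return identity{partition: parts[1], account: parts[4], roleName: name}, nil
}

// parseCallerARN parses the ARN from sts:GetCallerIdentity. isRole is false for
// identities that are not role sessions (IAM users, root, federated users),
// which can never already "be" the target role.
func parseCallerARN(arn string) (id identity, isRole bool, err error) {
	parts := strings.SplitN(arn, ":", 6)
	if len(parts) != 6 || parts[0] != "arn" {
		return identity{}, false, fmt.Errorf("malformed ARN: %q", arn)
	}
	res := parts[5]
	switch {
	case parts[2] == "sts" && strings.HasPrefix(res, "assumed-role/"):
		// assumed-role/RoleName/SessionName
		segs := strings.Split(strings.TrimPrefix(res, "assumed-role/"), "/")
		if len(segs) != 2 || segs[0] == "" {
			return identity{}, false, fmt.Errorf("malformed assumed-role ARN: %q", arn)
		}
		return identity{partition: parts[1], account: parts[4], roleName: segs[0]}, true, nil
	case parts[2] == "iam" && strings.HasPrefix(res, "role/"):
		// Not what GetCallerIdentity returns in practice, but accept a bare role ARN.
		id, err = parseRoleARN(arn)
		return id, err == nil, err
	default:
		return identity{}, false, nil
	}
}

// NeedsAssumeRole reports whether a caller with the given STS identity must
// still call AssumeRole to act as targetRoleARN: true unless the caller is
// already a session of that exact role (same partition, account and name).
func NeedsAssumeRole(callerARN, targetRoleARN string) (bool, error) {
	target, err := parseRoleARN(targetRoleARN)
	if err != nil {
		return false, err
	}
	caller, isRole, err := parseCallerARN(callerARN)
	if err != nil {
		return false, err
	}
	if !isRole {
		return true, nil
	}
	return caller != target, nil
}

func main() {
	// Constructed sample values; account id, role and session names are placeholders.
	role := "arn:aws:iam::123456789012:role/sops-decrypt"
	for _, caller := range []string{
		"arn:aws:sts::123456789012:assumed-role/sops-decrypt/i-0abc123", // instance profile: skip
		"arn:aws:sts::123456789012:assumed-role/other-role/session",      // different role: assume
		"arn:aws:iam::123456789012:user/alice",                            // IAM user: assume
	} {
		need, err := NeedsAssumeRole(caller, role)
		fmt.Printf("%-64s assume=%v err=%v\n", caller, need, err)
	}
}
```

Skipping AssumeRole when the names match is the only case in which a role is asked to assume itself, so this check removes that failure without changing behaviour for users who still need the hop; a mismatch in account or partition is still treated as "assume", so a same-named role in another account is never silently accepted.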