Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade SOPS to 1.7.0 to support AWS Single-Sign On credentials #1629

Closed
michelzanini opened this issue Apr 2, 2021 · 2 comments
Closed

Upgrade SOPS to 1.7.0 to support AWS Single-Sign On credentials #1629

michelzanini opened this issue Apr 2, 2021 · 2 comments
Labels
enhancement New feature or request

Comments

@michelzanini
Copy link

Context
Versions:
terraform: v0.14.6
terragrunt: v0.28.18

Description
AWS Single Sign-On is supported from Terrafrom 0.14.6+, AWS provider 3.26.0+ and Terragrunt 0.28.9+ and AWS CLI v2.

This is all working great, except when using SOPS from Terragrunt, like below:

secrets.yaml

username: ENC[*username*]
password: ENC[*password*]
sops:
    kms:
    -   arn: *kms_arn*
        created_at: '2021-02-19T17:23:37Z'
        enc: *enc*
        aws_profile: development
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    lastmodified: '2021-02-19T17:23:39Z'
    mac: *mac*
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.6.1

terragrunt.hcl

# Load secrets if they are present
secret_vars = try(yamldecode(sops_decrypt_file("secrets.yaml")), {})

It should work as I am using a AWS profile for SOPS, called development.
It DOES work if this profile is configured on ~/.aws/credentials (no SSO, CLI v1):

[development]
aws_access_key_id=*aws_access_key_id*
aws_secret_access_key=*aws_secret_access_key*
aws_session_token=*aws_session_token*

But when I switched to use Single-Sign On with ~/.aws/config (with SSO, CLI v2):

[profile development]
sso_start_url = https://*domain*.awsapps.com/start
sso_region = eu-west-1
sso_account_id = *sso_account_id*
sso_role_name = AdministratorAccess

I get this error:

Error: Error in function call

  on /Users/user/git/terragrunt-infrastructure/development/terragrunt.hcl line 15, in locals:
  15:   secret_vars = yamldecode(sops_decrypt_file("secrets.yaml"))

Call to function "sops_decrypt_file" failed: Error getting data key: 0 successful groups required, got 0.

It was obvious that sops does not support AWS Single-Sign On.

But then I saw that SOPS 1.7.0 supports Single-Sign On now:
See here getsops/sops#823 (released on 1.7.0).

I have tested on the command line with 1.6.1 and 1.7.0 with:

sops secrets.yaml

Does NOT work with 1.6.1, but with 1.7.0 it does.

I see Terragrunt depends on Sops 1.5.0.
For Single-Sign On to be supported and fixed we would need to upgrade the SOPS Go dependency to 1.7.0.

Thanks.
This was referenced Apr 2, 2021
Closed
Merged
@XtremeAI
Copy link

XtremeAI commented Apr 7, 2021

I also look forward to sops 1.7.0 support that comes with 'age' encryption (from sops read-me: age is a simple, modern, and secure tool for encrypting files. It's recommended to use age over PGP, if possible.)

@yorinasub17 yorinasub17 added the enhancement New feature or request label Apr 7, 2021
@michelzanini
Copy link
Author

Just tested this with release 0.28.22 where #1564 has been released and works like a charm! :)
Closing this now. Thanks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@yorinasub17 @michelzanini @XtremeAI