getsops/sops

Multiple Azure Keyvaults With Different Environments

daveneeley opened this issue · 0 comments

I have a file that is encrypted with an Azure Key Vault key from Azure cloud. I want to encrypt with an additional key from a vault in Azure US Government cloud. I'm using CLI mode. I understand that I can set AZURE_ENVIRONMENT=AzureUsGovernmentCloud to use that cloud. Unfortunately sops applies the same credential for both Azure keys and one will always fail to encrypt with 401 Unauthorized.

Start with a .sops.yaml like this:

creation_rules:
- path_regex: secrets.yaml
  azure_keyvault: https://myvault.vault.azure.net/keys/mykey/someversion

Steps to validate current config:

az cloud set --name azurecloud
az account set --subscription my-cloud-sub
sops -d secrets.yaml

Add the US Gov key, updating .sops.yaml to something like this:

creation_rules:
- path_regex: secrets.yaml
  # two vaults in two different clouds (US Government first, public cloud second)
  azure_keyvault: https://myvault.vault.usgovcloudapi.net/keys/mygovkey/someversion,https://myvault.vault.azure.net/keys/mykey/someversion

Steps (fails with 401):

az cloud set --name azureusgovernment
az account set --subscription my-gov-sub
AZURE_ENVIRONMENT='AzureUsGovernmentCloud' sops updatekeys secrets.yaml

Note failure:

error updating one or more master keys: [failed to encrypt new data key with master key "https://myvault.vault.azure.net/keys/mykey/someversion": failed to encrypt sops data key with Azure Key Vault key 'https://myvault.vault.azure.net/keys/mykey/someversion': POST https://myvault.vault.azure.net/keys/mykey/someversion/encrypt
--------------------------------------------------------------------------------
RESPONSE 401: 401 Unauthorized
ERROR CODE: Unauthorized
--------------------------------------------------------------------------------
{
  "error": {
    "code": "Unauthorized",
    "message": "AKV10032: Invalid issuer. Expected one of https://sts.windows.net/<azure cloud tenant id>/, found https://sts.windows.net/<azure gov cloud tenant id>/."
  }
}
--------------------------------------------------------------------------------
]

Based on the order of operations, I assume the gov encryption key was used successfully? The error states the original azure key (which is listed second in the example file) cannot be used because the login context is for the government cloud.
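The AKV10032 error above is Key Vault rejecting a token whose issuer tenant is not the tenant the vault is bound to, which is exactly what happens when one credential (obtained in the US Government login context) is presented to a vault in the public cloud. As an added example, not code from this issue or from sops itself, the following pre-flight check groups the keys of a creation rule by Azure cloud and predicts which keys the token you currently hold will fail against, before running sops updatekeys. The vault-suffix-to-cloud mapping, the tenant ids and the unsigned token built by fake_token are constructed for the example; with a real token from `az account get-access-token --resource https://vault.azure.net` (or `https://vault.usgovcloudapi.net` in the Government cloud) the check reports the same mismatch the sops error shows.

```python
# Added example (not part of the issue or of sops): pre-flight check for a sops
# creation rule whose azure_keyvault keys span more than one Azure cloud.
import base64
import json
from urllib.parse import urlparse

# Key Vault DNS suffix -> `az cloud` name. Assumed mapping, derived from the two
# vault hosts in the issue plus the well-known China suffix.
VAULT_SUFFIX_TO_CLOUD = {
    "vault.azure.net": "AzureCloud",
    "vault.usgovcloudapi.net": "AzureUSGovernment",
    "vault.azure.cn": "AzureChinaCloud",
}


def cloud_for_vault(key_url: str) -> str:
    """Return the az cloud name that a Key Vault key URL belongs to."""
    host = (urlparse(key_url).hostname or "").lower()
    for suffix, cloud in VAULT_SUFFIX_TO_CLOUD.items():
        if host.endswith("." + suffix):
            return cloud
    raise ValueError(f"unrecognised Key Vault host: {host!r}")


def parse_rule_keys(azure_keyvault: str) -> list[str]:
    """Split the comma-separated azure_keyvault value of a creation rule."""
    return [k.strip() for k in azure_keyvault.split(",") if k.strip()]


def clouds_in_rule(azure_keyvault: str) -> dict[str, list[str]]:
    """Group a rule's keys by cloud. More than one group means no single
    credential can encrypt the data key for every master key in one run."""
    groups: dict[str, list[str]] = {}
    for key in parse_rule_keys(azure_keyvault):
        groups.setdefault(cloud_for_vault(key), []).append(key)
    return groups


def token_tenant(access_token: str) -> str:
    """Tenant id taken from the `iss` claim (https://sts.windows.net/<tenant>/)
    of an access token. Claims are read without verifying the signature, which
    is acceptable for a local diagnostic on a token you obtained yourself."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return claims["iss"].rstrip("/").rsplit("/", 1)[-1]


def predict_failures(azure_keyvault: str, access_token: str,
                     tenant_by_cloud: dict[str, str]) -> list[str]:
    """Keys that Key Vault will reject with AKV10032 (issuer tenant mismatch)
    if the same access_token is presented to all of them. tenant_by_cloud maps
    each az cloud name to the tenant id the vaults in that cloud trust."""
    tid = token_tenant(access_token)
    return [key for key in parse_rule_keys(azure_keyvault)
            if tenant_by_cloud[cloud_for_vault(key)] != tid]


# --- constructed sample data (not real tenants or tokens) -------------------
def fake_token(tenant: str) -> str:
    """Unsigned JWT-shaped string for offline testing only."""
    def b64(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = b64({"alg": "none"})
    claims = b64({"iss": f"https://sts.windows.net/{tenant}/"})
    return ".".join([header, claims, ""])


RULE = ("https://myvault.vault.usgovcloudapi.net/keys/mygovkey/someversion,"
        "https://myvault.vault.azure.net/keys/mykey/someversion")
TENANTS = {  # constructed placeholder tenant ids for each cloud
    "AzureCloud": "aaaaaaaa-0000-0000-0000-000000000001",
    "AzureUSGovernment": "bbbbbbbb-0000-0000-0000-000000000002",
}

if __name__ == "__main__":
    print("keys by cloud:", clouds_in_rule(RULE))
    gov_token = fake_token(TENANTS["AzureUSGovernment"])
    for key in predict_failures(RULE, gov_token, TENANTS):
        print("will get 401 AKV10032 with the Government-cloud token:", key)
```

Run against the issue's rule with a Government-cloud token, the check flags only the public-cloud key, matching the error in the issue; with a public-cloud token it flags the Government key instead. Because sops holds one credential per process, a rule whose keys fall into two clouds can never pass this check for both keys at once.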