Multiple Azure Keyvaults With Different Environments
daveneeley opened this issue · 0 comments
I have a file that is encrypted with an Azure Key Vault key from Azure cloud. I want to encrypt with an additional key from a vault in Azure US Government cloud. I'm using CLI mode. I understand that I can set `AZURE_ENVIRONMENT=AzureUsGovernmentCloud` to use that cloud. Unfortunately sops applies the same credential for both Azure keys and one will always fail to encrypt with `401 Unauthorized`.
Start with a `.sops.yaml` like this:

```yaml
creation_rules:
  - path_rules: secrets.yaml
    azure_keyvault: https://myvault.vault.azure.net/keys/mykey/someversion
```
Steps to validate current config:

```sh
az cloud set --name azurecloud
az account set --subscription my-cloud-sub
sops -d secrets.yaml
```
Add the US Gov key, updating `.sops.yaml` to something like this:

```yaml
creation_rules:
  - path_rules: secrets.yaml
    azure_keyvault: https://myvault.vault.usgovcloudapi.net/keys/mygovkey/someversion,https://myvault.vault.azure.net/keys/mykey/someversion
```
Steps (fails with `401`):

```sh
az cloud set --name azureusgovernment
az account set --subscription my-gov-sub
AZURE_ENVIRONMENT='AzureUsGovernmentCloud' sops updatekeys secrets.yaml
```
Note failure:

```
error updating one or more master keys: [failed to encrypt new data key with master key "https://myvault.vault.azure.net/keys/mykey/someversion": failed to encrypt sops data key with Azure Key Vault key 'https://myvault.vault.azure.net/keys/mykey/someversion': POST https://myvault.vault.azure.net/keys/mykey/someversion/encrypt
--------------------------------------------------------------------------------
RESPONSE 401: 401 Unauthorized
ERROR CODE: Unauthorized
--------------------------------------------------------------------------------
{
  "error": {
    "code": "Unauthorized",
    "message": "AKV10032: Invalid issuer. Expected one of https://sts.windows.net/<azure cloud tenant id>/, found https://sts.windows.net/<azure gov cloud tenant id>/."
  }
}
--------------------------------------------------------------------------------
]
```
Based on the order of operations, I assume the gov encryption key was used successfully? The error states the original azure key (which is listed second in the example file) cannot be used because the login context is for the government cloud.
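The failure above is predictable before `updatekeys` is run: each Key Vault host's DNS suffix tells you which cloud (and therefore which token issuer) the key needs, while a single `AZURE_ENVIRONMENT` value selects only one credential. The following Go program is an added pre-flight check written for this page; it is not part of sops and does not use its code. It parses the comma-separated `azure_keyvault` value into vault, key name and version, classifies each key by cloud from its suffix, and lists the keys that the selected environment cannot encrypt with. The suffix-to-environment table (`vault.azure.net`, `vault.usgovcloudapi.net`, `vault.azure.cn`), the assumption that an unset `AZURE_ENVIRONMENT` means the public cloud, and the sample rule (vault and key names are placeholders taken from the issue) are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// KeyVaultKey is one master key entry parsed from a .sops.yaml azure_keyvault
// value of the form https://{vault}.{suffix}/keys/{name}/{version}.
type KeyVaultKey struct {
	URL     string
	Vault   string
	Suffix  string // Key Vault DNS suffix, e.g. vault.azure.net
	Name    string
	Version string
	Cloud   string // AZURE_ENVIRONMENT name derived from Suffix, or "unknown"
}

// cloudBySuffix maps each cloud's Key Vault DNS suffix to the AZURE_ENVIRONMENT
// name it belongs to (assumed mapping; names are compared case-insensitively,
// following the spelling used in the issue).
var cloudBySuffix = map[string]string{
	"vault.azure.net":         "AzurePublicCloud",
	"vault.usgovcloudapi.net": "AzureUsGovernmentCloud",
	"vault.azure.cn":          "AzureChinaCloud",
}

// ParseKeyVaultKeys splits the comma-separated azure_keyvault value and parses
// every entry, rejecting anything that is not an https key URL with /keys/{name}/{version}.
func ParseKeyVaultKeys(value string) ([]KeyVaultKey, error) {
	var keys []KeyVaultKey
	for _, raw := range strings.Split(value, ",") {
		raw = strings.TrimSpace(raw)
		if raw == "" {
			continue
		}
		u, err := url.Parse(raw)
		if err != nil || u.Scheme != "https" || u.Host == "" {
			return nil, fmt.Errorf("invalid key vault key URL %q", raw)
		}
		parts := strings.Split(strings.Trim(u.Path, "/"), "/")
		if len(parts) != 3 || parts[0] != "keys" || parts[1] == "" || parts[2] == "" {
			return nil, fmt.Errorf("expected /keys/{name}/{version} in %q", raw)
		}
		vault, suffix, ok := strings.Cut(u.Host, ".")
		if !ok {
			return nil, fmt.Errorf("host %q has no DNS suffix", u.Host)
		}
		cloud, known := cloudBySuffix[strings.ToLower(suffix)]
		if !known {
			cloud = "unknown"
		}
		keys = append(keys, KeyVaultKey{URL: raw, Vault: vault, Suffix: suffix,
			Name: parts[1], Version: parts[2], Cloud: cloud})
	}
	return keys, nil
}

// Mismatched returns the keys whose cloud differs from the one selected by
// AZURE_ENVIRONMENT. The token obtained for that environment is issued by its
// own STS, so Key Vault in any other cloud rejects it with 401 (AKV10032
// "Invalid issuer"), exactly as in the error shown in the issue.
func Mismatched(keys []KeyVaultKey, azureEnvironment string) []KeyVaultKey {
	if azureEnvironment == "" {
		azureEnvironment = "AzurePublicCloud" // assumption: public cloud is the default
	}
	var out []KeyVaultKey
	for _, k := range keys {
		if !strings.EqualFold(k.Cloud, azureEnvironment) {
			out = append(out, k)
		}
	}
	return out
}

func main() {
	// Constructed sample mirroring the issue's second .sops.yaml (placeholder names).
	const rule = "https://myvault.vault.usgovcloudapi.net/keys/mygovkey/someversion," +
		"https://myvault.vault.azure.net/keys/mykey/someversion"
	keys, err := ParseKeyVaultKeys(rule)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, k := range keys {
		fmt.Printf("%-24s %s\n", k.Cloud, k.URL)
	}
	for _, k := range Mismatched(keys, "AzureUsGovernmentCloud") {
		fmt.Printf("will 401 under AZURE_ENVIRONMENT=AzureUsGovernmentCloud: %s\n", k.URL)
	}
}
```

Run against the issue's rule with `AzureUsGovernmentCloud` selected, the check flags the public-cloud key; with the variable unset it flags the Gov key instead, which is the same conclusion the author draws from the order of operations in the error output.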