Different AWS profiles are ignored when using multiple KMS keys
DrLuke opened this issue · 0 comments
DrLuke commented
I'm trying to use two KMS keys living in two different AWS accounts, so that each account can access the encrypted contents. Similar to the setup in #1093.
I've created the following .sops.yaml:
---
creation_rules:
  - key_groups:
      - kms:
          - arn: arn:aws:kms:eu-central-1:ACCOUNT1:key/KEY1
            aws_profile: profile1
          - arn: arn:aws:kms:eu-central-1:ACCOUNT2:key/KEY2
            aws_profile: profile2
But when encrypting a file I get the following error:
error updating one or more master keys: [failed to encrypt new data key with master key "arn:aws:kms:eu-central-1:ACCOUNT2:key/KEY2": failed to encrypt sops data key with AWS KMS: operation error KMS: Encrypt, https response error StatusCode: 400, RequestID: [REDACTED], api error AccessDeniedException: User: arn:aws:sts::ACCOUNT1:assumed-role/[REDACTED] is not authorized to perform: kms:Encrypt on this resource because the resource does not exist in this Region, no resource-based policies allow access, or a resource-based policy explicitly denies access]
It seems to me like sops is using the default profile (which is profile1) instead of the defined profile.
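A quick way to narrow down an AccessDeniedException like the one above is to confirm, per KMS entry, that the named aws_profile actually resolves to credentials in the key's own account; if every profile checks out, the remaining suspect is how the tool selects credentials. This is an added diagnostic, not code from sops or from the issue; the KMS entries are embedded as a constructed list (mirroring the .sops.yaml above) and the only real AWS call is STS GetCallerIdentity via boto3.

```python
"""Check that each KMS key's aws_profile resolves to credentials in the key's account."""
import re

# Constructed copy of the kms entries from the .sops.yaml in the report.
KMS_ENTRIES = [
    {"arn": "arn:aws:kms:eu-central-1:111111111111:key/KEY1", "aws_profile": "profile1"},
    {"arn": "arn:aws:kms:eu-central-1:222222222222:key/KEY2", "aws_profile": "profile2"},
]

# arn:aws:kms:<region>:<account>:key/<id>  (account may be a placeholder in docs)
ARN_RE = re.compile(r"^arn:aws:kms:([a-z0-9-]+):([^:]+):key/.+$")


def arn_account(arn):
    """Return the account component of a KMS key ARN."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not a KMS key ARN: {arn}")
    return m.group(2)


def check_profiles(entries, caller_account):
    """For each entry, resolve the profile to an account via caller_account(profile)
    and compare it with the ARN's account. Returns (arn, profile, resolved, ok) tuples."""
    results = []
    for entry in entries:
        arn, profile = entry["arn"], entry.get("aws_profile")
        resolved = caller_account(profile)
        results.append((arn, profile, resolved, resolved == arn_account(arn)))
    return results


def sts_caller_account(profile):
    """Real resolver: ask STS which account the profile's credentials belong to."""
    import boto3  # only needed when talking to AWS
    session = boto3.Session(profile_name=profile)
    return session.client("sts").get_caller_identity()["Account"]


if __name__ == "__main__":
    for arn, profile, acct, ok in check_profiles(KMS_ENTRIES, sts_caller_account):
        print("OK      " if ok else "MISMATCH", profile, "->", acct, "for", arn)
```

A MISMATCH line points at a profile or credential problem; all OK with the encryption still failing points at the tool not honouring aws_profile.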