getsops/sops

Different AWS profiles are ignored when using multiple KMS keys

DrLuke opened this issue · 0 comments

I'm trying to use two KMS keys living in two different AWS accounts, so that each account can access the encrypted contents. Similar to the setup in #1093.

I've created the following .sops.yaml:

---
creation_rules:
  - key_groups:
      - kms:
          - arn: arn:aws:kms:eu-central-1:ACCOUNT1:key/KEY1
            aws_profile: profile1
          - arn: arn:aws:kms:eu-central-1:ACCOUNT2:key/KEY2
            aws_profile: profile2

But when encrypting a file I get the following error:

error updating one or more master keys: [failed to encrypt new data key with master key "arn:aws:kms:eu-central-1:ACCOUNT2:key/KEY2": failed to encrypt sops data key with AWS KMS: operation error KMS: Encrypt, https response error StatusCode: 400, RequestID: [REDACTED], api error AccessDeniedException: User: arn:aws:sts::ACCOUNT1:assumed-role/[REDACTED] is not authorized to perform: kms:Encrypt on this resource because the resource does not exist in this Region, no resource-based policies allow access, or a resource-based policy explicitly denies access]

It seems to me like sops is using the default profile (which is profile1) instead of the defined profile.
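A diagnostic added here (not from the issue or from sops itself) that exercises each key/profile pair from the .sops.yaml directly with the AWS CLI, so an IAM or key-policy problem can be separated from sops' profile handling before filing or debugging further. It assumes the aws CLI v2 is installed, that the named profiles exist in ~/.aws/config, and that SOPS_CONFIG points at the file (the default path is a placeholder).

```shell
#!/bin/sh
# Added diagnostic, not part of sops: check that every KMS key listed in
# .sops.yaml is usable through its own named profile, independent of sops.
# Assumes the aws CLI v2 and the profiles referenced in the config.

SOPS_CONFIG="${SOPS_CONFIG:-.sops.yaml}"   # placeholder default path

# Print "<key arn> <profile>" for each kms entry. Entries without an
# aws_profile are reported as DEFAULT, since sops then uses default creds.
kms_pairs() {
  awk '
    /^[ \t]*-[ \t]*arn:/  { if (arn != "") print arn, "DEFAULT";
                            sub(/^[ \t]*-[ \t]*arn:[ \t]*/, ""); arn = $0 }
    /^[ \t]*aws_profile:/ { sub(/^[ \t]*aws_profile:[ \t]*/, "");
                            print arn, $0; arn = "" }
    END                   { if (arn != "") print arn, "DEFAULT" }
  ' "$1"
}

# Try a one-byte kms:Encrypt with the named profile; the key is pinned by
# ARN, so region and account come from the ARN rather than the profile.
check_key() {
  arn="$1"; profile="$2"
  if [ "$profile" = "DEFAULT" ]; then
    echo "WARN  $arn has no aws_profile; sops will use default credentials"
    return 0
  fi
  if aws kms encrypt --profile "$profile" --key-id "$arn" \
       --plaintext "$(printf x | base64)" --query KeyId --output text \
       >/dev/null 2>&1; then
    echo "OK    $profile can kms:Encrypt with $arn"
  else
    echo "FAIL  $profile cannot kms:Encrypt with $arn (region, key policy or IAM)"
    return 1
  fi
}

# Run the check for every pair; exit status 1 if any pair fails.
check_all() {
  status=0
  for pair in $(kms_pairs "$1" | tr ' ' ','); do
    check_key "${pair%,*}" "${pair#*,}" || status=1
  done
  return $status
}

if [ -f "$SOPS_CONFIG" ]; then
  check_all "$SOPS_CONFIG"
fi
```

If every pair reports OK here but sops still fails with AccessDenied on the second key, the credentials sops used for that key did not come from the listed profile.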