getsops/sops

Using adminAssumeRole in KMS: encryption works fine; decryption gives `No keys found in file`

notjames opened this issue · 5 comments

This is almost probably my fault with respect to how KMS is set up, but the problem I am reporting deals more with the fact that if SOPS can encrypt something (using KMS) then it doesn't make sense that no keys exist for decryption.

My setup:

  • AWS master account contains two KMS symmetrical keys.
  • master account: policies and role in place to allow role assumption for the created keys
  • dev account: contains policies and role to allow role assumption to created keys in master account

Trying to find solid and thorough documentation on .sops.yaml is challenging. The README has good stuff, but it's not thorough. Here's my .sops.yaml:

---
creation_rules:
  - arn: 'arn:aws:kms:us-east-1:<master-account REDACTED>:key/80f48cc5-<REDACTED>' # us east 1
    role: 'arn:aws:iam::<dev-account REDACTED>:role/adminAssumeRole'
  - arn: 'arn:aws:kms:us-west-2:<master-account REDACTED>:key/541575ba-<REDACTED>' # us west 2
    role: 'arn:aws:iam::<dev-account REDACTED>:role/adminAssumeRole'

Using a test yaml file:

Here's my encryption output:

✦3 at 11:18:34 ❯ sops --verbose -e assume-role-secret.yaml 
secrets:
    password: ENC[AES256_GCM,data:miQ6/3CWC5uWSLNpP/zWwKFa+g==,iv:G83BetwngWg1bbcNiUL4io1Lu9tkZouLc7Ts0DkQOzY=,tag:u1kOtm1XFIDMJBl9MC2j7Q==,type:str]
sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    lastmodified: '2021-01-21T18:18:59Z'
    mac: ENC[AES256_GCM,data:QEQqMZJn4gzo4TTebzq6EnHNzvMt9UzTn5qELYKFtDUkOHh+VLQu+ZRDlBRP1UwEx5xxfFUj7PhRUjWGjDOsczm/Cb7Xc30O2fMFF8NRwcrKvPBM2IVPk/G8UYyT3lB1sR4wHXlbFjg2Lz0tSMbKts07/ebKH7/om6vFWqmsx08=,iv:GIQxgAsRG2KTtKprjcwZxxJa3l5BovIFGBNf/MXcKjw=,tag:W7sOM0Fd4qqxDwb+Oam8Lw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.6.1

I don't see how it's possible to have successfully encrypted something using a symmetrical key from AWS and not have the key listed in the kms list.

I figured out the problem was with my .sops.yaml. My fixed config, which I basically intuited from examples in the README is:

---
creation_rules:
  - kms: 'arn:aws:kms:us-east-1:<master-account REDACTED>:key/80f48cc5-<REDACTED>,arn:aws:kms:us-west-2:<master-account REDACTED>:key/541575ba-<REDACTED>'
    role: 'arn:aws:iam::429863676324:role/adminAssumeRole'

Can you reliably reproduce this? Getting a file in which there's no actual encryption key stored is definitely a bug. I've never seen that happen.

BTW, you probably want a path_regex in your creation rule.

I will go through my steps above with the config stated and see if I can reproduce this. I'll let you know.

> BTW, you probably want a path_regex in your creation rule.

The documentation for .sops.yaml is pretty bad. Use of the path_regex directive as stated in the doc is confusing if I've a single key that I want to use for everything.

The previously cross-referenced issues show that this issue frequently happens when the .sops.yaml file is incorrect but at least contains some data in creation_rules.

Another example:

.sops.yaml

creation_rules:
  - wwwww:

$ sops --verbose --encrypt test.yaml
example_string: ENC[AES256_GCM,data:XtEe,iv:3XrUiyrmq99ymFHx8fdfeq13ymCrfgBQYc08Xi1hsBs=,tag:M0iLmrRT7TuFj8ix6YiQLA==,type:str]
example_number: ENC[AES256_GCM,data:KQs=,iv:Kr9Zw4aK3B9GLczfAmH98Onmz7n6lRIa83inRtfhEes=,tag:jhAU/fLMECIWE8YEitfTRw==,type:int]
example_map:
    secret_key: ENC[AES256_GCM,data:ZLzikH0=,iv:+Mz/Z6F4LpNhhIHf74u4QAMae9VbBTVZRDqKlq2lSJI=,tag:NKTPqY7ydFjIRLjmYdOK2A==,type:str]
sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age: []
    lastmodified: "2023-02-13T10:46:59Z"
    mac: ENC[AES256_GCM,data:+xy+u2p7QIB8ULKzZpc+xRZnWPvshY9pyjpCfE7U/YEjj8+rN5fFyj27SDCQ7e3136vODbgNKsfVdrHxEhHEcz7EihcsZDMh9EI5kcbQ5iqVdsZr7n9VIVyXs+xN1sqpeeLmcDSc0zIZnQu/ssFXTsOMbsUbVXtdSWGMB453GQo=,iv:goMaKDPfaWjNa9CCtgHh/AcCRd9quulrXaAHBvcqx6w=,tag:OgirtKzLyMWmhKHq998hAQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.3
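Both outputs in this thread share one failure mode: the file is encrypted, but every master-key list under `sops:` is empty, so nobody can recover the data key. The check below is an added example (not part of the thread or of sops itself) that catches this in CI or a pre-commit hook, plus a check for the root cause, a creation rule that names no key source. It works on sops' JSON output format to avoid a YAML dependency; the key-source names are taken from the sops README, and the sample documents and ARNs are constructed placeholders.

```python
import json

# Master-key lists in a sops metadata block (those in the thread's output, plus `age`).
META_KEY_LISTS = ("kms", "gcp_kms", "azure_kv", "hc_vault", "age", "pgp")
# Key-source directives a .sops.yaml creation rule can carry (names as documented in the
# sops README; `arn:` and `wwwww:` from the thread are not among them and are ignored).
RULE_KEY_SOURCES = {"kms", "pgp", "age", "gcp_kms", "azure_keyvault",
                    "hc_vault_transit_uri", "key_groups"}


def rule_names_key_source(rule):
    """True if a parsed creation_rules entry names at least one key source."""
    return bool(RULE_KEY_SOURCES & set(rule))


def count_master_keys(meta):
    """Count master keys in a sops metadata block, including Shamir key_groups."""
    total = sum(len(meta.get(f) or []) for f in META_KEY_LISTS)
    for group in meta.get("key_groups") or []:
        total += sum(len(group.get(f) or []) for f in META_KEY_LISTS)
    return total


def check_encrypted_file(text):
    """Parse a sops-encrypted JSON document; return (ok, message)."""
    meta = json.loads(text).get("sops")
    if meta is None:
        return False, "no 'sops' metadata block: file was never encrypted"
    n = count_master_keys(meta)
    if n == 0:
        return False, "sops metadata records no master keys: the data key is unrecoverable"
    return True, f"{n} master key(s) recorded"


# Constructed samples in sops' JSON output form; ENC[...] values and IDs are placeholders.
BROKEN = json.dumps({"secrets": {"password": "ENC[AES256_GCM,data:PLACEHOLDER,type:str]"},
    "sops": {"kms": [], "gcp_kms": [], "azure_kv": [], "hc_vault": [], "pgp": [],
             "mac": "ENC[PLACEHOLDER]", "unencrypted_suffix": "_unencrypted", "version": "3.6.1"}})
GOOD = json.dumps({"secrets": {"password": "ENC[AES256_GCM,data:PLACEHOLDER,type:str]"},
    "sops": {"kms": [{"arn": "arn:aws:kms:us-east-1:000000000000:key/PLACEHOLDER-KEY-ID",
                      "role": "arn:aws:iam::000000000000:role/adminAssumeRole",
                      "enc": "PLACEHOLDER"}],
             "gcp_kms": [], "azure_kv": [], "hc_vault": [], "pgp": [],
             "mac": "ENC[PLACEHOLDER]", "unencrypted_suffix": "_unencrypted", "version": "3.6.1"}})

if __name__ == "__main__":
    print(check_encrypted_file(BROKEN))  # (False, '...unrecoverable')
    print(check_encrypted_file(GOOD))    # (True, '1 master key(s) recorded')
    print(rule_names_key_source({"arn": "arn:aws:kms:...", "role": "..."}))  # False
    print(rule_names_key_source({"kms": "arn:aws:kms:...", "role": "..."}))  # True
```

Running `check_encrypted_file` over every `sops -e` result before it is committed turns the silent `kms: []` case into a hard failure instead of a later `No keys found in file`.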