sethvargo/vault-on-gke

root token output not decrypted issue

prankin272 opened this issue · 4 comments

Question
What is your question?
With regards to outputting the token and it being encrypted, I don't quite understand/get this.

So the output in my terraform is this here:

output "root_token_decrypt_command" {
  value = "gsutil cat gs://${google_storage_bucket.vault_bucket.name}/root-token.enc | base64 --decode | gcloud kms decrypt --key ${google_kms_crypto_key.cryptokey.id} --ciphertext-file - --plaintext-file -"
}

When I check the storage bucket, I can see root-token.enc in the bucket. Upon opening it, it looks like it is still encrypted, even though it should be decrypted as per the above output, correct?

CiQA8VIapYmJevYGEisOXOD/<redacted>zS5aBucFKmu6by6ESQwAuhAj8k8xQFNnqzHNohmMx4S/W58QKYtQt2sprYfxeNupV41kD6fwOkFB5iM8qoE/Rowj4dDT3c0iQkSxJQhMKQpA=

Either way, with the value in that file, even if I try to decode it via online decoders, it is not recognised.

Any ideas or advice would be much appreciated.

Considerations
Are there any other considerations?

Hi @prankin272

The token is encrypted inside the bucket. So when you download it from the storage bucket, it's encrypted. You have to download it, decode it, and decrypt it. That's what the command does.

Hi @sethvargo thanks very much for the reply.

I have tried manually doing that using this cmd:

gcloud kms decrypt \
  --location "global" \
  --keyring "my-keyring" \
  --key "my-symmetric-key" \
  --plaintext-file - \
  --ciphertext-file ./root-token.enc

But get this error:

ERROR: (gcloud.kms.decrypt) INVALID_ARGUMENT: Decryption failed: the ciphertext is invalid.

I am also doing this deployment via an Azure DevOps CI/CD pipeline, so I can't do much from a local POV with regards to terraform output cmds.

The ciphertext is base64-encoded. The full command is:

gsutil cat gs://${google_storage_bucket.vault_bucket.name}/root-token.enc | base64 --decode | gcloud kms decrypt --key ${google_kms_crypto_key.cryptokey.id} --ciphertext-file - --plaintext-file -

Many thanks @sethvargo for the help. Running that locally in my terminal works (just had to add the location and keyring name to the cmd too).
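As an added example (not code from the vault-on-gke project), the download, decode and decrypt pipeline from the answer above wrapped in a script, with a check for the failure mode in this thread: passing the still-base64-encoded object straight to gcloud kms decrypt, which is what produces "the ciphertext is invalid". The bucket, keyring, key and location arguments are assumed inputs; the key is given as a bare name, which is why --location and --keyring are spelled out.

```shell
#!/usr/bin/env bash
# Added example, not part of sethvargo/vault-on-gke.
# The object in the bucket holds KMS ciphertext wrapped in base64, so it has
# two layers to strip: base64 first, then KMS.
set -eu

# True if the file contains only base64 text (what `gsutil cat` returns).
# Raw KMS ciphertext bytes would fail this test.
is_base64_text() {
  LC_ALL=C tr -d '\n\r' < "$1" | LC_ALL=C grep -qE '^[A-Za-z0-9+/]+={0,2}$'
}

# Strip the base64 layer and write the raw KMS ciphertext bytes to stdout.
unwrap_ciphertext() {
  base64 --decode < "$1"
}

# Full pipeline: download, base64-decode, KMS-decrypt.
# Assumed arguments: bucket name, key ring name, key name, location.
decrypt_root_token() {
  local bucket="$1" keyring="$2" key="$3" location="${4:-global}"
  local tmp
  tmp="$(mktemp)"
  gsutil cat "gs://${bucket}/root-token.enc" > "$tmp"
  if ! is_base64_text "$tmp"; then
    echo "root-token.enc is not base64 text; refusing to decrypt it as-is" >&2
    rm -f "$tmp"
    return 1
  fi
  unwrap_ciphertext "$tmp" | gcloud kms decrypt \
    --location "$location" \
    --keyring "$keyring" \
    --key "$key" \
    --ciphertext-file - \
    --plaintext-file -
  rm -f "$tmp"
}
```

Running `gcloud kms decrypt --ciphertext-file ./root-token.enc` on the downloaded object skips `unwrap_ciphertext`, which is the step the manual command in this thread was missing.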