Skip to content

Commit

Permalink
Allow aws profile setting from metadata to be overridden.
Browse files Browse the repository at this point in the history
When decrypting, sops uses the AWS profile setting stored
in the encrypted file metadata. This is a problem as the
profile can change from user to user.

This change will allow the AWS profile setting to be overridden
by the '--aws-profile' flag and the AWS_PROFILE environment
variable, in that order of precedence. The metadata value is
used as a last resort only.
  • Loading branch information
Leandro Martelli committed Oct 24, 2024
1 parent e0c970a commit 401d4dd
Show file tree
Hide file tree
Showing 3 changed files with 29 additions and 5 deletions.
17 changes: 17 additions & 0 deletions cmd/sops/common/common.go
Original file line number Diff line number Diff line change
Expand Up @@ -230,6 +230,7 @@ type GenericDecryptOpts struct {
IgnoreMAC bool
KeyServices []keyservice.KeyServiceClient
DecryptionOrder []string
UseAwsProfile string
}

// LoadEncryptedFileWithBugFixes is a wrapper around LoadEncryptedFile which includes
Expand All @@ -251,6 +252,22 @@ func LoadEncryptedFileWithBugFixes(opts GenericDecryptOpts) (*sops.Tree, error)
}
}

awsProfile := os.Getenv("AWS_PROFILE")
if opts.UseAwsProfile != "" {
awsProfile = opts.UseAwsProfile
}

if awsProfile != "" {
for _, keyGroup := range tree.Metadata.KeyGroups {
for _, masterKey := range keyGroup {
kmsMasterKey, ok := (masterKey).(*kms.MasterKey)
if ok {
kmsMasterKey.AwsProfile = awsProfile
}
}
}
}

return tree, nil
}

Expand Down
12 changes: 7 additions & 5 deletions cmd/sops/decrypt.go
Original file line number Diff line number Diff line change
Expand Up @@ -23,15 +23,17 @@ type decryptOpts struct {
Extract []interface{}
KeyServices []keyservice.KeyServiceClient
DecryptionOrder []string
UseAwsProfile string
}

func decryptTree(opts decryptOpts) (tree *sops.Tree, err error) {
tree, err = common.LoadEncryptedFileWithBugFixes(common.GenericDecryptOpts{
Cipher: opts.Cipher,
InputStore: opts.InputStore,
InputPath: opts.InputPath,
IgnoreMAC: opts.IgnoreMAC,
KeyServices: opts.KeyServices,
Cipher: opts.Cipher,
InputStore: opts.InputStore,
InputPath: opts.InputPath,
IgnoreMAC: opts.IgnoreMAC,
KeyServices: opts.KeyServices,
UseAwsProfile: opts.UseAwsProfile,
})
if err != nil {
return nil, err
Expand Down
5 changes: 5 additions & 0 deletions cmd/sops/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -743,6 +743,10 @@ func main() {
Usage: "comma separated list of decryption key types",
EnvVar: "SOPS_DECRYPTION_ORDER",
},
cli.StringFlag{
Name: "aws-profile",
Usage: "The AWS profile to use for requests to AWS",
},
}, keyserviceFlags...),
Action: func(c *cli.Context) error {
if c.Bool("verbose") {
Expand Down Expand Up @@ -796,6 +800,7 @@ func main() {
KeyServices: svcs,
DecryptionOrder: order,
IgnoreMAC: c.Bool("ignore-mac"),
UseAwsProfile: c.String("aws-profile"),
})
if err != nil {
return toExitError(err)
Expand Down

0 comments on commit 401d4dd

Please sign in to comment.