-
Notifications
You must be signed in to change notification settings - Fork 894
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add support for kms key aliases #381
Comments
Duplicate of #366 |
This isn't actually a duplicate of 366. I was talking about the AWS key alias mechanism (e.g. |
Oh, cool, I didn't know that even existed! Reopening |
This does not seem to be fixed in
requires the full arn (which defies the point of an alias?) |
I have no idea how that AWS feature works, but #415 shows you don't need to provide the full ARN. You need the account ID and the alias name. We still have to tell the AWS SDK that it's an alias somehow. I'm not sure I understand why this is an issue for you. My guess (but it's just that, a guess) is that you're specifying the key through command line flags, which to me feels like doing it wrong. It is convenient for one-off operations and examples, but I don't think it really is how you should actually use |
Hey there thanks for the reply. I'll check the sops yaml setup (am using it via the kustomize sops plugin FYI) but i suspect based on the code i pasted above the full arn will still be necessary Also re the purpose of a kms alias: its point appears to be to not require the region nor acc id as per https://docs.aws.amazon.com/cli/latest/reference/kms/encrypt.html
as you can see
is valid and then allows keys to be used independently of region and acc id |
I'm afraid so.
I see. I think it would indeed be nice to be able to provide the key in the same formats the AWS CLI takes, which we currently don't support. |
It would be amazing if this could be implemented. Especially now that KMS supports multi-regional keys: |
we get the following error in decrypt process with alias
cloudtrail:
our solution: encrypt:
decrypt:
we need to use
https://docs.amazonaws.cn/en_us/kms/latest/developerguide/alias-authorization.html |
as far as I've tested, this one is resolved in the meantime and should be closed. |
@typekpb how did you test this?
The code still only checks for an ARN: https://github.com/mozilla/sops/blob/1bb30e28b484dd0f8611ee1807766c9bbdc941ad/kms/keysource.go#L196-L201 |
@dudicoco check my last comment for IAM policy - this is working |
@haarchri this issue is specifically about using the alias without the full ARN - |
using the arn of the alias is not an option ? |
@haarchri for some it is, for others it's preferable to not use the full ARN |
This would make using multi-region keys considerably easier, especially in a DR scenario (not sure if KMS has ever gone down in a region but it's feasible). I'll take a look at the code in #541 and see if I can make it work for all scenarios supported by the Just to be clear: this PR might be a month or so away; I don't want to set expectations too high! |
I'm not sure this is needed. You can use the alias name with the following ARN:
For example:
|
We know the full ARN can be used, it's all over the comments and in the original comment as well... |
Hello everyone. If anyone has idea to join it, feel free for it. When the logic seems to be completed, I'll turn it to pr. |
It would be convenient be able to use a key alias as in:
aws kms encrypt --key-id alias/my-key ...
rather than having to provide the full arn.
The text was updated successfully, but these errors were encountered: