From a30a03b0704beef017ca3bd9fe5836802af69ee2 Mon Sep 17 00:00:00 2001 From: Leandro Martelli Date: Thu, 24 Oct 2024 15:55:42 +0200 Subject: [PATCH] Allow aws profile setting from metadata to be overridden. When decrypting, sops uses the AWS profile setting stored in the encrypted file metadata. This is a problem as the profile can change from user to user. This change will allow the AWS profile setting to be overridden by the '--aws-profile' flag and the AWS_PROFILE environment variable, in that order of precedence. The metadata value is used as a last resort only. Signed-off-by: Leandro Martelli --- cmd/sops/common/common.go | 17 +++++++++++++++++ cmd/sops/decrypt.go | 12 +++++++----- cmd/sops/main.go | 5 +++++ 3 files changed, 29 insertions(+), 5 deletions(-) diff --git a/cmd/sops/common/common.go b/cmd/sops/common/common.go index 074b71c62..d6e4b3ac5 100644 --- a/cmd/sops/common/common.go +++ b/cmd/sops/common/common.go @@ -230,6 +230,7 @@ type GenericDecryptOpts struct { IgnoreMAC bool KeyServices []keyservice.KeyServiceClient DecryptionOrder []string + UseAwsProfile string } // LoadEncryptedFileWithBugFixes is a wrapper around LoadEncryptedFile which includes @@ -251,6 +252,22 @@ func LoadEncryptedFileWithBugFixes(opts GenericDecryptOpts) (*sops.Tree, error) } } + awsProfile := os.Getenv("AWS_PROFILE") + if opts.UseAwsProfile != "" { + awsProfile = opts.UseAwsProfile + } + + if awsProfile != "" { + for _, keyGroup := range tree.Metadata.KeyGroups { + for _, masterKey := range keyGroup { + kmsMasterKey, ok := (masterKey).(*kms.MasterKey) + if ok { + kmsMasterKey.AwsProfile = awsProfile + } + } + } + } + return tree, nil } diff --git a/cmd/sops/decrypt.go b/cmd/sops/decrypt.go index db038787b..f5a13a03e 100644 --- a/cmd/sops/decrypt.go +++ b/cmd/sops/decrypt.go @@ -23,15 +23,17 @@ type decryptOpts struct { Extract []interface{} KeyServices []keyservice.KeyServiceClient DecryptionOrder []string + UseAwsProfile string } func decryptTree(opts decryptOpts) (tree *sops.Tree, err error) { tree, err = common.LoadEncryptedFileWithBugFixes(common.GenericDecryptOpts{ - Cipher: opts.Cipher, - InputStore: opts.InputStore, - InputPath: opts.InputPath, - IgnoreMAC: opts.IgnoreMAC, - KeyServices: opts.KeyServices, + Cipher: opts.Cipher, + InputStore: opts.InputStore, + InputPath: opts.InputPath, + IgnoreMAC: opts.IgnoreMAC, + KeyServices: opts.KeyServices, + UseAwsProfile: opts.UseAwsProfile, }) if err != nil { return nil, err diff --git a/cmd/sops/main.go b/cmd/sops/main.go index 42883ff37..debdbba84 100644 --- a/cmd/sops/main.go +++ b/cmd/sops/main.go @@ -743,6 +743,10 @@ func main() { Usage: "comma separated list of decryption key types", EnvVar: "SOPS_DECRYPTION_ORDER", }, + cli.StringFlag{ + Name: "aws-profile", + Usage: "The AWS profile to use for requests to AWS", + }, }, keyserviceFlags...), Action: func(c *cli.Context) error { if c.Bool("verbose") { @@ -796,6 +800,7 @@ func main() { KeyServices: svcs, DecryptionOrder: order, IgnoreMAC: c.Bool("ignore-mac"), + UseAwsProfile: c.String("aws-profile"), }) if err != nil { return toExitError(err)