
Problem when using sops (mozilla/sops) #6

Closed
z0mbix opened this issue Jun 5, 2020 · 9 comments

Comments

@z0mbix

z0mbix commented Jun 5, 2020

sops works OK without aws-sso-fetcher using the AWS environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN), but when I introduce it, it doesn't.

When running with aws-sso-fetcher enabled, I get:

» sops -d secrets.yaml
Failed to get the data key required to decrypt the SOPS file.

Group 0: FAILED
  arn:aws:kms:eu-west-1:XXXXXXXXXXXX:key/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX: FAILED
    - | Error decrypting key: ProcessProviderParseError: parse
      | failed of credential_process output: {
      |   "Version": 1,
      |   "AccessKeyId": "redacted",
      |   "SecretAccessKey":
      | "redacted",
      |   "SessionToken":
      | "redacted",
      |   "Expiration"
      | caused by: unexpected end of JSON input

Recovery failed because no master key was able to decrypt the file. In
order for SOPS to recover the file, at least one key has to be successful,
but none were.

I have the env var AWS_SDK_LOAD_CONFIG=1 set.

aws-sso-fetcher works fine with terraform/terragrunt and other tools I've tested.

My ~/.aws/config file is:

[profile nonprod]
credential_process = /Users/z0mbix/bin/Darwin/aws-sso-fetcher nonprod
sso_start_url = https://d-XXXXXXXXXX.awsapps.com/start
sso_region = eu-west-1
sso_account_id = XXXXXXXXXXXX
sso_role_name = AdministratorAccess
region = eu-west-1
output = json
cli_pager=

I'm using aws-sso-fetcher version 0.0.2 on Mac OS Catalina.
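The error quoted above is the AWS SDK for Go rejecting what it read from the helper's stdout: the document stops at `"Expiration"` with no value, so the decoder reports `unexpected end of JSON input` before the SDK ever checks the fields. The following validator is an added illustration, not code from aws-sso-fetcher or sops. It assumes the documented credential_process contract (a JSON object with `Version` 1, required `AccessKeyId` and `SecretAccessKey`, optional `SessionToken` and an RFC 3339 `Expiration`) and feeds it two constructed samples: one truncated like the output in this report and one well-formed, with placeholder key material that is not a real credential. It separates decoder failures (cut-off or non-JSON output) from semantic ones (wrong version, missing fields, already expired), which is the first thing to check when a helper works with one SDK and not another.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// ProcessCredentials mirrors the JSON document the AWS SDKs and CLI expect a
// credential_process helper to print on stdout (assumed contract: Version
// must be 1, AccessKeyId and SecretAccessKey are required, SessionToken and
// an RFC 3339 Expiration are optional).
type ProcessCredentials struct {
	Version         int        `json:"Version"`
	AccessKeyID     string     `json:"AccessKeyId"`
	SecretAccessKey string     `json:"SecretAccessKey"`
	SessionToken    string     `json:"SessionToken,omitempty"`
	Expiration      *time.Time `json:"Expiration,omitempty"`
}

// TruncatedOutput is a constructed sample modelled on the output quoted in
// the issue: the helper was cut off before the Expiration value, so the
// document is not valid JSON.
const TruncatedOutput = `{
  "Version": 1,
  "AccessKeyId": "redacted",
  "SecretAccessKey": "redacted",
  "SessionToken": "redacted",
  "Expiration"`

// CompleteOutput is a constructed, well-formed sample; the key values are
// placeholder text, not real credentials.
const CompleteOutput = `{
  "Version": 1,
  "AccessKeyId": "AKIAEXAMPLEEXAMPLE",
  "SecretAccessKey": "example-secret-not-a-real-key",
  "SessionToken": "example-session-token",
  "Expiration": "2020-06-05T12:00:00Z"
}`

// ParseCredentialProcessOutput decodes and sanity-checks one helper output.
// The current time is passed in so the expiry check is deterministic.
func ParseCredentialProcessOutput(raw []byte, now time.Time) (*ProcessCredentials, error) {
	var creds ProcessCredentials
	if err := json.Unmarshal(raw, &creds); err != nil {
		// A truncated document surfaces here as "unexpected end of JSON input",
		// the same message the SDK wrapped in ProcessProviderParseError.
		return nil, fmt.Errorf("parse failed of credential_process output: %w", err)
	}
	if creds.Version != 1 {
		return nil, fmt.Errorf("unsupported credential_process Version %d (expected 1)", creds.Version)
	}
	if creds.AccessKeyID == "" || creds.SecretAccessKey == "" {
		return nil, errors.New("credential_process output is missing AccessKeyId or SecretAccessKey")
	}
	if creds.Expiration != nil && !creds.Expiration.After(now) {
		return nil, fmt.Errorf("credential_process output already expired at %s",
			creds.Expiration.Format(time.RFC3339))
	}
	return &creds, nil
}

// IsSyntaxError reports whether err came from the JSON decoder rather than
// from one of the semantic checks. That distinguishes a cut-off or non-JSON
// helper output (a stray log line on stdout, a partial write) from a
// well-formed document with unacceptable contents.
func IsSyntaxError(err error) bool {
	var syntaxErr *json.SyntaxError
	return errors.As(err, &syntaxErr)
}

func main() {
	now := time.Date(2020, 6, 5, 0, 0, 0, 0, time.UTC)
	samples := []struct{ name, body string }{
		{"truncated", TruncatedOutput},
		{"complete", CompleteOutput},
	}
	for _, s := range samples {
		creds, err := ParseCredentialProcessOutput([]byte(s.body), now)
		if err != nil {
			fmt.Printf("%-9s rejected (decoder error: %t): %v\n", s.name, IsSyntaxError(err), err)
			continue
		}
		expires := "none"
		if creds.Expiration != nil {
			expires = creds.Expiration.Format(time.RFC3339)
		}
		fmt.Printf("%-9s accepted: AccessKeyId=%s expires=%s\n", s.name, creds.AccessKeyID, expires)
	}
}
```

Running the helper by hand and piping its stdout through a check like this (rather than eyeballing it) catches the case where stdout is only mostly JSON; anything the helper prints to stdout other than the document, including a trailing log line or a partial write, is enough to break every SDK that consumes it.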

@flyinprogrammer
Owner

hmmm interesting, i'll take a look later today

@flyinprogrammer
Owner

flyinprogrammer commented Jun 6, 2020

sops --version
# sops 3.5.0 (latest)

seemed to work just fine ?

env | grep AWS
# AWS_PROFILE=hpydev_dev
# AWS_SDK_LOAD_CONFIG=1

and my secret:

foo: ENC[AES256_GCM,data:NwGVixNR5c6fxL5Sru/g9KoJor0c90RZhe6W9TQjS0DBzA==,iv:GJFwkJWCytq+gi+GGKVrwDkCRIiR2krJyA5t8TYu9Lk=,tag:xEsBAw+UtKAl8aGpkutS3g==,type:str]
sops:
    kms:
    -   arn: arn:aws:kms:us-east-2:1234:key/b6f13696-3e63-4a0d-aa75-d1e89e7e88c3
        created_at: '2020-06-06T02:25:46Z'
        enc: AQICAHhzM58JWmeSgiTCercxBIqOICfA/f1uqmmvKYe6p+I2QwGIpdYVbSK1QPyvVKX7pPDjAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMfkt5nvDoeHOrUShfAgEQgDv5hhIqG8ij2kSBr6Z94H++qvRYbi9Gl0vQTsQftW/72Am0Z+aI3rvflEdxn/FK+5hUDcO1ddPo70ABFQ==
        aws_profile: ""
    gcp_kms: []
    azure_kv: []
    lastmodified: '2020-06-06T02:26:28Z'
    mac: ENC[AES256_GCM,data:LMksmt8TxpaVBpK6GH9qS+3idTyUI/7NLePHV71D0ZKM22oKT/OQImTuyIhfhwfGX00urt8MrtfWusxPP9RiZTg139bBhqgLsst2+8VkqCj3viAuIyE5Od1jRVnSTUPXkvRTxFU47sgUNO3u/CkbqdNVteeCwlcYI8bDwzY8dis=,iv:UO90ZJUniX/FKnq/GV7uMydu1FleFrPq66paEkobLVk=,tag:8WEV1EzIIakkV8SzIe8lHg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.5.0

and my ~/.aws/config file:

[profile hpydev_dev]
sso_start_url = https://hpydev.awsapps.com/start/
sso_region = us-east-2
sso_account_id = 1234
sso_role_name = AWSAdministratorAccess
region = us-east-2
output = json
credential_process = /Users/ascherger/bin/aws-sso-fetcher hpydev_dev

i also didn't have an ~/.aws/credentials file.

and then when I don't have AWS_SDK_LOAD_CONFIG set:

> unset AWS_SDK_LOAD_CONFIG
> sops -d test.yml
Failed to get the data key required to decrypt the SOPS file.

Group 0: FAILED
  arn:aws:kms:us-east-2:912613430019:key/b6f13696-3e63-4a0d-aa75-d1e89e7e88c3: FAILED
    - | Error decrypting key: NoCredentialProviders: no valid
      | providers in chain. Deprecated.
      | 	For verbose messaging see
      | aws.Config.CredentialsChainVerboseErrors

Recovery failed because no master key was able to decrypt the file. In
order for SOPS to recover the file, at least one key has to be successful,
but none were.

@flyinprogrammer
Owner

I think this commit 071f707 and v0.0.3 will not fix your problem at all - but perhaps it might. I'm certainly at a loss for how/what your problem might be, now that the print and cache functions are essentially identical.

Without being able to reproduce this issue it's kinda hard for me to help.

@z0mbix
Author

z0mbix commented Jun 6, 2020

Thanks for trying, but unfortunately it behaves exactly the same. The json output I get from running aws-sso-fetcher nonprod is fine, so I'm stumped!

@flyinprogrammer
Owner

flyinprogrammer commented Jun 6, 2020

what version and distro of sops are you using ? and can you get me an md5 hash of it?

@flyinprogrammer
Owner

you should see if using aws-vault fixes this: 99designs/aws-vault#549

@z0mbix
Author

z0mbix commented Jun 7, 2020

I have v3.5.0 installed from homebrew which is:

» md5 $(which sops)
MD5 (/usr/local/bin/sops) = 8b123eae2f067b7908b3ac2dc4035e63

I then tried the same (latest) version from the sops github releases:

» md5 ~/Downloads/sops
MD5 (/Users/z0mbix/Dropbox/bin/Darwin/sops) = 5e33d979a31436b9fc3740df91421e2a

Both exhibit the same behaviour. I'll give aws-vault a try.

@blagerweij

I've found an issue in AWS SDK for Go lang: try storing the setting for credential_process not in the ~/.aws/config file, but in ~/.aws/credentials instead. Although all documentation seems to imply to use the shared config file, it seems the Go credentials provider tries to find the key in the credentials file.

Also remember that the credentials file does not use the 'profile ' prefix, so try the following in ~/.aws/credentials:

[nonprod]
credential_process = /Users/z0mbix/bin/Darwin/aws-sso-fetcher nonprod

@flyinprogrammer
Owner

it seems the Go credentials providers tries to find the key in the credentials file.

is only a Go thing as far as i can tell, and is a bit madness. You should find running export AWS_SDK_LOAD_CONFIG=1 gets you back into cross-language support territory.

Since I can't reproduce this, and because this software is being deprecated, I would encourage you to check out https://github.com/99designs/aws-vault/releases/tag/v6.0.0-beta5 -- they support SSO with this release, and much much more, with a much larger group of folks.
