38 changes: 35 additions & 3 deletions cmd/sops/main.go
Expand Up @@ -528,6 +528,14 @@ func main() {
Name: "aws-profile",
Usage: "The AWS profile to use for requests to AWS",
},
cli.StringFlag{
Name: "aws-kms-endpoint",
Usage: "The AWS KMS Endpoint to use for requests to AWS. Ex: https://kms.ap-southeast-2.amazonaws.com",
},
cli.StringFlag{
Name: "aws-sts-endpoint",
Usage: "The AWS STS Endpoint to use for requests to AWS. Ex: https://sts.ap-southeast-2.amazonaws.com",
},
cli.StringSliceFlag{
Name: "gcp-kms",
Usage: "the GCP KMS Resource ID the new group should contain. Can be specified more than once",
Expand Down Expand Up @@ -572,7 +580,7 @@ func main() {
group = append(group, pgp.NewMasterKeyFromFingerprint(fp))
}
for _, arn := range kmsArns {
group = append(group, kms.NewMasterKeyFromArn(arn, kms.ParseKMSContext(c.String("encryption-context")), c.String("aws-profile")))
group = append(group, kms.NewMasterKeyFromArn(arn, kms.ParseKMSContext(c.String("encryption-context")), c.String("aws-profile"), c.String("aws-kms-endpoint"), c.String("aws-sts-endpoint")))
}
for _, kms := range gcpKmses {
group = append(group, gcpkms.NewMasterKeyFromResourceID(kms))
Expand Down Expand Up @@ -890,6 +898,14 @@ func main() {
Name: "aws-profile",
Usage: "The AWS profile to use for requests to AWS",
},
cli.StringFlag{
Name: "aws-kms-endpoint",
Usage: "The AWS KMS Endpoint to use for requests to AWS",
},
cli.StringFlag{
Name: "aws-sts-endpoint",
Usage: "The AWS STS Endpoint to use for requests to AWS",
},
cli.StringFlag{
Name: "gcp-kms",
Usage: "comma separated list of GCP KMS resource IDs",
Expand Down Expand Up @@ -1228,6 +1244,14 @@ func main() {
Name: "aws-profile",
Usage: "The AWS profile to use for requests to AWS",
},
cli.StringFlag{
Name: "aws-kms-endpoint",
Usage: "The AWS KMS Endpoint to use for requests to AWS",
},
cli.StringFlag{
Name: "aws-sts-endpoint",
Usage: "The AWS STS Endpoint to use for requests to AWS",
},
cli.StringFlag{
Name: "gcp-kms",
Usage: "comma separated list of GCP KMS resource IDs",
Expand Down Expand Up @@ -1602,6 +1626,14 @@ func main() {
Name: "aws-profile",
Usage: "The AWS profile to use for requests to AWS",
},
cli.StringFlag{
Name: "aws-kms-endpoint",
Usage: "The AWS KMS Endpoint to use for requests to AWS",
},
cli.StringFlag{
Name: "aws-sts-endpoint",
Usage: "The AWS STS Endpoint to use for requests to AWS",
},
cli.StringFlag{
Name: "gcp-kms",
Usage: "comma separated list of GCP KMS resource IDs",
Expand Down Expand Up @@ -2085,7 +2117,7 @@ func getEncryptConfig(c *cli.Context, fileName string) (encryptConfig, error) {

func getMasterKeys(c *cli.Context, kmsEncryptionContext map[string]*string, kmsOptionName string, pgpOptionName string, gcpKmsOptionName string, azureKvOptionName string, hcVaultTransitOptionName string, ageOptionName string) ([]keys.MasterKey, error) {
var masterKeys []keys.MasterKey
for _, k := range kms.MasterKeysFromArnString(c.String(kmsOptionName), kmsEncryptionContext, c.String("aws-profile")) {
for _, k := range kms.MasterKeysFromArnString(c.String(kmsOptionName), kmsEncryptionContext, c.String("aws-profile"), c.String("aws-kms-endpoint"), c.String("aws-sts-endpoint")) {
masterKeys = append(masterKeys, k)
}
for _, k := range pgp.MasterKeysFromFingerprintString(c.String(pgpOptionName)) {
Expand Down Expand Up @@ -2274,7 +2306,7 @@ func keyGroups(c *cli.Context, file string) ([]sops.KeyGroup, error) {
return nil, common.NewExitError("Invalid KMS encryption context format", codes.ErrorInvalidKMSEncryptionContextFormat)
}
if c.String("kms") != "" {
for _, k := range kms.MasterKeysFromArnString(c.String("kms"), kmsEncryptionContext, c.String("aws-profile")) {
for _, k := range kms.MasterKeysFromArnString(c.String("kms"), kmsEncryptionContext, c.String("aws-profile"), c.String("aws-kms-endpoint"), c.String("aws-sts-endpoint")) {
kmsKeys = append(kmsKeys, k)
}
}
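Review bot: The new `aws-kms-endpoint` and `aws-sts-endpoint` values are read with `c.String(...)` and handed straight to `kms.NewMasterKeyFromArn` and `kms.MasterKeysFromArnString` (the 580, 2117 and 2306 hunks) without any check, so a typo such as a missing scheme only surfaces as an SDK error deep inside an encrypt or decrypt, after signed KMS/STS traffic has already been sent to an unintended host. Parsing each value once with `net/url` and rejecting anything that is not an absolute URL (and, by default, anything other than `https`) would give a clear CLI error; I cannot see whether the `kms` package validates downstream. The four flag copies also disagree in wording, since only the first carries the example; I would use one text everywhere, e.g. `Usage: "The AWS KMS endpoint to use for requests to AWS, e.g. https://kms.ap-southeast-2.amazonaws.com",` with the STS counterpart, or hoist the two `cli.StringFlag` literals into a shared slice appended to each command's Flags. getMasterKeys and keyGroups continue outside their hunks.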
16 changes: 10 additions & 6 deletions config/config.go
Expand Up @@ -143,10 +143,12 @@ type gcpKmsKey struct {
}

type kmsKey struct {
Arn string `yaml:"arn"`
Role string `yaml:"role,omitempty"`
Context map[string]*string `yaml:"context"`
AwsProfile string `yaml:"aws_profile"`
Arn string `yaml:"arn"`
Role string `yaml:"role,omitempty"`
Context map[string]*string `yaml:"context"`
AwsProfile string `yaml:"aws_profile"`
AwsKmsEndpoint string `yaml:"aws_kms_endpoint"`
AwsStsEndpoint string `yaml:"aws_sts_endpoint"`
}

type azureKVKey struct {
Expand All @@ -173,6 +175,8 @@ type creationRule struct {
PathRegex string `yaml:"path_regex"`
KMS string
AwsProfile string `yaml:"aws_profile"`
AwsKmsEndpoint string `yaml:"aws_kms_endpoint"`
AwsStsEndpoint string `yaml:"aws_sts_endpoint"`
Age string `yaml:"age"`
PGP string
GCPKMS string `yaml:"gcp_kms"`
Expand Down Expand Up @@ -261,7 +265,7 @@ func extractMasterKeys(group keyGroup) (sops.KeyGroup, error) {
keyGroup = append(keyGroup, pgp.NewMasterKeyFromFingerprint(k))
}
for _, k := range group.KMS {
keyGroup = append(keyGroup, kms.NewMasterKeyWithProfile(k.Arn, k.Role, k.Context, k.AwsProfile))
keyGroup = append(keyGroup, kms.NewMasterKeyWithProfile(k.Arn, k.Role, k.Context, k.AwsProfile, k.AwsKmsEndpoint, k.AwsStsEndpoint))
}
for _, k := range group.GCPKMS {
keyGroup = append(keyGroup, gcpkms.NewMasterKeyFromResourceID(k.ResourceID))
Expand Down Expand Up @@ -304,7 +308,7 @@ func getKeyGroupsFromCreationRule(cRule *creationRule, kmsEncryptionContext map[
for _, k := range pgp.MasterKeysFromFingerprintString(cRule.PGP) {
keyGroup = append(keyGroup, k)
}
for _, k := range kms.MasterKeysFromArnString(cRule.KMS, kmsEncryptionContext, cRule.AwsProfile) {
for _, k := range kms.MasterKeysFromArnString(cRule.KMS, kmsEncryptionContext, cRule.AwsProfile, cRule.AwsKmsEndpoint, cRule.AwsStsEndpoint) {
keyGroup = append(keyGroup, k)
}
for _, k := range gcpkms.MasterKeysFromResourceIDString(cRule.GCPKMS) {
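Review bot: `AwsKmsEndpoint` and `AwsStsEndpoint` on `kmsKey` and `creationRule` carry no comment, and since they are now part of `.sops.yaml` a reader needs to know what an empty value means; I would add `// AwsKmsEndpoint optionally overrides the AWS KMS service endpoint (full URL); empty presumably keeps the SDK default — confirm against kms.MasterKey.` and the STS twin. Because a creation rule can now steer where the KMS and STS requests for a file are sent, the user documentation should state that `.sops.yaml` is trusted configuration, in the same way the existing `aws_profile` is. The calls in the 265 and 308 hunks pass the two endpoints as adjacent positional strings, so a transposition compiles and only fails at runtime; a small options struct or named constructor parameters would be safer, though that change belongs in the `kms` package outside this section. extractMasterKeys and getKeyGroupsFromCreationRule continue outside their hunks.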
124 changes: 73 additions & 51 deletions keyservice/keyservice.pb.go
This file is automatically generated, you should not manually modify it, but instead modify the protobuf definition and re-generate it. Right now protobuf regeneration doesn't work (see #1576) though, but I hope that will get fixed soon.

@anandavj anandavj Dec 1, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for the review, I've modified the protobuf definition and re-generated it
I used the #1688 makefile but I won't include it in this PR as it's already covered in another PR


2 changes: 2 additions & 0 deletions keyservice/keyservice.proto
Expand Up @@ -22,6 +22,8 @@ message KmsKey {
string role = 2;
map<string, string> context = 3;
string aws_profile = 4;
string aws_kms_endpoint = 5;
string aws_sts_endpoint = 6;
}

message GcpKmsKey {
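Review bot: Fields 5 and 6 are appended with fresh numbers, which keeps the wire format compatible, but nothing records that a key service built before these fields existed will drop them as unknown fields and fall back to its default endpoints, so a client that sets an override and talks to a pre-upgrade server gets no error and no override. I would document that at the field, e.g. `// Optional endpoint overrides; servers built before these fields existed ignore them and use the SDK default.` above `string aws_kms_endpoint = 5;`, and consider having the server log when it honours a non-empty override so the behaviour is observable on both sides.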
2 changes: 2 additions & 0 deletions keyservice/server.go
Expand Up @@ -323,5 +323,7 @@ func kmsKeyToMasterKey(key *KmsKey) kms.MasterKey {
Role: key.Role,
EncryptionContext: ctx,
AwsProfile: key.AwsProfile,
AwsKmsEndpoint: key.AwsKmsEndpoint,
AwsStsEndpoint: key.AwsStsEndpoint,
}
}
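Review bot: `kmsKeyToMasterKey` now copies `key.AwsKmsEndpoint` and `key.AwsStsEndpoint` from the request into the `kms.MasterKey`, so the hosts the key service's own KMS and STS calls are signed for and sent to are chosen by whichever client sent the request. If the key service is ever reachable from less-trusted clients that is a new trust decision the server makes on the caller's behalf; I would gate it behind a server-side opt-in or allowlist, or at least validate that a non-empty value is an absolute `https` URL and log it. The function begins outside the hunk, and I cannot see whether the server already restricts who may connect.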