davidfm

Reputation: 199

SOPS won't decrypt a file if encrypted with an AssumedRole (and trying to decrypt without it using the same key)

I'm looking into SOPS as a possible solution for us to encrypt secrets and push them to our repo.

I've been playing around with it and it's exactly what I need, except for a small issue. I'm hoping this is me just not finding the right documentation.

For the sake of simplicity let's say we have 2 AWS accounts, A and B.

In account A we've got:

In account B:

To encrypt a file with my local user I'm doing:

sops --kms arnofthekey -e -i filename.yaml

And to decrypt it:

sops --kms arnofthekey -d -i filename.yaml

Works like a charm.

If I do it as my Jenkins user:

sops --kms arnOfTheKey+arnOfTheRole -e -i filename.yaml
sops --kms arnOfTheKey+arnOfTheRole -d -i filename.yaml

Everything works like a charm as long as I encrypt/decrypt in the same place.

I then tried to encrypt with Jenkins and decrypt locally. I got an error informing me I'm not allowed to assume the role Jenkins used. Which is absolutely true.

Here's what I don't understand: the KMS key is the same one in both cases. However, I can see the encrypted file keeps a record of the role. I thought since the key is the same, this should work.

Is there some sort of configuration I'm missing?

Thanks!

Upvotes: 0

Views: 2919

Answers (1)

davidfm

Reputation: 199

Digging a bit more I found an open ticket from a year ago. I guess, at the moment, this is something that can't be done directly with sops.

https://github.com/mozilla/sops/issues/555

The solution I found was allowing my human users to assume the same role Jenkins does. Should've thought about it earlier :)

Upvotes: 0
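The behaviour described in the question (the `sops` metadata records the role next to the key ARN, and a caller who cannot assume that role cannot use that entry even with access to the same key) and the answer's workaround (let the human users assume the same role) can be checked offline against the file's metadata. The following is an added example, not code from the question or from sops itself; the metadata document, key and role ARNs are constructed placeholders, and `assumable_roles` stands in for whatever the caller's IAM identity is actually permitted to assume.

```python
import json
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample of the `sops` block that sops appends to an encrypted JSON/YAML
# file. Each `kms` entry is one copy of the data key, wrapped with the listed KMS key;
# `role` is only present when the entry was created as arn+role (the Jenkins case).
SAMPLE_DOC = json.dumps({
    "db_password": "ENC[AES256_GCM,data:PLACEHOLDER,type:str]",
    "sops": {
        "kms": [
            {"arn": "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID",
             "role": "arn:aws:iam::111122223333:role/JenkinsSopsRole",
             "created_at": "2019-01-01T00:00:00Z",
             "enc": "PLACEHOLDER-WRAPPED-DATA-KEY"},
        ],
        "version": "3.2.0",
    },
})


@dataclass(frozen=True)
class KmsEntry:
    arn: str
    role: Optional[str]  # None when the entry was created without "+role"


def kms_entries(doc: str) -> List[KmsEntry]:
    """Parse the sops.kms entries out of an encrypted JSON document."""
    meta = json.loads(doc).get("sops", {})
    return [KmsEntry(e["arn"], e.get("role") or None) for e in meta.get("kms", [])]


def decryptable_entries(entries: List[KmsEntry], assumable_roles: Set[str]) -> List[KmsEntry]:
    """Entries the caller can actually use. A role-less entry needs only kms:Decrypt
    on the key; a role-bearing entry is unwrapped *after* sts:AssumeRole on that
    role, so a principal that cannot assume it fails even if it may use the key."""
    return [e for e in entries if e.role is None or e.role in assumable_roles]


def can_decrypt(doc: str, assumable_roles: Set[str]) -> bool:
    """True if at least one recorded data-key copy is reachable for this caller."""
    return bool(decryptable_entries(kms_entries(doc), assumable_roles))


if __name__ == "__main__":
    for roles in (set(), {"arn:aws:iam::111122223333:role/JenkinsSopsRole"}):
        print(sorted(roles) or "no assumable roles", "->", can_decrypt(SAMPLE_DOC, roles))
```

Running it prints `False` for a caller with no assumable roles (the local user in the question) and `True` once that caller may assume the recorded role (the answer's fix).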
