
SOPS collection doesn't see environment variables set with Ansible environment keyword at the task level. #46

Closed
ckarwicki opened this issue Jan 7, 2021 · 8 comments · Fixed by #47

Comments

@ckarwicki

SUMMARY

SOPS collection doesn't see environment variables set with Ansible environment keyword at the task level.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

community.sops.load_vars

ANSIBLE VERSION
ansible 2.9.9
  config file = None
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/opt/ansible/lib/python3.6/site-packages/ansible
  executable location = /bin/ansible
  python version = 3.6.8 (default, Nov 16 2020, 16:55:22) [GCC 4.8.5 20150623 (Red Hat 4.8.5-44)]
CONFIGURATION

OS / ENVIRONMENT

CentOS Linux 7 (Core), Linux 3.10.0-1127.10.1.el7.x86_64

STEPS TO REPRODUCE

A role with a community.sops.load_vars task and the environment keyword.

- name: Load SOPS Secrets.
  environment:
    AWS_ACCESS_KEY_ID: "{{ AWS_ACCESS_KEY_ID }}"
    AWS_SECRET_ACCESS_KEY: "{{ AWS_SECRET_ACCESS_KEY }}"
  community.sops.load_vars:
    file: "roles/my-role/dev-secrets.yml"
EXPECTED RESULTS

community.sops.load_vars should use the provided environment variables and decrypt the secret with the KMS key.

ACTUAL RESULTS

community.sops.load_vars throws an error that access to the key is denied. However, the same task works if ~/.aws/credentials is present:
[default]
aws_access_key_id=<>
aws_secret_access_key=<>
So it looks like community.sops.load_vars cannot see environment variables set with the environment keyword. The sops executable works with environment variables:
AWS_ACCESS_KEY_ID=<> AWS_SECRET_ACCESS_KEY=<> sops --kms "arn:aws:kms:..." -d roles/my-role/dev-secrets.yml

task path: /tmp/ansible-pull-common/roles/my-role/tasks/main.yml:41
fatal: [test.us-east-1.dev.in]: FAILED! => {"changed": false, "message": "error with file /tmp/ansible-pull-common/roles/my-role/vars/dev-secrets.yml: CouldNotRetrieveKey exited with code 128: Failed to get the data key required to decrypt the SOPS file.\n\nGroup 0: FAILED\n  arn:aws:kms:...: FAILED\n    - | Error decrypting key: AccessDeniedException: The ciphertext\n      | refers to a customer master key that does not exist, does\n      | not exist in this region, or you are not allowed to access.\n      | \tstatus code: 400, request id:\n      | 9c8b4a35-115d-4f64-9685-b86d47e8a66a\n\nRecovery failed because no master key was able to decrypt the file. In\norder for SOPS to recover the file, at least one key has to be successful,\nbut none were.\n"}
@felixfontein
Collaborator

load_vars is an action plugin, not a module. Environment variables are passed to the remote node when executing a module, they are not processed by the controller (which executes the action plugin). I'm not sure there is any way to work around this.

@ckarwicki
Author

ckarwicki commented Jan 7, 2021

Thanks. Would the plugin work with EC2 attached role if our controller is the EC2 host on which we execute Ansible playbook and try to decrypt secret with a role? Or would it still expect profile with keys in ~/.aws/credentials?

sops:
  kms:
    - arn: arn:aws:kms:us-east-1:656532927350:key/920aff2e-c5f1-4040-943a-047fa387b27e
      role: arn:aws:iam::927034868273:role/sops-dev-xyz

@felixfontein
Collaborator

Right now you either need to set the env variables before running ansible-playbook, or you need to use the other configuration methods available in sops.

I've discussed this a bit on #ansible-devel, the best resolution is probably to add module options for all sops configurations and pass them on to the sops call. I'll work on that soon, but not today :)
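As an added example (not code from the community.sops collection or from #47), a controller-side Python wrapper that does what the two comments above describe: it merges the task-level environment into the environment of the sops subprocess itself, since Ansible applies `environment:` only to remote module execution, and it classifies the failure text quoted in the issue. `build_sops_env`, `decrypt_with_sops`, the injectable `runner` and the constructed `SAMPLE_SOPS_STDERR` are all assumptions of this example.

```python
import os
import subprocess
from typing import Callable, Mapping, Optional

# Constructed, abbreviated copy of the sops stderr quoted in the issue (no real IDs).
SAMPLE_SOPS_STDERR = (
    "Failed to get the data key required to decrypt the SOPS file.\n\n"
    "Group 0: FAILED\n  arn:aws:kms:...: FAILED\n"
    "    - | Error decrypting key: AccessDeniedException: The ciphertext\n"
    "      | refers to a customer master key that does not exist\n\n"
    "Recovery failed because no master key was able to decrypt the file.\n"
)


def build_sops_env(task_env: Mapping[str, str],
                   base_env: Optional[Mapping[str, str]] = None) -> dict:
    """Controller environment plus the task-level `environment:` values.

    Ansible applies `environment:` only to modules run on the remote node, so an
    action plugin that shells out to sops on the controller must merge it itself;
    task values win over the controller's own variables.
    """
    env = dict(os.environ if base_env is None else base_env)
    env.update({k: str(v) for k, v in task_env.items()})
    return env


def classify_sops_error(stderr: str) -> str:
    """Map sops failure text to a short, log-safe diagnosis (no secrets involved)."""
    if "AccessDeniedException" in stderr:
        return "kms-access-denied"   # credentials reached KMS but may not use the key
    if "no master key was able to decrypt" in stderr:
        return "no-master-key"       # no configured key group could unwrap the data key
    return "other"


def decrypt_with_sops(path: str, task_env: Mapping[str, str],
                      runner: Callable = subprocess.run,
                      base_env: Optional[Mapping[str, str]] = None) -> dict:
    """Run `sops -d PATH` on the controller with the forwarded environment.

    `runner` is injectable so the flow can be exercised without a sops binary;
    only sops' own stderr is classified, the forwarded credential values are
    never returned or logged.
    """
    proc = runner(["sops", "-d", path], env=build_sops_env(task_env, base_env),
                  capture_output=True, text=True)
    if proc.returncode != 0:
        return {"ok": False, "reason": classify_sops_error(proc.stderr)}
    return {"ok": True, "output": proc.stdout}
```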

@ckarwicki
Author

Thanks for getting back. This would be a very nice feature. For the time being I will go with an AWS profile as I know it is working.

@felixfontein
Collaborator

Your problem should be solved by #47.

@endorama
Collaborator

Hello @ckarwicki, looking at your question

Thanks. Would the plugin work with EC2 attached role if our controller is the EC2 host on which we execute Ansible playbook and try to decrypt secret with a role? Or would it still expect profile with keys in ~/.aws/credentials?

I would say it works out of the box, as confirmed in this mozilla/sops issue. Please note that there are some issues related to decrypting with AWS profiles and roles (see getsops/sops#474 and getsops/sops#634).

@ckarwicki
Author

Thanks. It is very helpful. Also, I found that when the host assumes a role that has access to KMS, then the sops plugin can just be executed from it and it will have access to KMS; you don't need to provide AWS keys in environment variables or in an AWS profile. sops takes them from the STS credentials the host gets when it assumes the role.

@endorama
Collaborator

I would close this as solved; work on #47 will continue.
