support --kms, --aws-profile options when decrypting #471
Comments
I think what you're saying is somewhat similar in scope to #305. Does the workaround suggested there work for you?

@autrilla In my case, KMS ignorance is not so important so that
I think this is distinct. We've got a similar issue. We have users that encrypt data on their local machines using one AWS role and the CI server which will decrypt using a different AWS role. The idiomatic way to do this in sops seems to be the following in the

The issue is, the CI server cannot assume the

@ChrisCooney Could you use the KMS key ARN without including the role? Would require authing to the AWS role out of band of sops, but would solve your problem.

That is our present workaround, but without the role there are like five AWS environment variables that need to be set. This is mitigated by engineers passing around scripts they've bundled together to set the correct environment variables, but it is quite undesirable. The simple ability to override the role at runtime would be far more preferable and create a much better user journey.
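The thread above turns on the role suffix in a sops creation rule's `kms:` field: an entry pins a KMS key ARN to an IAM role with `+`, and a CI runner that cannot assume that role fails to decrypt. The following is an added example (not code from the sops project or from anyone in this thread) that parses the documented `kms:` format, lists the roles a config hardcodes, and rebuilds the field without them, which is the workaround suggested in the reply above. The account id, key ids and role name in the sample are constructed placeholders.

```python
"""Inspect the `kms:` entries of a sops creation rule.

Added example, not sops project code. It assumes the sops-documented
`kms` field format: a comma-separated list of KMS key ARNs, each optionally
followed by `+` and the ARN of an IAM role sops should assume before
calling KMS.
"""
from typing import List, NamedTuple, Optional


class KmsEntry(NamedTuple):
    key_arn: str
    role_arn: Optional[str]


def parse_kms_field(value: str) -> List[KmsEntry]:
    """Split a sops `kms:` string into (key ARN, role ARN or None) pairs."""
    entries: List[KmsEntry] = []
    for raw in value.split(","):
        raw = raw.strip()
        if not raw:
            continue
        key_arn, _, role_arn = raw.partition("+")
        if not key_arn.startswith("arn:aws:kms:"):
            raise ValueError(f"not a KMS key ARN: {key_arn!r}")
        if role_arn and not role_arn.startswith("arn:aws:iam::"):
            raise ValueError(f"not an IAM role ARN: {role_arn!r}")
        entries.append(KmsEntry(key_arn, role_arn or None))
    return entries


def hardcoded_roles(value: str) -> List[str]:
    """Role ARNs pinned in the config; a CI runner must be able to assume each of these."""
    return [e.role_arn for e in parse_kms_field(value) if e.role_arn]


def strip_roles(value: str) -> str:
    """Rebuild the `kms:` value with every `+role` suffix removed, so credential
    selection is left to the caller's environment instead of the config."""
    return ",".join(e.key_arn for e in parse_kms_field(value))


# Constructed sample in the sops `kms:` format; account id, key ids and role are placeholders.
SAMPLE_KMS = (
    "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000"
    "+arn:aws:iam::111111111111:role/sops-dev,"
    "arn:aws:kms:eu-west-1:111111111111:key/00000000-0000-0000-0000-000000000001"
)

if __name__ == "__main__":
    for entry in parse_kms_field(SAMPLE_KMS):
        print(entry)
    print("roles pinned in config:", hardcoded_roles(SAMPLE_KMS))
    print("role-free kms field:", strip_roles(SAMPLE_KMS))
```

Running `hardcoded_roles` over a checked-in `.sops.yaml` before a pipeline step is a cheap way to surface the mismatch described above at review time rather than at decrypt time.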
So we've found a slightly easier way of handling this that we're going with for the time being. It was found by a few engineers that I work with. If you export the following env vars:

Sops will encrypt and decrypt using that role and your config doesn't need to change. This is a much nicer workaround than manually authing all the time.

This definitely needs a patch. CD environments shouldn't assume any other role besides their own and probably hardcoding Taking a look at the code right now, will take a stab at it 👍
I think that options should be passed when decrypting like

But this proposal may not be appropriate for this project. What do you think about it?