getsops · anandavj · Nov 19, 2024 · Nov 18, 2024 · Nov 18, 2024 · Nov 25, 2024
diff --git a/cmd/sops/main.go b/cmd/sops/main.go
@@ -501,6 +501,14 @@ func main() {
 							Name:  "aws-profile",
 							Usage: "The AWS profile to use for requests to AWS",
 						},
+						cli.StringFlag{
+							Name:  "aws-kms-endpoint",
+							Usage: "The AWS KMS Endpoint to use for requests to AWS. Ex: https://kms.ap-southeast-2.amazonaws.com",
+						},
+						cli.StringFlag{
+							Name:  "aws-sts-endpoint",
+							Usage: "The AWS STS Endpoint to use for requests to AWS. Ex: https://sts.ap-southeast-2.amazonaws.com",
+						},
 						cli.StringSliceFlag{
 							Name:  "gcp-kms",
 							Usage: "the GCP KMS Resource ID the new group should contain. Can be specified more than once",
@@ -545,7 +553,7 @@ func main() {
 							group = append(group, pgp.NewMasterKeyFromFingerprint(fp))
 						}
 						for _, arn := range kmsArns {
-							group = append(group, kms.NewMasterKeyFromArn(arn, kms.ParseKMSContext(c.String("encryption-context")), c.String("aws-profile")))
+							group = append(group, kms.NewMasterKeyFromArn(arn, kms.ParseKMSContext(c.String("encryption-context")), c.String("aws-profile"), c.String("aws-kms-endpoint"), c.String("aws-sts-endpoint")))
 						}
 						for _, kms := range gcpKmses {
 							group = append(group, gcpkms.NewMasterKeyFromResourceID(kms))
@@ -852,6 +860,14 @@ func main() {
 					Name:  "aws-profile",
 					Usage: "The AWS profile to use for requests to AWS",
 				},
+				cli.StringFlag{
+					Name:  "aws-kms-endpoint",
+					Usage: "The AWS KMS Endpoint to use for requests to AWS",
+				},
+				cli.StringFlag{
+					Name:  "aws-sts-endpoint",
+					Usage: "The AWS STS Endpoint to use for requests to AWS",
+				},
 				cli.StringFlag{
 					Name:   "gcp-kms",
 					Usage:  "comma separated list of GCP KMS resource IDs",
@@ -1169,6 +1185,14 @@ func main() {
 					Name:  "aws-profile",
 					Usage: "The AWS profile to use for requests to AWS",
 				},
+				cli.StringFlag{
+					Name:  "aws-kms-endpoint",
+					Usage: "The AWS KMS Endpoint to use for requests to AWS",
+				},
+				cli.StringFlag{
+					Name:  "aws-sts-endpoint",
+					Usage: "The AWS STS Endpoint to use for requests to AWS",
+				},
 				cli.StringFlag{
 					Name:   "gcp-kms",
 					Usage:  "comma separated list of GCP KMS resource IDs",
@@ -1529,6 +1553,14 @@ func main() {
 			Name:  "aws-profile",
 			Usage: "The AWS profile to use for requests to AWS",
 		},
+		cli.StringFlag{
+			Name:  "aws-kms-endpoint",
+			Usage: "The AWS KMS Endpoint to use for requests to AWS",
+		},
+		cli.StringFlag{
+			Name:  "aws-sts-endpoint",
+			Usage: "The AWS STS Endpoint to use for requests to AWS",
+		},
 		cli.StringFlag{
 			Name:   "gcp-kms",
 			Usage:  "comma separated list of GCP KMS resource IDs",
@@ -2006,7 +2038,7 @@ func getEncryptConfig(c *cli.Context, fileName string) (encryptConfig, error) {
 
 func getMasterKeys(c *cli.Context, kmsEncryptionContext map[string]*string, kmsOptionName string, pgpOptionName string, gcpKmsOptionName string, azureKvOptionName string, hcVaultTransitOptionName string, ageOptionName string) ([]keys.MasterKey, error) {
 	var masterKeys []keys.MasterKey
-	for _, k := range kms.MasterKeysFromArnString(c.String(kmsOptionName), kmsEncryptionContext, c.String("aws-profile")) {
+	for _, k := range kms.MasterKeysFromArnString(c.String(kmsOptionName), kmsEncryptionContext, c.String("aws-profile"), c.String("aws-kms-endpoint"), c.String("aws-sts-endpoint")) {
 		masterKeys = append(masterKeys, k)
 	}
 	for _, k := range pgp.MasterKeysFromFingerprintString(c.String(pgpOptionName)) {
@@ -2185,7 +2217,7 @@ func keyGroups(c *cli.Context, file string) ([]sops.KeyGroup, error) {
 		return nil, common.NewExitError("Invalid KMS encryption context format", codes.ErrorInvalidKMSEncryptionContextFormat)
 	}
 	if c.String("kms") != "" {
-		for _, k := range kms.MasterKeysFromArnString(c.String("kms"), kmsEncryptionContext, c.String("aws-profile")) {
+		for _, k := range kms.MasterKeysFromArnString(c.String("kms"), kmsEncryptionContext, c.String("aws-profile"), c.String("aws-kms-endpoint"), c.String("aws-sts-endpoint")) {
 			kmsKeys = append(kmsKeys, k)
 		}
 	}

diff --git a/config/config.go b/config/config.go
@@ -100,10 +100,12 @@ type gcpKmsKey struct {
 }
 
 type kmsKey struct {
-	Arn        string             `yaml:"arn"`
-	Role       string             `yaml:"role,omitempty"`
-	Context    map[string]*string `yaml:"context"`
-	AwsProfile string             `yaml:"aws_profile"`
+	Arn            string             `yaml:"arn"`
+	Role           string             `yaml:"role,omitempty"`
+	Context        map[string]*string `yaml:"context"`
+	AwsProfile     string             `yaml:"aws_profile"`
+	AwsKmsEndpoint string             `yaml:"aws_kms_endpoint"`
+	AwsStsEndpoint string             `yaml:"aws_sts_endpoint"`
 }
 
 type azureKVKey struct {
@@ -130,6 +132,8 @@ type creationRule struct {
 	PathRegex               string `yaml:"path_regex"`
 	KMS                     string
 	AwsProfile              string `yaml:"aws_profile"`
+	AwsKmsEndpoint          string `yaml:"aws_kms_endpoint"`
+	AwsStsEndpoint          string `yaml:"aws_sts_endpoint"`
 	Age                     string `yaml:"age"`
 	PGP                     string
 	GCPKMS                  string     `yaml:"gcp_kms"`
@@ -218,7 +222,7 @@ func extractMasterKeys(group keyGroup) (sops.KeyGroup, error) {
 		keyGroup = append(keyGroup, pgp.NewMasterKeyFromFingerprint(k))
 	}
 	for _, k := range group.KMS {
-		keyGroup = append(keyGroup, kms.NewMasterKeyWithProfile(k.Arn, k.Role, k.Context, k.AwsProfile))
+		keyGroup = append(keyGroup, kms.NewMasterKeyWithProfile(k.Arn, k.Role, k.Context, k.AwsProfile, k.AwsKmsEndpoint, k.AwsStsEndpoint))
 	}
 	for _, k := range group.GCPKMS {
 		keyGroup = append(keyGroup, gcpkms.NewMasterKeyFromResourceID(k.ResourceID))
@@ -261,7 +265,7 @@ func getKeyGroupsFromCreationRule(cRule *creationRule, kmsEncryptionContext map[
 		for _, k := range pgp.MasterKeysFromFingerprintString(cRule.PGP) {
 			keyGroup = append(keyGroup, k)
 		}
-		for _, k := range kms.MasterKeysFromArnString(cRule.KMS, kmsEncryptionContext, cRule.AwsProfile) {
+		for _, k := range kms.MasterKeysFromArnString(cRule.KMS, kmsEncryptionContext, cRule.AwsProfile, cRule.AwsKmsEndpoint, cRule.AwsStsEndpoint) {
 			keyGroup = append(keyGroup, k)
 		}
 		for _, k := range gcpkms.MasterKeysFromResourceIDString(cRule.GCPKMS) {

diff --git a/keyservice/keyservice.go b/keyservice/keyservice.go
@@ -53,10 +53,12 @@ func KeyFromMasterKey(mk keys.MasterKey) Key {
 		return Key{
 			KeyType: &Key_KmsKey{
 				KmsKey: &KmsKey{
-					Arn:        mk.Arn,
-					Role:       mk.Role,
-					Context:    ctx,
-					AwsProfile: mk.AwsProfile,
+					Arn:            mk.Arn,
+					Role:           mk.Role,
+					Context:        ctx,
+					AwsProfile:     mk.AwsProfile,
+					AwsKmsEndpoint: mk.AwsKmsEndpoint,
+					AwsStsEndpoint: mk.AwsStsEndpoint,
 				},
 			},
 		}

diff --git a/keyservice/keyservice.pb.go b/keyservice/keyservice.pb.go
diff --git a/keyservice/keyservice.proto b/keyservice/keyservice.proto
@@ -22,6 +22,8 @@ message KmsKey {
 	string role = 2;
 	map<string, string> context = 3;
 	string aws_profile = 4;
+	string aws_kms_endpoint = 5;
+	string aws_sts_endpoint = 6;
 }
 
 message GcpKmsKey {

diff --git a/keyservice/server.go b/keyservice/server.go
@@ -323,5 +323,7 @@ func kmsKeyToMasterKey(key *KmsKey) kms.MasterKey {
 		Role:              key.Role,
 		EncryptionContext: ctx,
 		AwsProfile:        key.AwsProfile,
+		AwsKmsEndpoint:    key.AwsKmsEndpoint,
+		AwsStsEndpoint:    key.AwsStsEndpoint,
 	}
 }