Error when trying to decrypt message #2

Closed
petems opened this issue Sep 28, 2016 · 5 comments

Comments

@petems

petems commented Sep 28, 2016

How do I provide credentials to decrypt a message?

When I encrypt, I can provide them on the command line:

AWS_ACCESS_KEY_ID=REDACTED AWS_SECRET_ACCESS_KEY=REDACTED /opt/puppetlabs/puppet/bin/eyaml encrypt -l 'message' -s 'hello there'
[hiera-eyaml-core] Loaded config from /etc/eyaml/config.yaml
message: ENC[KMS,AQECAHj3yIvGBIAsLWZnpwx/lseeWRWW1gf52/S4+h2vKOig6wAAAGkwZwYJKoZIhvcNAQcGoFowWAIBADBTBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDDzD+gXEbccCezPnCgIBEIAmpbU8o4fDPxUCOQ/avY+uwoH+zLSsLh2bqUnvf3uImw8OxRhTKWY=]

OR

message: >
    ENC[KMS,AQECAHj3yIvGBIAsLWZnpwx/lseeWRWW1gf52/S4+h2vKOig6wAAAGkwZwYJ
    KoZIhvcNAQcGoFowWAIBADBTBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEE
    DDzD+gXEbccCezPnCgIBEIAmpbU8o4fDPxUCOQ/avY+uwoH+zLSsLh2bqUnv
    f3uImw8OxRhTKWY=]

But this doesn't work (nor is it practical) for agent runs.

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Evaluation Error: Error while evaluating a Function Call, unable to sign request without credentials set at /etc/puppetlabs/code/environments/production/site/profile/manifests/eyaml_notify.pp:2:20 on node pe-201621-master.puppetdebug.vlan
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

class profile::eyaml_notify {
  $eyaml_message = hiera('encrypted_message', 'Eyaml not setup yet')

  notify{$eyaml_message:}
}

---
encrypt_method: 'KMS'
kms_key_id: REDACTED
kms_aws_region: 'eu-west-1'
# managed by puppet

---
:backends:
  - yaml
  - eyaml

:logger: console

:hierarchy:
  - common
  - eyaml_common

:eyaml:
  :datadir: /etc/puppetlabs/code/environments/%{environment}/hieradata
  :encrypt_method: 'KMS'
  :kms_key_id: REDACTED
  :kms_aws_region: 'eu-west-1'

:yaml:
  :datadir: /etc/puppetlabs/code/environments/%{environment}/hieradata

@adenot
Owner

adenot commented Sep 30, 2016

@petems, the recommended way to pass the credentials is using IAM Instance Roles on your EC2 machine. The credentials will be available system-wide.
If you cannot set an instance role, you need to set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables on the system before/during running Puppet.
You can set them in Puppet using: Exec { environment => [ "foo=$bar" ] } or set them system-wide in /etc/environment.

@petems
Author

petems commented Sep 30, 2016

@adenot Do they have to be stored in the ENV? Anyone logging into the machine would be able to see them in the environment.

Can't they be read from ~/.aws/credentials, as documented in http://blogs.aws.amazon.com/security/post/Tx3D6U6WSFGOK2H/A-New-and-Standardized-Way-to-Manage-Credentials-in-the-AWS-SDKs?

Would you accept a PR to be able to set the API credentials in a config file?

@adenot
Owner

adenot commented Oct 1, 2016

I believe if you set the environment using Puppet it wouldn't be available system-wide, only for the Puppet run.

Using ~/.aws/credentials should work as hiera-eyaml-kms uses the official Ruby AWS SDK.

@adenot adenot closed this as completed Oct 5, 2016
@petems
Author

petems commented Nov 11, 2016

@adenot Can you give an example or point to the docs on how to set an IAM role for the Puppet master which would have permissions to the key?

@adenot
Owner

adenot commented Nov 11, 2016

This will allow encrypting and decrypting with a specific key:

{
    "PolicyVersion": {
        "CreateDate": "2015-08-25T04:57:22Z",
        "VersionId": "v3",
        "Document": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": [
                        "kms:Decrypt",
                        "kms:Encrypt"
                    ],
                    "Resource": [
                        "PUT YOUR KMS KEY ARN HERE"
                    ],
                    "Effect": "Allow",
                    "Sid": "Stmt1438061110000"
                }
            ]
        },
        "IsDefaultVersion": true
    }
}

For more information: http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
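One way to verify that a role policy like the one above stays within least privilege (only kms:Encrypt/kms:Decrypt, only on an explicit key ARN, never `kms:*` on `*`), as an added example in Ruby (the language hiera-eyaml-kms is written in) that is not part of this thread or of the project; the key ARN and the permissive contrast policy are constructed placeholders:

```ruby
require 'json'
# Constructed sample: the policy document from the comment above, in the shape
# `aws iam get-policy-version` prints it, with a made-up key ARN filling in the
# "PUT YOUR KMS KEY ARN HERE" placeholder (not a real key).
SAMPLE_POLICY = <<~JSON
  {
    "PolicyVersion": {
      "Document": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "Stmt1438061110000",
            "Effect": "Allow",
            "Action": ["kms:Decrypt", "kms:Encrypt"],
            "Resource": ["arn:aws:kms:eu-west-1:123456789012:key/0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b"]
          }
        ]
      }
    }
  }
JSON

# The only KMS actions eyaml needs: Encrypt when writing values, Decrypt when reading them.
ALLOWED_ACTIONS = %w[kms:Encrypt kms:Decrypt].freeze
# A single key ARN: no wildcards, no alias, no account-wide "*".
KEY_ARN = %r{\Aarn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]+\z}

# Returns an array of findings; empty means every Allow statement grants only
# Encrypt/Decrypt on explicit key ARNs. Accepts the bare document or the wrapper.
def check_kms_policy(json)
  doc = JSON.parse(json)
  doc = doc['PolicyVersion']['Document'] if doc.key?('PolicyVersion')
  findings = []
  Array(doc['Statement']).each do |st|
    next unless st['Effect'] == 'Allow'
    sid = st['Sid'] || '(no Sid)'
    Array(st['Action']).each do |a|
      findings << "#{sid}: action #{a} is broader than kms:Encrypt/kms:Decrypt" unless ALLOWED_ACTIONS.include?(a)
    end
    Array(st['Resource']).each do |r|
      findings << "#{sid}: resource #{r} is not a single KMS key ARN" unless KEY_ARN.match?(r.to_s)
    end
  end
  findings
end

# Constructed contrast: a permissive policy (kms:* on *) that the check should flag twice.
LOOSE_POLICY = '{"Version":"2012-10-17","Statement":[{"Sid":"Loose","Effect":"Allow","Action":"kms:*","Resource":"*"}]}'
```

Run `check_kms_policy` against the output of `aws iam get-policy-version` for the role attached to the Puppet master; any non-empty result points at a statement that grants more than eyaml needs.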
