Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

path_regex is matching on relative path of working directory only #465

Closed
kentso opened this issue May 15, 2019 · 4 comments
Closed

path_regex is matching on relative path of working directory only #465

kentso opened this issue May 15, 2019 · 4 comments

Comments

@kentso
Copy link
Contributor

kentso commented May 15, 2019

I have such set up in .sops.yaml which is located in the project root:

creation_rules:
    - path_regex: .*staging.*
      key_groups:
      - kms:
        - arn: 'arn:aws:kms:*:**:key/aa'
          role: arn:aws:iam::**:role/staging-role
          context:
            Environment: staging

    - path_regex: .*production.*
      key_groups:
      - kms:
        - arn: 'arn:aws:kms:*:**:key/aa'
          role: arn:aws:iam::**:role/production-role
          context:
            Environment: production

    - kms: 'arn:aws:kms:*:**:key/bb'

When I try to encrypt my secret

  • current working director: <project_root>/asia/production/a/b/c/
  • command: sops secrets.enc.yaml

The encrypted file did not use the expected rule for production, instead it used the fallback rule which is using kms key arn:aws:kms:*:**:key/bb.

To make this work, I need to specify the matching regex part in the path like this:

  • current working director: <project_root>/asia/production/a/b/c/
  • command: sops ../../../../production/a/b/c/secrets.enc.yaml

or

  • current working director: <project_root>/
  • command: sops asia/production/a/b/c/secrets.enc.yaml

i.e. production must be in the path passing to sops.

There is no extra explanation in README saying what path path_regex is matching to.
https://github.com/mozilla/sops#using-sops-yaml-conf-to-select-kms-pgp-for-new-files

I am expecting path_regex with be matching the path starting from the .sops.yaml it belongs to. Then my first case will work as expected.

PS. I have not tested but I think it is possible to create a .sops.yaml under every environment (e.g. /asia/prodcution/.sops.yaml, /eu/staging/.sops.yaml) to achieve what I want to do. However it will be tedious as the environment combination can grow large.
@autrilla
Copy link
Contributor

autrilla commented May 15, 2019
edited
Loading

This is kind of like #242

@autrilla
Copy link
Contributor

I think a simple solution that would do what you want is expanding the path here:

https://github.com/mozilla/sops/blob/8f804bce1c96267fac61278e98f462f9413cda37/cmd/sops/main.go#L433

Such that for instance if you call sops secrets.enc.yaml, it would evaluate secrets.enc.yaml to the full path.

@kentso kentso mentioned this issue May 16, 2019
Merged
@kentso
Copy link
Contributor Author

kentso commented May 16, 2019

Thanks for the answer.
I have created a pull request #466
Can you have a check?

@autrilla
Copy link
Contributor

Fixed by #466

@michael-k michael-k mentioned this issue Jun 12, 2019
Open
@mhyllander mhyllander mentioned this issue Jun 24, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@autrilla @kentso