Multiple Azure Keyvaults With Different Environments #1423

Open
daveneeley opened this issue Jan 27, 2024 · 0 comments

Comments

@daveneeley

I have a file that is encrypted with an Azure Key Vault key from Azure cloud. I want to encrypt with an additional key from a vault in Azure US Government cloud. I'm using CLI mode. I understand that I can set AZURE_ENVIRONMENT=AzureUsGovernmentCloud to use that cloud. Unfortunately sops applies the same credential for both Azure keys, and one will always fail to encrypt with 401 Unauthorized.

Start with a .sops.yaml like this:

creation_rules:
- path_regex: secrets.yaml
  azure_keyvault: https://myvault.vault.azure.net/keys/mykey/someversion

Steps to validate current config:

az cloud set --name azurecloud
az account set --subscription my-cloud-sub
sops -d secrets.yaml

Add the US Gov key, updating .sops.yaml to something like this:

creation_rules:
- path_regex: secrets.yaml
  azure_keyvault: https://myvault.vault.usgovcloudapi.net/keys/mygovkey/someversion,https://myvault.vault.azure.net/keys/mykey/someversion

Steps (fails with 401):

az cloud set --name azureusgovernment
az account set --subscription my-gov-sub
AZURE_ENVIRONMENT='AzureUsGovernmentCloud' sops updatekeys secrets.yaml

Note failure:

error updating one or more master keys: [failed to encrypt new data key with master key "https://myvault.vault.azure.net/keys/mykey/someversion": failed to encrypt sops data key with Azure Key Vault key 'https://myvault.vault.azure.net/keys/mykey/someversion': POST https://myvault.vault.azure.net/keys/mykey/someversion/encrypt
--------------------------------------------------------------------------------
RESPONSE 401: 401 Unauthorized
ERROR CODE: Unauthorized
--------------------------------------------------------------------------------
{
  "error": {
    "code": "Unauthorized",
    "message": "AKV10032: Invalid issuer. Expected one of https://sts.windows.net/<azure cloud tenant id>/, found https://sts.windows.net/<azure gov cloud tenant id>/."
  }
}
--------------------------------------------------------------------------------
]

Based on the order of operations, I assume the gov encryption key was used successfully? The error states the original azure key (which is listed second in the example file) cannot be used because the login context is for the government cloud.
