Using AWS KMS in Terraform Cloud #79
For 1., this is never going to work: the sops provider (actually sops itself) doesn't know anything about the AWS provider and the settings you configure in the AWS provider are only local to that provider. So, if the AWS provider manages to assume a new role and get temporary credentials for this role, it will not set anything "outside" of the provider and you can't reuse it for sops. For 2., you are almost there:
Hello, I’m currently facing an issue where I get the following error:
This appears to be tied to a lack of AWS permissions to use the key. I’m not sure what I’m missing or need to do to make this function. I’ve tried the following:
With the variables assigned via the Terraform Cloud UI, this pattern works for our other use cases. In addition, because I was concerned about a provider initialization order issue, I put this AWS provider above sops, and put in the following to ensure that AWS was fully functional before sops attempted to decrypt:
The user here has the permission for the role specified in the associated sops file:
These two methods did not resolve the issue, so I feel like I'm either missing something foundational, or there is unexpected behaviour here.
My theories are that the provider (via sops, via the AWS SDK) is somehow misbehaving, but I admit that my attempts to follow the code and debug stalled out a bit in the middle of the sops decrypt package.
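As an added example (not code from this issue, nor from the sops provider's own repository) of the point made in the reply above: the role assumed by the AWS provider never reaches sops, because sops reads base credentials from the AWS SDK default chain and assumes only the role recorded in the encrypted file. Provider sources, ARNs, file names and the `aws_ssm_parameter` consumer are assumptions.

```hcl
# Added example, not from the issue. All ARNs, key IDs and paths are placeholders.

terraform {
  required_providers {
    aws  = { source = "hashicorp/aws" }
    sops = { source = "carlpett/sops" }
  }
}

# This assume_role affects only resources managed by the AWS provider.
# The temporary credentials it obtains are never visible to sops.
provider "aws" {
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::111122223333:role/terraform-deploy" # placeholder
  }
}

# The sops provider takes no credential settings. Its base credentials must be
# visible to the SDK default chain: in Terraform Cloud, set AWS_ACCESS_KEY_ID,
# AWS_SECRET_ACCESS_KEY and AWS_REGION as *environment* variables on the
# workspace (not as Terraform variables, which the SDK never reads).
provider "sops" {}

# secrets.enc.yaml is assumed to have been encrypted with a creation rule whose
# kms entry is "<key arn>+<role arn>", for example in .sops.yaml:
#   creation_rules:
#     - path_regex: secrets\.enc\.yaml$
#       kms: arn:aws:kms:us-east-1:111122223333:key/KEY-ID+arn:aws:iam::111122223333:role/sops-decrypt
# sops itself then calls sts:AssumeRole on that role using the base credentials
# and kms:Decrypt using the role's credentials. So the base principal needs
# sts:AssumeRole on the role (and the role's trust policy must allow it), and
# the role needs kms:Decrypt on the key; permissions on the AWS provider's
# deploy role do not help.
data "sops_file" "secrets" {
  source_file = "${path.module}/secrets.enc.yaml"
}

# Placeholder consumer of a decrypted value (flat key "db_password" assumed).
resource "aws_ssm_parameter" "db_password" {
  name  = "/app/db_password"
  type  = "SecureString"
  value = data.sops_file.secrets.data["db_password"]
}
```

If decryption still fails with an access error, check CloudTrail for the AssumeRole and Decrypt calls: the principal shown there is the one sops actually used, which quickly distinguishes a missing trust-policy entry from a missing kms:Decrypt grant.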