
Failing decrypting from sops age key as environment variable. #80

Closed
p0bailey opened this issue Dec 8, 2021 · 3 comments


p0bailey commented Dec 8, 2021

Hi Calle,

First and foremost thanks for your great work with terraform sops provider.

To reduce the risk of having files containing secrets keys around the filesystem I have
applied the patch suggested on getsops/sops#946. This patch
will allow exposing the SOPS secret key as an environment variable rather than a key
file, moreover will enhance the automation experience with GH actions or any other CI
tool. Because the sops PR 946 actually solves a big problem, I took the matter on my
own hands and compiled a sops from PR496 which includes the possibility to expose
the private key such as SOPS_AGE_KEY environment variable.

I have generated a new age key pair and exposed as:

export SOPS_AGE_RECIPIENTS=age1foobarfoobarfoobarfoobar

export SOPS_AGE_KEY=AGE-SECRET-KEY-XXXXXXXXXYYYYYYYYYYYYZZZZZZZZZZ

Created a secret.yaml sops file and added some custom test secrets
with sops secret.yaml. This actually proves that SOPS_AGE_KEY works
as expected. However, when I tried to read those secrets from terraform
configured with sops provider I get this back.

│ Error: Error getting data key: 0 successful groups required, got 0

│ with data.sops_file.secrets,
│ on locals.tf line 2, in data "sops_file" "secrets":
│ 2: data "sops_file" "secrets" {

To me looks like the provider is not passing the SOPS_AGE_KEY variable.
But if I unset the SOPS_AGE_KEY and I use export SOPS_AGE_KEY_FILE="${PWD}/key.txt"
everything works seamlessly and I'm able to read my secrets and create the resources
wanted.

Any idea would be really appreciated.

Best regards,

Phillip
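The report above describes a provider build that reads the age identity only from SOPS_AGE_KEY_FILE, while the CI-friendly setup keeps it in SOPS_AGE_KEY. The POSIX sh snippet below is an added example, not code from the issue, from sops or from the terraform-provider-sops project: it resolves which key source the current environment offers (the default path ~/.config/sops/age/keys.txt is sops' documented fallback, assumed here), sanity-checks the secret key's prefix, and, for a provider version that ignores SOPS_AGE_KEY, materialises the env-var key into a 0600 temporary file and points SOPS_AGE_KEY_FILE at it so the secret never lands in a world-readable or checked-in path.

```shell
#!/bin/sh
# Added example (not from the issue, sops or the provider). Bridges a
# SOPS_AGE_KEY-only environment to a tool that only honours SOPS_AGE_KEY_FILE.

# resolve_age_key_source: print which age identity source sops would use,
# in the precedence order env var > key file > default path > none.
resolve_age_key_source() {
  if [ -n "${SOPS_AGE_KEY:-}" ]; then
    echo env
  elif [ -n "${SOPS_AGE_KEY_FILE:-}" ]; then
    echo file
  elif [ -r "${HOME}/.config/sops/age/keys.txt" ]; then   # assumed default path
    echo default
  else
    echo none
  fi
}

# looks_like_age_secret_key: cheap format check so a mis-set variable
# (e.g. the public recipient pasted into SOPS_AGE_KEY) fails early.
looks_like_age_secret_key() {
  case "$1" in
    AGE-SECRET-KEY-1*) return 0 ;;
    *) return 1 ;;
  esac
}

# materialise_age_key: write SOPS_AGE_KEY to a private temp file and export
# SOPS_AGE_KEY_FILE pointing at it. Returns 1 if no usable key is set.
# The caller owns the file and should remove it once terraform has run.
materialise_age_key() {
  looks_like_age_secret_key "${SOPS_AGE_KEY:-}" || return 1
  old_umask=$(umask)
  umask 077                                  # create the file owner-only
  keyfile=$(mktemp) || { umask "$old_umask"; return 1; }
  umask "$old_umask"
  printf '%s\n' "$SOPS_AGE_KEY" > "$keyfile" || return 1
  chmod 600 "$keyfile"
  export SOPS_AGE_KEY_FILE="$keyfile"
}

# Typical CI usage (constructed):
#   . ./age_key_bridge.sh
#   materialise_age_key && terraform apply; rm -f "$SOPS_AGE_KEY_FILE"
```

Because the function exports SOPS_AGE_KEY_FILE in the calling shell, it must be invoked directly (not inside `$(...)`); pair it with a trap or an explicit `rm -f "$SOPS_AGE_KEY_FILE"` so the temporary identity does not outlive the job.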

@heseifert

+1


carlpett commented Apr 3, 2022

Hi!
This should be fixed with sops 3.7.2, which is included in the just-released 0.7.0!

@carlpett carlpett closed this as completed Apr 3, 2022
@p0bailey (Author)

really appreciated!

Thanks,

Phillip
