Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Terragrunt's sops_decrypt_file() does not work with GOOGLE_CREDENTIALS environment variable #2472

Closed
maciekTree opened this issue Feb 28, 2023 · 3 comments · Fixed by #2549
Closed

Terragrunt's sops_decrypt_file() does not work with GOOGLE_CREDENTIALS environment variable #2472

maciekTree opened this issue Feb 28, 2023 · 3 comments · Fixed by #2549
Labels
bug Something isn't working p:needs triage Needs to be processed by maintainer and issue type / priority added

Comments

@maciekTree
Copy link

maciekTree commented Feb 28, 2023
edited

Hi
We use GOOGLE_CREDENTIALS with the service account's private key in our CI to authenticate with GCP. Recently, we decided to add sops_decrypt_file() to our CI to pass some credentials down to the module which is supposed to work with GOOGLE_CREDENTIALS according to this PR but we are consistently getting:

Call to function "sops_decrypt_file" failed: Error getting data key: 0 successful groups required, got 0.

We are running sops v3.7.3. I was able to reproduce this error on my local with a dummy Terragrunt/Terraform module and only GOOGLE_CREDENTIALS set.
Binary sops --decrypt secretsfile.yaml works fine. Only sops_decrypt_file() doesn't.

The very same Terragrunt/Terraform configuration works fine when using application default credentials.

Does sops_decrypt_file() work with GOOGLE_CREDENTIALS?

Terraform v1.3.9
terragrunt version v0.44.0
sops 3.7.3 (latest)
@denis256 denis256 added bug Something isn't working p:needs triage Needs to be processed by maintainer and issue type / priority added labels Mar 1, 2023
@maciekTree
Copy link
Author

Would anyone be able to look at this? I can see GOOGLE_CREDENTIALS have been added in #907 a long time ago. Is there a chance sops_decrypt_file() is not using them correctly?

@Tensho
Copy link

Tensho commented Mar 28, 2023
edited

We have the same problem, it blocks us from using GCP federated authentication in CircleCI.

@phandox
Copy link

phandox commented May 1, 2023
edited

Bychecking the go.mod I see that terragrunt uses sops v3.7.2 but the feature in mentioned PR is in v3.7.3 (

terragrunt/go.mod

Line 32 in d185ed9

go.mozilla.org/sops/v3 v3.7.2
). Can we bump up the sops library used by Terragrunt?

@denis256 denis256 mentioned this issue May 1, 2023
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working p:needs triage Needs to be processed by maintainer and issue type / priority added
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Mozilla Sops upgrade to v3.7.3 gruntwork-io/terragrunt
4 participants
@Tensho @phandox @denis256 @maciekTree