Obscure error when using KMS alias with AWS #37

Open
jecnua opened this issue Feb 18, 2020 · 6 comments

@jecnua

jecnua commented Feb 18, 2020

Hi all,

I tried to use a SOPS file with a KMS alias with your provider but I received the following obscure error.

Error: Error getting data key: 0 successful groups required, got 0

I tried the same sops file with the original key and with the alias.
The CLI works correctly in both cases but the terraform provider fails when the alias is declared.

How to reproduce?

data "sops_file" "secret_file" {
  source_file = "sops/key-dev.json"
}

and a sops file with key/alias declared.

Versions

$ terraform version
Terraform v0.12.20
+ provider.aws v2.49.0
+ provider.sops (unversioned) <-- v0.3.2

On MacOS Catalina 10.15.3

@carlpett
Owner

Hi @jecnua,
Agree that the error is a bit vague, but that is something that needs to be fixed in the upstream sops library.
Could you first see if the error is still present if you upgrade to the latest release (v0.5)? The sops library has been updated since v0.3.2, so there could be bugs fixed upstream.

@victorboissiere

Same issue with latest release

@jecnua
Author

jecnua commented Oct 15, 2020

Thanks @victorboissiere. Sorry, I must have missed the message commenting on this issue and I didn't reply :(

@PavelSusloparov

I manage AWS credentials with ~/.aws/config file as a specific profile in my local environment.
I use env variables AWS_ACCESS_KEY_ID & AWS_SECRET_ACCESS_KEY in CI.

terraform-provider-sops fails in CI but works locally.
Fixed CI by adding a one-liner

printf "[terraform]\naws_access_key_id = ${AWS_ACCESS_KEY_ID}\naws_secret_access_key = ${AWS_SECRET_ACCESS_KEY}\n" >> ~/.aws/config

@sfozz

sfozz commented Jun 22, 2021

I also have the same issue when using

sops = {
    source  = "carlpett/sops"
    version = "~> 0.6"
}

If I have a secrets file that was created using a KMS key that allows a role to Encrypt/Decrypt then the sops terraform provider fails in the same way.

@bryan-rhm

@sfozz Have you configured a .sops.yaml file? It should be located where your encrypted file is.
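
A preflight check for the situations reported in this thread (a KMS alias ARN in the sops file, and an AWS profile that exists locally but not in CI), added here as an example and not code from terraform-provider-sops or sops: it lists each KMS entry in a sops file's metadata (ARN kind, role, profile) and flags a profile the AWS config does not define. The sample file, account ID, ARNs and function names are constructed for illustration, and the check does not identify the root cause of the error above.

```python
import configparser
import json
import re

# arn:aws:kms:<region>:<account>:key/<id>  or  ...:alias/<name>
KMS_ARN = re.compile(r"^arn:aws[\w-]*:kms:([\w-]+):(\d{12}):(key|alias)/(.+)$")

def profiles_from_config(text):
    """Profile names defined in the text of an AWS config file ('profile ' prefix stripped)."""
    cp = configparser.RawConfigParser(strict=False)
    cp.read_string(text)
    return {s[len("profile "):] if s.startswith("profile ") else s for s in cp.sections()}

def kms_preflight(sops_doc, profiles):
    """Return one finding per KMS master key listed in the file's sops metadata."""
    meta = sops_doc.get("sops", {})
    entries = list(meta.get("kms") or [])
    for group in meta.get("key_groups") or []:
        entries += group.get("kms") or []
    findings = []
    for e in entries:
        m = KMS_ARN.match(e.get("arn", ""))
        profile = e.get("aws_profile") or None
        findings.append({
            "arn": e.get("arn"),
            "kind": m.group(3) if m else "unparsed",   # "key" or "alias"
            "region": m.group(1) if m else None,
            "assume_role": e.get("role") or None,      # role sops is told to assume
            "profile": profile,                        # named profile stored in the file
            "profile_missing": bool(profile) and profile not in profiles,
        })
    return findings

# Constructed sample: one alias entry pinned to a profile, one key entry with a role.
SAMPLE_SOPS = json.loads("""{
 "db_password": "ENC[AES256_GCM,data:...]",
 "sops": {"kms": [
   {"arn": "arn:aws:kms:eu-west-1:111122223333:alias/dev-secrets",
    "aws_profile": "terraform", "enc": "..."},
   {"arn": "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "role": "arn:aws:iam::111122223333:role/sops-decrypt", "enc": "..."}
 ]}
}""")
SAMPLE_CONFIG = "[default]\nregion = eu-west-1\n"  # constructed: no "terraform" profile

if __name__ == "__main__":
    for finding in kms_preflight(SAMPLE_SOPS, profiles_from_config(SAMPLE_CONFIG)):
        print(finding)
```

Run against the real encrypted file and the CI runner's AWS config, a `profile_missing` entry shows that the runner lacks a profile the file names before Terraform is invoked.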
