Conversation

@shearn89
Contributor

Summary

Fixes #1972

In commit 84c7673, the config loading was refactored to load only once for performance. However, this introduced a bug where the kmsEncryptionContext (from the --encryption-context CLI flag) was not passed to loadConfig() when pre-loading the config.

This caused KMS master keys in the config's KeyGroups to be created without the encryption context, leading to AWS KMS denying requests when the KMS policy requires an encryption context.

Changes

  • cmd/sops/main.go: Parse and pass the kmsEncryptionContext when pre-loading the config in main()
  • config/config_test.go: Add regression test TestKeyGroupsForFileWithExternalEncryptionContext

Test plan

  • Added regression test that verifies encryption context is applied to KMS keys when passed to config loading
  • All existing config tests pass
  • Build succeeds

🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Alex Shearn <alex.shearn@kraken.tech>
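The failure mode described in this pull request, reduced to a self-contained program. This is an added example written for this page, not code from the sops repository: the parser, the stand-in KeyGroup builder (KeyGroupsFromConfig), the policy model (RequiredContextPolicy) and the regression check (CheckEncryptionContextPropagation) are all assumptions of the example, as is the placeholder ARN. The only inputs taken from the page are the AppName:argocd context and the comma-separated key:value syntax of --encryption-context. It shows why a config pre-loaded with a nil context yields KMS master keys that a key policy conditioned on kms:EncryptionContext:AppName explicitly denies, and what the regression check has to assert.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// EncryptionContext is an AWS KMS encryption context: non-secret key/value
// pairs bound to the ciphertext that must be supplied again on Decrypt.
type EncryptionContext map[string]string

// ParseEncryptionContext parses the comma-separated key:value list accepted by
// the sops --encryption-context flag (e.g. "AppName:argocd").
// Illustrative parser written for this example, not sops' own.
func ParseEncryptionContext(raw string) (EncryptionContext, error) {
	ctx := EncryptionContext{}
	if strings.TrimSpace(raw) == "" {
		return ctx, nil
	}
	for _, pair := range strings.Split(raw, ",") {
		k, v, ok := strings.Cut(strings.TrimSpace(pair), ":")
		if !ok || k == "" || v == "" {
			return nil, fmt.Errorf("invalid encryption context pair %q: want key:value", pair)
		}
		ctx[k] = v
	}
	return ctx, nil
}

// KMSMasterKey stands in for one KMS master key entry in a sops KeyGroup.
type KMSMasterKey struct {
	Arn               string
	EncryptionContext EncryptionContext
}

// KeyGroupsFromConfig models building a file's KeyGroups from a creation
// rule's KMS ARNs. The context comes from the caller: a caller that pre-loads
// the config and forgets to pass it (the bug above) yields keys with no context.
func KeyGroupsFromConfig(kmsArns []string, ctx EncryptionContext) [][]KMSMasterKey {
	group := make([]KMSMasterKey, 0, len(kmsArns))
	for _, arn := range kmsArns {
		group = append(group, KMSMasterKey{Arn: arn, EncryptionContext: ctx})
	}
	return [][]KMSMasterKey{group}
}

// RequiredContextPolicy mimics a KMS key policy statement of the form
//   Effect: Deny, Action: kms:Encrypt,
//   Condition: {StringNotEquals: {"kms:EncryptionContext:<Key>": "<Value>"}}
// IAM evaluates a negated operator such as StringNotEquals as true when the
// condition key is absent from the request, so an Encrypt call with no
// encryption context hits the explicit deny (the AccessDeniedException above).
type RequiredContextPolicy struct {
	Key   string
	Value string
}

// AuthorizeEncrypt returns nil if the key's context satisfies the policy.
func (p RequiredContextPolicy) AuthorizeEncrypt(k KMSMasterKey) error {
	got, present := k.EncryptionContext[p.Key] // safe on a nil map
	if !present || got != p.Value {
		return errors.New("AccessDeniedException: kms:Encrypt on " + k.Arn +
			" denied by an explicit deny in a resource-based policy (kms:EncryptionContext:" +
			p.Key + " not satisfied)")
	}
	return nil
}

// CheckEncryptionContextPropagation is the regression check in miniature:
// every KMS master key in every group must carry the context from the flag.
func CheckEncryptionContextPropagation(groups [][]KMSMasterKey, want EncryptionContext) error {
	for _, g := range groups {
		for _, k := range g {
			if len(k.EncryptionContext) != len(want) {
				return fmt.Errorf("key %s: context %v, want %v", k.Arn, k.EncryptionContext, want)
			}
			for wk, wv := range want {
				if k.EncryptionContext[wk] != wv {
					return fmt.Errorf("key %s: context %v, want %v", k.Arn, k.EncryptionContext, want)
				}
			}
		}
	}
	return nil
}

func main() {
	// Placeholder ARN using the AWS documentation example account; not a real key.
	arns := []string{"arn:aws:kms:eu-west-2:111122223333:alias/example-sops"}
	policy := RequiredContextPolicy{Key: "AppName", Value: "argocd"}
	ctx, err := ParseEncryptionContext("AppName:argocd")
	if err != nil {
		panic(err)
	}
	// Buggy path: config pre-loaded without the flag's context -> explicit deny.
	fmt.Println("without context:", policy.AuthorizeEncrypt(KeyGroupsFromConfig(arns, nil)[0][0]))
	// Fixed path: the parsed context is passed through when loading the config.
	fixed := KeyGroupsFromConfig(arns, ctx)
	fmt.Println("propagation check:", CheckEncryptionContextPropagation(fixed, ctx))
	fmt.Println("with context:", policy.AuthorizeEncrypt(fixed[0][0]))
}
```

The point of CheckEncryptionContextPropagation is that it compares the whole context map on every key of every group rather than spot-checking one key, which is what catches a caller that drops the context for one code path (the pre-load) while keeping it on another.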
@shearn89 force-pushed the fix/kms-encryption-context-1972 branch from 0f2cb2a to e50165d on December 16, 2025 11:12
@shearn89 marked this pull request as ready for review on December 16, 2025 11:13
@shearn89
Contributor Author

Will try and test locally today.

@shearn89
Contributor Author

shearn89 commented Dec 16, 2025

Testing evidence:

❯ /opt/homebrew/bin/sops --version
sops 3.11.0 (latest)

[warning] Note that in a future version, sops will no longer check whether the current version is the latest when asking for sops' version. If you want to explicitly check for the latest version, add the `--check-for-updates` option to `sops --version`. This will hide this deprecation warning and will always check, even if the default behavior changes in the future.

❯ /opt/homebrew/bin/sops -i -e --encryption-context AppName:argocd values.encrypted.yaml
Could not generate data key: [failed to encrypt new data key with master key "arn:aws:kms:eu-west-2:redacted:alias/shearn89-sandbox-argocd-sops": failed to encrypt sops data key with AWS KMS: operation error KMS: Encrypt, https response error StatusCode: 400, RequestID: uuid, api error AccessDeniedException: User: arn:aws:sts::redacted:assumed-role/redacted/me is not authorized to perform: kms:Encrypt on resource: arn:aws:kms:eu-west-2:redacted:key/redacted with an explicit deny in a resource-based policy]

Errors, file is not encrypted. With local build:

❯ ~/opensource/sops/sops -i -e --encryption-context AppName:argocd values.encrypted.yaml
# no output

❯ cat values.encrypted.yaml
# file is correct

Contributor

@felixfontein felixfontein left a comment

Thanks, with this I was able to trace back what 84c7673 broke and the code change should be correct if I'm not mistaken.

@felixfontein merged commit b3ee47e into getsops:main on Dec 16, 2025
15 checks passed

Development

Successfully merging this pull request may close these issues.

SOPS 3.11 unable to encrypt a file with encryption context on AWS KMS

2 participants