
Commit fa4c077

committed
Allow SOPS to use custom AWS KMS and STS Endpoint
Signed-off-by: Ananda Vijaya <[email protected]>
1 parent 2356626 commit fa4c077


9 files changed

+195
-108
lines changed


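--- a/cmd/sops/main.go
+++ b/cmd/sops/main.go
@@ -528,6 +528,14 @@ func main() {
 Name: "aws-profile",
 Usage: "The AWS profile to use for requests to AWS",
 },
+cli.StringFlag{
+Name: "aws-kms-endpoint",
+Usage: "The AWS KMS Endpoint to use for requests to AWS. Ex: https://kms.ap-southeast-2.amazonaws.com",
+},
+cli.StringFlag{
+Name: "aws-sts-endpoint",
+Usage: "The AWS STS Endpoint to use for requests to AWS. Ex: https://sts.ap-southeast-2.amazonaws.com",
+},
 cli.StringSliceFlag{
 Name: "gcp-kms",
 Usage: "the GCP KMS Resource ID the new group should contain. Can be specified more than once",
@@ -572,7 +580,7 @@ func main() {
 group = append(group, pgp.NewMasterKeyFromFingerprint(fp))
 }
 for _, arn := range kmsArns {
-group = append(group, kms.NewMasterKeyFromArn(arn, kms.ParseKMSContext(c.String("encryption-context")), c.String("aws-profile")))
+group = append(group, kms.NewMasterKeyFromArn(arn, kms.ParseKMSContext(c.String("encryption-context")), c.String("aws-profile"), c.String("aws-kms-endpoint"), c.String("aws-sts-endpoint")))
 }
 for _, kms := range gcpKmses {
 group = append(group, gcpkms.NewMasterKeyFromResourceID(kms))
@@ -890,6 +898,14 @@ func main() {
 Name: "aws-profile",
 Usage: "The AWS profile to use for requests to AWS",
 },
+cli.StringFlag{
+Name: "aws-kms-endpoint",
+Usage: "The AWS KMS Endpoint to use for requests to AWS",
+},
+cli.StringFlag{
+Name: "aws-sts-endpoint",
+Usage: "The AWS STS Endpoint to use for requests to AWS",
+},
 cli.StringFlag{
 Name: "gcp-kms",
 Usage: "comma separated list of GCP KMS resource IDs",
@@ -1228,6 +1244,14 @@ func main() {
 Name: "aws-profile",
 Usage: "The AWS profile to use for requests to AWS",
 },
+cli.StringFlag{
+Name: "aws-kms-endpoint",
+Usage: "The AWS KMS Endpoint to use for requests to AWS",
+},
+cli.StringFlag{
+Name: "aws-sts-endpoint",
+Usage: "The AWS STS Endpoint to use for requests to AWS",
+},
 cli.StringFlag{
 Name: "gcp-kms",
 Usage: "comma separated list of GCP KMS resource IDs",
@@ -1602,6 +1626,14 @@ func main() {
 Name: "aws-profile",
 Usage: "The AWS profile to use for requests to AWS",
 },
+cli.StringFlag{
+Name: "aws-kms-endpoint",
+Usage: "The AWS KMS Endpoint to use for requests to AWS",
+},
+cli.StringFlag{
+Name: "aws-sts-endpoint",
+Usage: "The AWS STS Endpoint to use for requests to AWS",
+},
 cli.StringFlag{
 Name: "gcp-kms",
 Usage: "comma separated list of GCP KMS resource IDs",
@@ -2085,7 +2117,7 @@ func getEncryptConfig(c *cli.Context, fileName string) (encryptConfig, error) {
 
 func getMasterKeys(c *cli.Context, kmsEncryptionContext map[string]*string, kmsOptionName string, pgpOptionName string, gcpKmsOptionName string, azureKvOptionName string, hcVaultTransitOptionName string, ageOptionName string) ([]keys.MasterKey, error) {
 var masterKeys []keys.MasterKey
-for _, k := range kms.MasterKeysFromArnString(c.String(kmsOptionName), kmsEncryptionContext, c.String("aws-profile")) {
+for _, k := range kms.MasterKeysFromArnString(c.String(kmsOptionName), kmsEncryptionContext, c.String("aws-profile"), c.String("aws-kms-endpoint"), c.String("aws-sts-endpoint")) {
 masterKeys = append(masterKeys, k)
 }
 for _, k := range pgp.MasterKeysFromFingerprintString(c.String(pgpOptionName)) {
@@ -2274,7 +2306,7 @@ func keyGroups(c *cli.Context, file string) ([]sops.KeyGroup, error) {
 return nil, common.NewExitError("Invalid KMS encryption context format", codes.ErrorInvalidKMSEncryptionContextFormat)
 }
 if c.String("kms") != "" {
-for _, k := range kms.MasterKeysFromArnString(c.String("kms"), kmsEncryptionContext, c.String("aws-profile")) {
+for _, k := range kms.MasterKeysFromArnString(c.String("kms"), kmsEncryptionContext, c.String("aws-profile"), c.String("aws-kms-endpoint"), c.String("aws-sts-endpoint")) {
 kmsKeys = append(kmsKeys, k)
 }
 }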
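Review bot: Nothing in these hunks checks what --aws-kms-endpoint and --aws-sts-endpoint contain before they are passed to kms.MasterKeysFromArnString and kms.NewMasterKeyFromArn, so an http:// or malformed value reaches the AWS client unvalidated; unless the kms package (not shown here) enforces the scheme, KMS and STS traffic signed with the operator's credentials — including whatever plaintext the encrypt path hands to KMS — could be sent to a cleartext endpoint. I would parse each flag once and reject anything that is not an absolute https:// URL, using a helper like the one below from getMasterKeys and keyGroups (both already return an error; the main() call site at the `kmsArns` loop would need the same treatment), which needs net/url in the import block. Separately, the same two cli.StringFlag literals are repeated four times with drifting Usage text (only the first copy carries the "Ex: https://…" example); declaring them once as package-level variables keeps the help output consistent. Every main() hunk here is a slice of a function that starts and ends outside this view, as are getMasterKeys and keyGroups.
```go
// endpointFlag returns the value of the named endpoint flag, rejecting anything
// that is not an absolute https:// URL. An empty value keeps the SDK default.
func endpointFlag(c *cli.Context, name string) (string, error) {
	v := c.String(name)
	if v == "" {
		return "", nil
	}
	u, err := url.Parse(v)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return "", fmt.Errorf("--%s must be an https:// URL, got %q", name, v)
	}
	return v, nil
}

// … in getMasterKeys, before the kms loop (keyGroups gets the same two checks):
kmsEndpoint, err := endpointFlag(c, "aws-kms-endpoint")
if err != nil {
	return nil, err
}
stsEndpoint, err := endpointFlag(c, "aws-sts-endpoint")
if err != nil {
	return nil, err
}
for _, k := range kms.MasterKeysFromArnString(c.String(kmsOptionName), kmsEncryptionContext, c.String("aws-profile"), kmsEndpoint, stsEndpoint) {
// … unchanged: append loop and the other key providers …
```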

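--- a/config/config.go
+++ b/config/config.go
@@ -143,10 +143,12 @@ type gcpKmsKey struct {
 }
 
 type kmsKey struct {
-Arn string `yaml:"arn"`
-Role string `yaml:"role,omitempty"`
-Context map[string]*string `yaml:"context"`
-AwsProfile string `yaml:"aws_profile"`
+Arn string `yaml:"arn"`
+Role string `yaml:"role,omitempty"`
+Context map[string]*string `yaml:"context"`
+AwsProfile string `yaml:"aws_profile"`
+AwsKmsEndpoint string `yaml:"aws_kms_endpoint"`
+AwsStsEndpoint string `yaml:"aws_sts_endpoint"`
 }
 
 type azureKVKey struct {
@@ -173,6 +175,8 @@ type creationRule struct {
 PathRegex string `yaml:"path_regex"`
 KMS string
 AwsProfile string `yaml:"aws_profile"`
+AwsKmsEndpoint string `yaml:"aws_kms_endpoint"`
+AwsStsEndpoint string `yaml:"aws_sts_endpoint"`
 Age string `yaml:"age"`
 PGP string
 GCPKMS string `yaml:"gcp_kms"`
@@ -261,7 +265,7 @@ func extractMasterKeys(group keyGroup) (sops.KeyGroup, error) {
 keyGroup = append(keyGroup, pgp.NewMasterKeyFromFingerprint(k))
 }
 for _, k := range group.KMS {
-keyGroup = append(keyGroup, kms.NewMasterKeyWithProfile(k.Arn, k.Role, k.Context, k.AwsProfile))
+keyGroup = append(keyGroup, kms.NewMasterKeyWithProfile(k.Arn, k.Role, k.Context, k.AwsProfile, k.AwsKmsEndpoint, k.AwsStsEndpoint))
 }
 for _, k := range group.GCPKMS {
 keyGroup = append(keyGroup, gcpkms.NewMasterKeyFromResourceID(k.ResourceID))
@@ -304,7 +308,7 @@ func getKeyGroupsFromCreationRule(cRule *creationRule, kmsEncryptionContext map[
 for _, k := range pgp.MasterKeysFromFingerprintString(cRule.PGP) {
 keyGroup = append(keyGroup, k)
 }
-for _, k := range kms.MasterKeysFromArnString(cRule.KMS, kmsEncryptionContext, cRule.AwsProfile) {
+for _, k := range kms.MasterKeysFromArnString(cRule.KMS, kmsEncryptionContext, cRule.AwsProfile, cRule.AwsKmsEndpoint, cRule.AwsStsEndpoint) {
 keyGroup = append(keyGroup, k)
 }
 for _, k := range gcpkms.MasterKeysFromResourceIDString(cRule.GCPKMS) {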
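Review bot: A creation rule and a key group can now carry aws_kms_endpoint / aws_sts_endpoint, and getKeyGroupsFromCreationRule and extractMasterKeys forward them straight into the kms constructors; since .sops.yaml normally lives in the repository, whoever can edit that file can now steer every KMS and STS request made with the operator's AWS credentials to a host of their choosing, rather than only picking which key ARN is used. The new fields are undocumented, which hides that trust assumption from anyone reading the config loader; I would add above them `// AwsKmsEndpoint and AwsStsEndpoint override the SDK's default regional endpoints (e.g. a VPC endpoint or a local mock); treat them as trusted input, since the endpoint sees every KMS/STS request SOPS makes.` and consider a warning or explicit opt-in when a configured endpoint is not an amazonaws.com host, presuming the kms package does not already check this. Note kmsKey's new fields lack the `,omitempty` that `role` has; harmless for parsing, but inconsistent if the struct is ever marshalled. kmsKey and creationRule are both cut by the hunk edges, and extractMasterKeys and getKeyGroupsFromCreationRule start and end outside this view.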

keyservice/keyservice.pb.go

Lines changed: 73 additions & 51 deletions

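--- a/keyservice/keyservice.proto
+++ b/keyservice/keyservice.proto
@@ -22,6 +22,8 @@ message KmsKey {
 string role = 2;
 map<string, string> context = 3;
 string aws_profile = 4;
+string aws_kms_endpoint = 5;
+string aws_sts_endpoint = 6;
 }
 
 message GcpKmsKey {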
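Review bot: Fields 5 and 6 carry no comment, and because proto3 silently drops unknown fields a key-service server built before this change will ignore them and presumably keep using the SDK's default endpoints while the client believes its custom endpoint is in effect. That mismatch is worth stating on the fields, e.g. `// Optional custom KMS/STS endpoints; servers predating these fields ignore them and use the SDK defaults.` The field numbers themselves are fine (appended, no reuse of retired numbers). The KmsKey message starts above this hunk.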

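--- a/keyservice/server.go
+++ b/keyservice/server.go
@@ -323,5 +323,7 @@ func kmsKeyToMasterKey(key *KmsKey) kms.MasterKey {
 Role: key.Role,
 EncryptionContext: ctx,
 AwsProfile: key.AwsProfile,
+AwsKmsEndpoint: key.AwsKmsEndpoint,
+AwsStsEndpoint: key.AwsStsEndpoint,
 }
 }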
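Review bot: kmsKeyToMasterKey now copies AwsKmsEndpoint and AwsStsEndpoint from the client's request into the MasterKey with no check, so a key-service client decides which host the server's AWS credentials are used against. As the service is presumably reached over gRPC, any client that can connect gains a signed-request primitive against hosts of its choosing (an SSRF vector toward internal addresses) and could have the server return attacker-chosen decrypt results from a fake endpoint. If the key service is not meant to trust its clients to that degree, the endpoints should come from server-side configuration or be checked against an allow-list and an https scheme before being honoured; at minimum a comment should record the assumption, e.g. `// NOTE: endpoints are taken verbatim from the client request; the key service trusts its callers to choose them.` kmsKeyToMasterKey starts above this hunk.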
