Revert "AWS Profile"

README.rst

@@ -326,23 +326,6 @@ When removing keys, it is recommended to rotate the data key using ``-r``,
 otherwise owners of the removed key may have add access to the data key in the
 past.
 
-KMS AWS Profiles
-~~~~~~~~~~~~~~~~
-
-If you want to use a specific profile, you can do so with `aws_profile`:
-
-.. code:: yaml
-
-	sops:
-	    kms:
-	    -	arn: arn:aws:kms:us-east-1:656532927350:key/920aff2e-c5f1-4040-943a-047fa387b27e
-            aws_profile: foo
-
-If no AWS profile is set, default credentials will be used.
-
-Similarly the `--aws-profile` flag can be set with the command line with any of the KMS commands.
-
-
 Assuming roles and using KMS in various AWS accounts
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

cmd/sops/main.go

@@ -161,10 +161,6 @@ func main() {
 							Name:  "kms",
 							Usage: "the KMS ARNs the new group should contain. Can be specified more than once",
 						},
-						cli.StringFlag{
-							Name:  "aws-profile",
-							Usage: "The AWS profile to use for requests to AWS",
-						},
 						cli.StringSliceFlag{
 							Name:  "gcp-kms",
 							Usage: "the GCP KMS Resource ID the new group should contain. Can be specified more than once",
@@ -196,7 +192,7 @@ func main() {
 							group = append(group, pgp.NewMasterKeyFromFingerprint(fp))
 						}
 						for _, arn := range kmsArns {
-							group = append(group, kms.NewMasterKeyFromArn(arn, kms.ParseKMSContext(c.String("encryption-context")), c.String("aws-profile")))
+							group = append(group, kms.NewMasterKeyFromArn(arn, kms.ParseKMSContext(c.String("encryption-context"))))
 						}
 						for _, kms := range gcpKmses {
 							group = append(group, gcpkms.NewMasterKeyFromResourceID(kms))
@@ -309,10 +305,6 @@ func main() {
 			Usage:  "comma separated list of KMS ARNs",
 			EnvVar: "SOPS_KMS_ARN",
 		},
-		cli.StringFlag{
-			Name:  "aws-profile",
-			Usage: "The AWS profile to use for requests to AWS",
-		},
 		cli.StringFlag{
 			Name:   "gcp-kms",
 			Usage:  "comma separated list of GCP KMS resource IDs",
@@ -510,7 +502,7 @@ func main() {
 		if c.Bool("rotate") {
 			var addMasterKeys []keys.MasterKey
 			kmsEncryptionContext := kms.ParseKMSContext(c.String("encryption-context"))
-			for _, k := range kms.MasterKeysFromArnString(c.String("add-kms"), kmsEncryptionContext, c.String("aws-profile")) {
+			for _, k := range kms.MasterKeysFromArnString(c.String("add-kms"), kmsEncryptionContext) {
 				addMasterKeys = append(addMasterKeys, k)
 			}
 			for _, k := range pgp.MasterKeysFromFingerprintString(c.String("add-pgp")) {
@@ -528,7 +520,7 @@ func main() {
 			}
 
 			var rmMasterKeys []keys.MasterKey
-			for _, k := range kms.MasterKeysFromArnString(c.String("rm-kms"), kmsEncryptionContext, c.String("aws-profile")) {
+			for _, k := range kms.MasterKeysFromArnString(c.String("rm-kms"), kmsEncryptionContext) {
 				rmMasterKeys = append(rmMasterKeys, k)
 			}
 			for _, k := range pgp.MasterKeysFromFingerprintString(c.String("rm-pgp")) {
@@ -762,7 +754,7 @@ func keyGroups(c *cli.Context, file string) ([]sops.KeyGroup, error) {
 		return nil, common.NewExitError("Invalid KMS encryption context format", codes.ErrorInvalidKMSEncryptionContextFormat)
 	}
 	if c.String("kms") != "" {
-		for _, k := range kms.MasterKeysFromArnString(c.String("kms"), kmsEncryptionContext, c.String("aws-profile")) {
+		for _, k := range kms.MasterKeysFromArnString(c.String("kms"), kmsEncryptionContext) {
 			kmsKeys = append(kmsKeys, k)
 		}
 	}

config/config.go

@@ -75,10 +75,9 @@ type gcpKmsKey struct {
 }
 
 type kmsKey struct {
-	Arn        string             `yaml:"arn"`
-	Role       string             `yaml:"role,omitempty"`
-	Context    map[string]*string `yaml:"context"`
-	AwsProfile string             `yaml:"aws_profile"`
+	Arn     string             `yaml:"arn"`
+	Role    string             `yaml:"role,omitempty"`
+	Context map[string]*string `yaml:"context"`
 }
 
 type azureKVKey struct {
@@ -91,7 +90,6 @@ type creationRule struct {
 	FilenameRegex     string `yaml:"filename_regex"`
 	PathRegex         string `yaml:"path_regex"`
 	KMS               string
-	AwsProfile        string `yaml:"aws_profile"`
 	PGP               string
 	GCPKMS            string     `yaml:"gcp_kms"`
 	AzureKeyVault     string     `yaml:"azure_keyvault"`
@@ -177,7 +175,7 @@ func loadForFileFromBytes(confBytes []byte, filePath string, kmsEncryptionContex
 		for _, k := range pgp.MasterKeysFromFingerprintString(rule.PGP) {
 			keyGroup = append(keyGroup, k)
 		}
-		for _, k := range kms.MasterKeysFromArnString(rule.KMS, kmsEncryptionContext, rule.AwsProfile) {
+		for _, k := range kms.MasterKeysFromArnString(rule.KMS, kmsEncryptionContext) {
 			keyGroup = append(keyGroup, k)
 		}
 		for _, k := range gcpkms.MasterKeysFromResourceIDString(rule.GCPKMS) {

keyservice/keyservice.go

@@ -41,10 +41,9 @@ func KeyFromMasterKey(mk keys.MasterKey) Key {
 		return Key{
 			KeyType: &Key_KmsKey{
 				KmsKey: &KmsKey{
-					Arn:        mk.Arn,
-					Role:       mk.Role,
-					Context:    ctx,
-					AwsProfile: mk.AwsProfile,
+					Arn:     mk.Arn,
+					Role:    mk.Role,
+					Context: ctx,
 				},
 			},
 		}

keyservice/keyservice.pb.go

@@ -240,10 +240,9 @@ func (m *PgpKey) GetFingerprint() string {
 }
 
 type KmsKey struct {
-	Arn        string            `protobuf:"bytes,1,opt,name=arn" json:"arn,omitempty"`
-	Role       string            `protobuf:"bytes,2,opt,name=role" json:"role,omitempty"`
-	Context    map[string]string `protobuf:"bytes,3,rep,name=context" json:"context,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"`
-	AwsProfile string            `protobuf:"bytes,4,opt,name=aws_profile" json:"aws_profile,omitempty"`
+	Arn     string            `protobuf:"bytes,1,opt,name=arn" json:"arn,omitempty"`
+	Role    string            `protobuf:"bytes,2,opt,name=role" json:"role,omitempty"`
+	Context map[string]string `protobuf:"bytes,3,rep,name=context" json:"context,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"`
 }
 
 func (m *KmsKey) Reset()                    { *m = KmsKey{} }

keyservice/server.go

@@ -37,7 +37,6 @@ func (ks *Server) encryptWithKms(key *KmsKey, plaintext []byte) ([]byte, error)
 		Arn:               key.Arn,
 		Role:              key.Role,
 		EncryptionContext: ctx,
-		AwsProfile:        key.AwsProfile,
 	}
 	err := kmsKey.Encrypt(plaintext)
 	if err != nil {
@@ -86,7 +85,6 @@ func (ks *Server) decryptWithKms(key *KmsKey, ciphertext []byte) ([]byte, error)
 		Arn:               key.Arn,
 		Role:              key.Role,
 		EncryptionContext: ctx,
-		AwsProfile:        key.AwsProfile,
 	}
 	kmsKey.EncryptedKey = string(ciphertext)
 	plaintext, err := kmsKey.Decrypt()

kms/keysource.go

@@ -42,7 +42,6 @@ type MasterKey struct {
 	EncryptedKey      string
 	CreationDate      time.Time
 	EncryptionContext map[string]*string
-	AwsProfile        string
 }
 
 // EncryptedDataKey returns the encrypted data key this master key holds
@@ -132,7 +131,7 @@ func NewMasterKey(arn string, role string, context map[string]*string) *MasterKe
 }
 
 // NewMasterKeyFromArn takes an ARN string and returns a new MasterKey for that ARN
-func NewMasterKeyFromArn(arn string, context map[string]*string, awsProfile string) *MasterKey {
+func NewMasterKeyFromArn(arn string, context map[string]*string) *MasterKey {
 	k := &MasterKey{}
 	arn = strings.Replace(arn, " ", "", -1)
 	roleIndex := strings.Index(arn, "+arn:aws:iam::")
@@ -144,18 +143,17 @@ func NewMasterKeyFromArn(arn string, context map[string]*string, awsProfile stri
 	}
 	k.EncryptionContext = context
 	k.CreationDate = time.Now().UTC()
-	k.AwsProfile = awsProfile
 	return k
 }
 
 // MasterKeysFromArnString takes a comma separated list of AWS KMS ARNs and returns a slice of new MasterKeys for those ARNs
-func MasterKeysFromArnString(arn string, context map[string]*string, awsProfile string) []*MasterKey {
+func MasterKeysFromArnString(arn string, context map[string]*string) []*MasterKey {
 	var keys []*MasterKey
 	if arn == "" {
 		return keys
 	}
 	for _, s := range strings.Split(arn, ",") {
-		keys = append(keys, NewMasterKeyFromArn(s, context, awsProfile))
+		keys = append(keys, NewMasterKeyFromArn(s, context))
 	}
 	return keys
 }
@@ -187,7 +185,7 @@ func (key MasterKey) createSession() (*session.Session, error) {
 	if matches == nil {
 		return nil, fmt.Errorf("No valid ARN found in %q", key.Arn)
 	}
-	config := aws.Config{Region: aws.String(matches[1]), Credentials: credentials.NewSharedCredentials("", key.AwsProfile)}
+	config := aws.Config{Region: aws.String(matches[1])}
 	opts := session.Options{
 		Config:                  config,
 		AssumeRoleTokenProvider: stscreds.StdinTokenProvider,

kms/keysource_test.go

@@ -48,7 +48,7 @@ func TestKMS(t *testing.T) {
 
 func TestKMSKeySourceFromString(t *testing.T) {
 	s := "arn:aws:kms:us-east-1:656532927350:key/920aff2e-c5f1-4040-943a-047fa387b27e+arn:aws:iam::927034868273:role/sops-dev, arn:aws:kms:ap-southeast-1:656532927350:key/9006a8aa-0fa6-4c14-930e-a2dfb916de1d"
-	ks := MasterKeysFromArnString(s, nil, "foo")
+	ks := MasterKeysFromArnString(s, nil)
 	k1 := ks[0]
 	k2 := ks[1]
 	expectedArn1 := "arn:aws:kms:us-east-1:656532927350:key/920aff2e-c5f1-4040-943a-047fa387b27e"

stores/stores.go

@@ -67,7 +67,6 @@ type kmskey struct {
 	Context          map[string]*string `yaml:"context,omitempty" json:"context,omitempty"`
 	CreatedAt        string             `yaml:"created_at" json:"created_at"`
 	EncryptedDataKey string             `yaml:"enc" json:"enc"`
-	AwsProfile       string             `yaml:"aws_profile" json:"aws_profile"`
 }
 
 type gcpkmskey struct {
@@ -136,7 +135,6 @@ func kmsKeysFromGroup(group sops.KeyGroup) (keys []kmskey) {
 				EncryptedDataKey: key.EncryptedKey,
 				Context:          key.EncryptionContext,
 				Role:             key.Role,
-				AwsProfile:       key.AwsProfile,
 			})
 		}
 	}
@@ -267,7 +265,6 @@ func (kmsKey *kmskey) toInternal() (*kms.MasterKey, error) {
 		EncryptedKey:      kmsKey.EncryptedDataKey,
 		CreationDate:      creationDate,
 		Arn:               kmsKey.Arn,
-		AwsProfile:        kmsKey.AwsProfile,
 	}, nil
 }