diff --git a/README.rst b/README.rst
index 637df9b0a..239a5ac4b 100644
--- a/README.rst
+++ b/README.rst
@@ -344,7 +344,7 @@ If you want to use a specific profile, you can do so with `aws_profile`:
 sops: kms: - arn: arn:aws:kms:us-east-1:656532927350:key/920aff2e-c5f1-4040-943a-047fa387b27e - aws_profile: foo + aws_profile: foo If no AWS profile is set, default credentials will be used.
@@ -471,7 +471,7 @@ Let's take an example:
 * file named **something.dev.yaml** should use one set of KMS A
 * file named **something.prod.yaml** should use another set of KMS B
 * other files use a third set of KMS C
-* all live under **mysecretrepo/something.{dev,prod}.yaml**
+* all live under **mysecretrepo/something.{dev,prod,gcp}.yaml**
 Under those circumstances, a file placed at **mysecretrepo/.sops.yaml** can manage the three sets of configurations for the three types of files: 
@@ -505,7 +505,33 @@ When creating any file under **mysecretrepo**, whether at the root or under a subdirectory, sops will recursively look for a ``.sops.yaml`` file. If one is found, the filename of the file being created is compared with the filename regexes of the configuration file. The first regex that matches is selected,
-and its KMS and PGP keys are used to encrypt the file.
+and its KMS and PGP keys are used to encrypt the file. It should be noted that
+the looking up of ``.sops.yaml`` is from the working directory (CWD) instead of
+the directory of the encrypting file (see `Issue 242 `_).
+
+The path_regex checks the full path of the encrypting file. Here is another example:
+
+* files located under directory **development** should use one set of KMS A
+* files located under directory **production** should use another set of KMS B
+* other files use a third set of KMS C
+
+.. code:: yaml
+
+ creation_rules:
+ # upon creation of a file under development,
+ # KMS set A is used
+ - path_regex: .*/development/.*
+ kms: 'arn:aws:kms:us-west-2:927034868273:key/fe86dd69-4132-404c-ab86-4269956b4500,arn:aws:kms:us-west-2:361527076523:key/5052f06a-5d3f-489e-b86c-57201e06f31e+arn:aws:iam::361527076523:role/hiera-sops-prod'
+ pgp: '1022470DE3F0BC54BC6AB62DE05550BC07FB1A0A'
+
+ # prod files use KMS set B in the PROD IAM
+ - path_regex: .*/production/.*
+ kms: 'arn:aws:kms:us-west-2:361527076523:key/5052f06a-5d3f-489e-b86c-57201e06f31e+arn:aws:iam::361527076523:role/hiera-sops-prod,arn:aws:kms:eu-central-1:361527076523:key/cb1fab90-8d17-42a1-a9d8-334968904f94+arn:aws:iam::361527076523:role/hiera-sops-prod'
+ pgp: '1022470DE3F0BC54BC6AB62DE05550BC07FB1A0A'
+
+ # other files use KMS set C
+ - kms: 'arn:aws:kms:us-west-2:927034868273:key/fe86dd69-4132-404c-ab86-4269956b4500,arn:aws:kms:us-west-2:142069644989:key/846cfb17-373d-49b9-8baf-f36b04512e47,arn:aws:kms:us-west-2:361527076523:key/5052f06a-5d3f-489e-b86c-57201e06f31e'
+ pgp: 
'1022470DE3F0BC54BC6AB62DE05550BC07FB1A0A' Creating a new file with the right keys is now as simple as
diff --git a/cmd/sops/main.go b/cmd/sops/main.go
index c426a7fa3..edaa6e49e 100644
--- a/cmd/sops/main.go
+++ b/cmd/sops/main.go
@@ -6,6 +6,7 @@ import (
 "net"
 "net/url"
 "os"
+ "path/filepath"
 "reflect"
 "strconv"
 "strings"
@@ -430,7 +431,10 @@ func main() {
 if c.Bool("in-place") && c.String("output") != "" {
 return common.NewExitError("Error: cannot operate on both --output and --in-place", codes.ErrorConflictingParameters)
 }
- fileName := c.Args()[0]
+ fileName, err := filepath.Abs(c.Args()[0])
+ if err != nil {
+ return toExitError(err)
+ }
 if _, err := os.Stat(fileName); os.IsNotExist(err) {
 if c.String("add-kms") != "" || c.String("add-pgp") != "" || c.String("add-gcp-kms") != "" || c.String("add-azure-kv") != "" || c.String("rm-kms") != "" || c.String("rm-pgp") != "" || c.String("rm-gcp-kms") != "" || c.String("rm-azure-kv") != "" {
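Review bot: Resolving `fileName` with `filepath.Abs` means every `creation_rules` `path_regex` is now evaluated against the complete filesystem path, so an unanchored pattern like the README's `.*/development/.*` also matches directory names above the repository (a checkout whose parent folder is called `development` would route every file to that rule's KMS set, i.e. the wrong key set is selected); this deserves a comment at the new assignment, e.g. `// Absolute path: creation_rules path_regex is matched against the full path, including directories above the repo.`, and a sentence in the README recommending anchored patterns. `filepath.Abs` only cleans the path and does not resolve symlinks, so a file reached through a link is matched on the link's path rather than the target's — worth stating next to the new CWD note in the README. `c.Args()[0]` on the new line still indexes without a length check, so an invocation with no file argument presumably panics before `filepath.Abs` runs unless an earlier guard outside the hunk covers it. main's body starts and ends outside the hunk.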