Hi folks. My approach to allowing users to create secrets, and then for CI to decrypt and use those secrets, is to allow users to create encrypted files using the sops CLI.

Users are auth'd using AWS SSO with an AWS CLI profile called development.

My creation rules in .sops.yaml look like this:

creation_rules:
    - kms: arn:aws:kms:us-east-1:123456789123:alias/sops-kms-key
      aws_profile: development

So when the encrypted file (say, secrets.yaml) is created, it looks like this:

username: ENC[...]
password: ENC[...]
sops:
    kms:
        - arn: arn:aws:kms:us-east-1:123456789123:alias/sops-kms-key
          created_at: "1970-01-01T00:00:00Z"
          enc: ABCDEF
          aws_profile: development

This is great, but I also need my CI system to decrypt these files. The CI server has an AWS IAM role attached (let's call it CIServerRole) with permissions to access the KMS key. My solution at the moment is to manually add another kms list entry like this:

[...]
sops:
    kms:
        - arn: arn:aws:kms:us-east-1:123456789123:alias/sops-kms-key
          created_at: "1970-01-01T00:00:00Z"
          enc: ABCDEF
          aws_profile: development
+       # Added manually after file has been encrypted.
+       - arn: arn:aws:kms:us-east-1:123456789123:alias/sops-kms-key
+         created_at: "1970-01-01T00:00:00Z"
+         enc: ABCDEF
+         aws_profile: ""
+         role: arn:aws:iam::123456789123:role/CIServerRole

I then commit and push this, and the CI server can happily decrypt the file using that IAM role.

I'd rather avoid having to add this manually, due to the toil and possibility of human error. I'd like the sops CLI to automatically populate this second "use a role, not a profile" entry to the kms list. Is this possible using .sops.yaml?

Thanks, and hugely appreciate the awesome work on SOPS!

Aaron