I'm trying to create a secrets.json file that can be checked into git. I want my entire team to be able to add / encrypt a value to the secrets file, but not decrypt a value. We're using Google Cloud to manage access to the encryption key. When I give the Cloud KMS CryptoKey Encrypter permission and run the following command, I get the following error:
sops --set '["app2"]["key"] "app2keystringvalue"' secrets.enc.json
Failed to get the data key required to decrypt the SOPS file.
Group 0: FAILED
projects/example-project/locations/global/keyRings/example/cryptoKeys/sops-key: FAILED
- | Error decrypting key: googleapi: Error 403: Permission
| 'cloudkms.cryptoKeyVersions.useToDecrypt' denied on resource
| 'projects/example-project/locations/global/keyRings/example/cryptoKeys/sops-key'
| (or it may not exist)., forbidden
Recovery failed because no master key was able to decrypt the file. In
order for SOPS to recover the file, at least one key has to be successful,
but none were.
When I add the Cloud KMS CryptoKey Decrypter permission, everything seems to work fine.
Is there a way that I can allow people to add things to the file, without requiring that they have permission to decrypt the entire file?
The answer is that this isn't possible. SOPS requires the ability to decrypt the file with every update to the file, to ensure that there is no tampering with the file.
This is unfortunate, as it makes the system very brittle for allowing people to add secrets and check the file in, but this is how it works.
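As an added illustration of the answer's point (written for this page; it is not sops's own code, nor code from the question or answer), here is a small model of a sops-style file: values are encrypted under a per-file data key, the data key is wrapped by a KMS key, and an integrity MAC over the plaintext values is keyed with that same data key. Cloud KMS and its IAM roles are modelled locally (the CloudKmsKey and Principal classes are assumptions, not the real API); the role names, permission names and resource path are the ones from the question. The cryptography is deliberately a stand-in (an HMAC-SHA256 keystream instead of AES-GCM, an HMAC instead of sops's MAC construction), which is enough to show the mechanism: `set_value`, the analogue of `sops --set`, must unwrap the data key before it can seal the new value or recompute the MAC, so an Encrypter-only caller fails at exactly the point where the question's 403 appears.

```python
"""Model of a sops-style encrypted file showing why `sops --set` needs KMS decrypt.
Stand-in crypto, not sops's real scheme: HMAC-SHA256 keystream XOR replaces AES-GCM
and an HMAC over the plaintext values keyed with the data key replaces sops's MAC.
Role, permission and resource names are the ones in the question; CloudKmsKey and
Principal are a local model of Cloud KMS IAM, not the real API."""
import base64, hashlib, hmac, json, os

ROLE_ENCRYPTER = "roles/cloudkms.cryptoKeyEncrypter"
ROLE_DECRYPTER = "roles/cloudkms.cryptoKeyDecrypter"
RESOURCE = "projects/example-project/locations/global/keyRings/example/cryptoKeys/sops-key"


def _keystream_xor(key, nonce, data):
    """Counter-mode keystream from HMAC-SHA256; XOR makes it its own inverse."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)


def seal(key, plaintext):
    nonce = os.urandom(16)
    return base64.b64encode(nonce + _keystream_xor(key, nonce, plaintext)).decode()


def unseal(key, token):
    raw = base64.b64decode(token)
    return _keystream_xor(key, raw[:16], raw[16:])


class Principal:
    def __init__(self, name, roles):
        self.name, self.roles = name, set(roles)


class CloudKmsKey:
    """One CryptoKey: wraps/unwraps data keys; the key material never leaves it."""
    def __init__(self):
        self._kek = os.urandom(32)

    def _check(self, caller, role, permission):
        if role not in caller.roles:
            raise PermissionError(f"googleapi: Error 403: Permission "
                                  f"'cloudkms.cryptoKeyVersions.{permission}' denied on resource '{RESOURCE}'")

    def encrypt(self, caller, data_key):
        self._check(caller, ROLE_ENCRYPTER, "useToEncrypt")
        return seal(self._kek, data_key)

    def decrypt(self, caller, wrapped):
        self._check(caller, ROLE_DECRYPTER, "useToDecrypt")
        return unseal(self._kek, wrapped)


def _mac(data_key, values):
    """Keyed with the data key, so whoever can recompute it can also decrypt everything."""
    return hmac.new(data_key, json.dumps(values, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def create_file(kms, caller, values):
    """Creating a file from scratch only needs the Encrypter role: a fresh data key is wrapped."""
    data_key = os.urandom(32)
    return {"data": {k: seal(data_key, v.encode()) for k, v in values.items()},
            "sops": {"gcp_kms": [{"resource_id": RESOURCE, "enc": kms.encrypt(caller, data_key)}],
                     "mac": _mac(data_key, values)}}


def _unlock(kms, caller, doc):
    """Unwrap the data key via KMS and verify the MAC; an Encrypter-only caller fails here."""
    try:
        data_key = kms.decrypt(caller, doc["sops"]["gcp_kms"][0]["enc"])
    except PermissionError as exc:
        raise RuntimeError("Failed to get the data key required to decrypt the SOPS file: "
                           + str(exc)) from exc
    values = {k: unseal(data_key, v).decode("utf-8", "replace") for k, v in doc["data"].items()}
    if not hmac.compare_digest(_mac(data_key, values), doc["sops"]["mac"]):
        raise RuntimeError("MAC mismatch: the file has been tampered with")
    return data_key, values


def decrypt_file(kms, caller, doc):
    return _unlock(kms, caller, doc)[1]


def set_value(kms, caller, doc, key, value):
    """Model of `sops --set`: the data key is needed to seal the new value and to refresh the MAC."""
    data_key, values = _unlock(kms, caller, doc)
    values[key] = value
    new_doc = json.loads(json.dumps(doc))  # leave the caller's copy untouched
    new_doc["data"][key] = seal(data_key, value.encode())
    new_doc["sops"]["mac"] = _mac(data_key, values)
    return new_doc


if __name__ == "__main__":
    kms, admin = CloudKmsKey(), Principal("admin", {ROLE_ENCRYPTER, ROLE_DECRYPTER})
    dev = Principal("dev", {ROLE_ENCRYPTER})  # the question's Encrypter-only teammate
    doc = create_file(kms, admin, {"app1": "app1secret"})
    try:
        set_value(kms, dev, doc, "app2", "app2keystringvalue")
    except RuntimeError as exc:
        print(exc)  # the 403 on useToDecrypt, as in the question
    print(decrypt_file(kms, admin, set_value(kms, admin, doc, "app2", "app2keystringvalue")))
```

Two things the model makes visible. First, the Encrypter role is enough to create a brand-new file (a fresh data key is generated locally and only wrapped), so the restriction bites specifically on updating an existing file, where the already-wrapped data key has to come back out of KMS. Second, the MAC is what makes the data key unavoidable even if the new value were encrypted some other way: without the data key the MAC cannot be recomputed, and a file whose MAC does not match is rejected on the next decrypt, which is the tamper protection the answer refers to.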