From 59adef5bcccb41d428d565f222abe772ed1535c7 Mon Sep 17 00:00:00 2001 From: Stefan Prodan Date: Fri, 20 Nov 2020 15:26:10 +0200 Subject: [PATCH] Add AWS IAM role example to SOPS docs Signed-off-by: Stefan Prodan --- docs/guides/mozilla-sops.md | 37 ++++++++++++++++++++++++++++++------- 1 file changed, 30 insertions(+), 7 deletions(-) diff --git a/docs/guides/mozilla-sops.md b/docs/guides/mozilla-sops.md index 68f3b12d..e9b8aa67 100644 --- a/docs/guides/mozilla-sops.md +++ b/docs/guides/mozilla-sops.md 
@@ -101,13 +101,36 @@ flux create kustomization my-secrets \ Note that the `sops-gpg` can contain more than one key, sops will try to decrypt the secrets by iterating over all the private keys until it finds one that works. -!!! hint KMS - When using AWS/GCP KMS, you'll have to bind an IAM Role - with read access to the KMS keys to the `default` service account of the - `flux-system` namespace for kustomize-controller to be able to fetch - keys from KMS. When using Azure Key Vault you need to authenticate the kustomize controller either by passing - [Service Principal credentials as environment variables](https://github.com/mozilla/sops#encrypting-using-azure-key-vault) - or with [add-pod-identity](https://github.com/Azure/aad-pod-identity). +### AWS/Azure/GCP + +When using AWS/GCP KMS, you'll have to bind an IAM Role with access to the KMS +keys to the `default` service account of the `flux-system` namespace for +kustomize-controller to be able to fetch keys from KMS. + +AWS IAM Role example: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:DescribeKey" + ], + "Effect": "Allow", + "Resource": "arn:aws:kms:eu-west-1:XXXXX209540:key/4f581f5b-7f78-45e9-a543-83a7022e8105" + } + ] +} +``` + +When using Azure Key Vault you need to authenticate the kustomize controller either by passing +[Service Principal credentials as environment variables](https://github.com/mozilla/sops#encrypting-using-azure-key-vault) +or with [add-pod-identity](https://github.com/Azure/aad-pod-identity). ## GitOps workflow
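Review bot: the policy in the "AWS IAM Role example" grants far more than the controller needs for the use the surrounding text describes (fetching keys to decrypt secrets); `kms:Encrypt`, `kms:ReEncrypt*` and `kms:GenerateDataKey*` are not required for decryption, and the removed hint had scoped this to "read access". Suggest trimming the `Action` list to `"kms:Decrypt"` and `"kms:DescribeKey"` so the documented role follows least privilege. Two smaller points in the same hunk: the `Resource` ARN uses a half-masked account id (`XXXXX209540`), which is easy to mistake for a real one, so a fully placeholder value such as `123456789012` would be clearer; and the link text `add-pod-identity` does not match its target repository name `aad-pod-identity`, a typo carried over from the removed hint.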