v3.9.2 fails to decrypt with Azure KeyVault #1695

Open
@SlashDashAndCash

Description

Since v3.9.2 I'm unable to decrypt my data.

./sops-v3.9.2.linux.amd64 -d secrets.sops.yaml
Failed to get the data key required to decrypt the SOPS file.

Group 0: FAILED
  https://XXXXXXXXXXX.vault.azure.net/keys/sops/0123456789abcdef: FAILED
    - | failed to decrypt sops data key with Azure Key Vault key
      | 'https://XXXXXXXXXXX.vault.azure.net/keys/sops/0123456789abcdef':
      | DefaultAzureCredential: failed to acquire a token.
      | Attempted credentials:
      |         EnvironmentCredential: missing environment variable
      | AZURE_TENANT_ID
      |         WorkloadIdentityCredential: no client ID specified. Check
      | pod configuration or set ClientID in the options
      |         ManagedIdentityCredential: managed identity timed out. See
      | https://aka.ms/azsdk/go/identity/troubleshoot#dac for more
      | information
      |         AzureCLICredential isn't configured to acquire tokens for
      | tenant "ab1234cd-a1b2-c3d4-e5f6-ab1234cda1b2". To enable
      | acquiring tokens for this tenant add it to the
      | AdditionallyAllowedTenants on the credential options, or add
      | "*" to allow acquiring tokens for any tenant

Recovery failed because no master key was able to decrypt the file. In
order for SOPS to recover the file, at least one key has to be successful,
but none were.

v3.9.1 still works as expected.

./sops-v3.9.1.linux.amd64 -d secrets.sops.yaml
secrets:
...
