Open
Description
I have a KMS key set up with an alias, and a policy that requires an encryption context. Using 3.11.0, I'm unable to encrypt a fresh file:
```
❯ sops --verbose -i -e --encryption-context AppName:vantage values.encrypted.yaml
[AWSKMS] INFO[0000] Encryption failed arn="arn:aws:kms:eu-west-2:123412341234:alias/shearn89-sandbox-myapp-sops"
Could not generate data key: [failed to encrypt new data key with master key "arn:aws:kms:eu-west-2:123412341234:alias/shearn89-sandbox-myapp-sops": failed to encrypt sops data key with AWS KMS: operation error KMS: Encrypt, https response error StatusCode: 400, RequestID: guid, api error AccessDeniedException: User: arn:aws:iam::123412341234:user/alex.shearn is not authorized to perform: kms:Encrypt on resource: arn:aws:kms:eu-west-2:123412341234:key/key-guid with an explicit deny in a resource-based policy]
```
If I remove the context statement, it works. If I downgrade to 3.10.2, it also works...
Policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Delegate access to IAM",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123412341234:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Explicitly require encryption context for enc/decrypt operations, overriding IAM",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:Encrypt",
        "kms:Decrypt"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "kms:EncryptionContext:AppName": "myapp"
        }
      }
    }
  ]
}
```
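The policy above enforces the context with an explicit Deny whose `StringNotEquals` condition overrides the broad `kms:*` Allow, so an `Encrypt` or `Decrypt` call is denied whenever the request's encryption context does not carry exactly `AppName=myapp` (the comparison is case-sensitive, and a request that omits the key also matches the negated operator and is denied). Before blaming the client, it is worth checking offline that the `--encryption-context` you pass to sops satisfies the key policy. The following script is an added example and not part of sops or of the report; it embeds the posted policy as a constructed sample, parses the comma-separated `Key:Value` list sops accepts for `--encryption-context`, and reports why the Deny would fire. It only understands the `StringNotEquals` on `kms:EncryptionContext:<Key>` pattern used here, not the full IAM condition language.

```python
"""Check a sops --encryption-context value against a KMS key policy that
requires an encryption context via Deny + StringNotEquals.

Added example (not sops project code). KEY_POLICY is constructed from the
policy posted in the issue; the context strings in demo() are made up.
"""
import json

# Constructed sample: the key policy from the report, verbatim.
KEY_POLICY = json.loads(r'''
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Delegate access to IAM", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123412341234:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "Explicitly require encryption context for enc/decrypt operations, overriding IAM",
     "Effect": "Deny", "Principal": {"AWS": "*"},
     "Action": ["kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Encrypt", "kms:Decrypt"],
     "Resource": "*",
     "Condition": {"StringNotEquals": {"kms:EncryptionContext:AppName": "myapp"}}}
  ]
}
''')

CTX_PREFIX = "kms:EncryptionContext:"


def required_context(policy: dict) -> dict:
    """Collect, from every Deny statement, the kms:EncryptionContext:<Key>
    keys constrained with StringNotEquals. Returns {key: set(allowed values)}.
    Only this Deny/StringNotEquals shape is modelled (assumption)."""
    required: dict = {}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        for ckey, values in cond.items():
            if not ckey.startswith(CTX_PREFIX):
                continue
            if isinstance(values, str):
                values = [values]
            required.setdefault(ckey[len(CTX_PREFIX):], set()).update(values)
    return required


def parse_sops_context(arg: str) -> dict:
    """Parse the Key:Value[,Key:Value...] form sops takes for --encryption-context."""
    ctx: dict = {}
    if not arg.strip():
        return ctx
    for pair in arg.split(","):
        key, sep, value = pair.partition(":")
        if not sep or not key.strip():
            raise ValueError(f"malformed encryption context pair: {pair!r}")
        ctx[key.strip()] = value.strip()
    return ctx


def evaluate(policy: dict, ctx: dict) -> list:
    """Return the reasons the explicit Deny would match; empty list means the
    context satisfies every required key. Values are compared case-sensitively,
    and an absent key counts as a match for the negated operator (a deny)."""
    problems = []
    for key, allowed in sorted(required_context(policy).items()):
        if key not in ctx:
            problems.append(f"context key {key!r} is absent; StringNotEquals matches, request denied")
        elif ctx[key] not in allowed:
            problems.append(f"context {key}={ctx[key]!r} is not one of {sorted(allowed)}; request denied")
    return problems


def demo() -> None:
    # Made-up inputs covering the three outcomes a practitioner hits.
    for arg in ("AppName:myapp", "AppName:vantage", ""):
        verdict = evaluate(KEY_POLICY, parse_sops_context(arg))
        print(f"--encryption-context {arg!r}: {'OK' if not verdict else '; '.join(verdict)}")


if __name__ == "__main__":
    demo()
```

Run it with the real key policy (`aws kms get-key-policy --key-id <alias-or-id> --policy-name default --output text`) pasted in place of the constructed sample; an empty result from `evaluate` means the Deny statement is not what is rejecting the request, and the investigation can move on to what the client actually sent.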