Skip to content

Fix regression in STS endpoint for SOPS decryption with AWS KMS in US Gov partition #1478

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 3, 2025
Merged

Fix regression in STS endpoint for SOPS decryption with AWS KMS in US Gov partition #1478

merged 1 commit into from
Jul 3, 2025

Conversation

@matheuscscp
Copy link
Member

@matheuscscp matheuscscp commented Jul 3, 2025

Fixes #1477

In kustomize-controller 1.6.0 a new logic was introduced for getting the AWS region from the KMS key ARN that did not account for the aws-us-gov and aws-cn ARN partitions. This logic would produce errors like the one below, where arn is mistakenly used as the region extracted by GetRegionFromKMSARN() in the STS endpoint:

STS: AssumeRoleWithWebIdentity, https response error\n   StatusCode: 0, RequestID:
, request send failed, Post\n \"https://sts.arn.amazonaws.com/\": dial tcp:
lookupts.arn.amazonaws.com on 10.100.0.10:53: no such host

The endpoint comes out as https://sts.arn.amazonaws.com/, when it should be something like https://sts.us-gov-west-1.amazonaws.com/.

This PR fixes the issue by using the same regex that SOPS uses for extracting the region.

@matheuscscp matheuscscp added bug Something isn't working backport:release/v1.6.x To be backported to release/v1.6.x labels Jul 3, 2025
@matheuscscp matheuscscp changed the title Fix regression in STS endpoint for SOPS decryption with AWS KMS Fix regression in STS endpoint for SOPS decryption with AWS KMS in US Gov partition Jul 3, 2025
stealthybox
stealthybox approved these changes Jul 3, 2025
View reviewed changes
Copy link
Member

@stealthybox stealthybox left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Commented some nits, but overall LGTM

internal/sops/awskms/region.go
//
// ref:
// https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html
const arnPattern = `^arn:aws[\w-]*:kms:(.+):[0-9]+:(key|alias)/.+$`
Copy link
Member

@stealthybox stealthybox Jul 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

matching KMS as a service name here also validates the ARN

Partition name is enforced to have an aws* prefix which supports all of the current documented partitions

Notably, we could get the region with SplitN : 4, but matching the sops behavior also makes sense

Copy link
Member Author

@matheuscscp matheuscscp Jul 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah for this fix I'd like to just match SOPS, we can rethink this down the line

@matheuscscp matheuscscp merged commit a342d00 into main Jul 3, 2025
5 checks passed
@matheuscscp matheuscscp deleted the fix-1477 branch July 3, 2025 16:53
@fluxcdbot
Copy link
Member

fluxcdbot commented Jul 3, 2025

Successfully created backport PR for release/v1.6.x:

@fluxcdbot fluxcdbot mentioned this pull request Jul 3, 2025
Merged
@matheuscscp matheuscscp mentioned this pull request Jul 3, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@stealthybox stealthybox stealthybox approved these changes

Assignees

No one assigned

Labels

backport:release/v1.6.x To be backported to release/v1.6.x bug Something isn't working

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Wrong STS endpoint for US Gov AWS regions in kustomize-controller 1.6.0

4 participants

@matheuscscp @fluxcdbot @stealthybox