Allow aws profile setting from metadata to be overridden.

When decrypting, sops uses the AWS profile setting stored
in the encrypted file metadata. This is a problem as the
profile can change from user to user.

This change will allow the AWS profile setting to be overridden
by the '--aws-profile' flag and the AWS_PROFILE environment
variable, in that order of precedence. The metadata value is
used as a last resort only.

Author: Leandro Martelli

cmd/sops/common/common.go

@@ -230,6 +230,7 @@ type GenericDecryptOpts struct {
 	IgnoreMAC       bool
 	KeyServices     []keyservice.KeyServiceClient
 	DecryptionOrder []string
+	UseAwsProfile   string
 }
 
 // LoadEncryptedFileWithBugFixes is a wrapper around LoadEncryptedFile which includes
@@ -251,6 +252,22 @@ func LoadEncryptedFileWithBugFixes(opts GenericDecryptOpts) (*sops.Tree, error)
 		}
 	}
 
+	awsProfile := os.Getenv("AWS_PROFILE")
+	if opts.UseAwsProfile != "" {
+		awsProfile = opts.UseAwsProfile
+	}
+
+	if awsProfile != "" {
+		for _, keyGroup := range tree.Metadata.KeyGroups {
+			for _, masterKey := range keyGroup {
+				kmsMasterKey, ok := (masterKey).(*kms.MasterKey)
+				if ok {
+					kmsMasterKey.AwsProfile = awsProfile
+				}
+			}
+		}
+	}
+
 	return tree, nil
 }
 

cmd/sops/decrypt.go

@@ -23,15 +23,17 @@ type decryptOpts struct {
 	Extract         []interface{}
 	KeyServices     []keyservice.KeyServiceClient
 	DecryptionOrder []string
+	UseAwsProfile   string
 }
 
 func decryptTree(opts decryptOpts) (tree *sops.Tree, err error) {
 	tree, err = common.LoadEncryptedFileWithBugFixes(common.GenericDecryptOpts{
-		Cipher:      opts.Cipher,
-		InputStore:  opts.InputStore,
-		InputPath:   opts.InputPath,
-		IgnoreMAC:   opts.IgnoreMAC,
-		KeyServices: opts.KeyServices,
+		Cipher:        opts.Cipher,
+		InputStore:    opts.InputStore,
+		InputPath:     opts.InputPath,
+		IgnoreMAC:     opts.IgnoreMAC,
+		KeyServices:   opts.KeyServices,
+		UseAwsProfile: opts.UseAwsProfile,
 	})
 	if err != nil {
 		return nil, err

cmd/sops/main.go

@@ -743,6 +743,10 @@ func main() {
 					Usage:  "comma separated list of decryption key types",
 					EnvVar: "SOPS_DECRYPTION_ORDER",
 				},
+				cli.StringFlag{
+					Name:  "aws-profile",
+					Usage: "The AWS profile to use for requests to AWS",
+				},
 			}, keyserviceFlags...),
 			Action: func(c *cli.Context) error {
 				if c.Bool("verbose") {
@@ -796,6 +800,7 @@ func main() {
 					KeyServices:     svcs,
 					DecryptionOrder: order,
 					IgnoreMAC:       c.Bool("ignore-mac"),
+					UseAwsProfile:   c.String("aws-profile"),
 				})
 				if err != nil {
 					return toExitError(err)