Add YC KMS provider support

cmd/sops/main.go

@@ -42,6 +42,7 @@ import (
 	"github.com/getsops/sops/v3/stores/dotenv"
 	"github.com/getsops/sops/v3/stores/json"
 	"github.com/getsops/sops/v3/version"
+	"github.com/getsops/sops/v3/yckms"
 )
 
 var log *logrus.Logger
@@ -505,6 +506,10 @@ func main() {
 							Name:  "gcp-kms",
 							Usage: "the GCP KMS Resource ID the new group should contain. Can be specified more than once",
 						},
+						cli.StringSliceFlag{
+							Name:  "yc-kms",
+							Usage: "the YC KMS Key ID the new group should contain. Can be specified more than once",
+						},
 						cli.StringSliceFlag{
 							Name:  "azure-kv",
 							Usage: "the Azure Key Vault key URL the new group should contain. Can be specified more than once",
@@ -534,6 +539,7 @@ func main() {
 						pgpFps := c.StringSlice("pgp")
 						kmsArns := c.StringSlice("kms")
 						gcpKmses := c.StringSlice("gcp-kms")
+						ycKmses := c.StringSlice("yc-kms")
 						vaultURIs := c.StringSlice("hc-vault-transit")
 						azkvs := c.StringSlice("azure-kv")
 						ageRecipients := c.StringSlice("age")
@@ -550,6 +556,9 @@ func main() {
 						for _, kms := range gcpKmses {
 							group = append(group, gcpkms.NewMasterKeyFromResourceID(kms))
 						}
+						for _, kms := range ycKmses {
+							group = append(group, yckms.NewMasterKeyFromKeyID(kms))
+						}
 						for _, uri := range vaultURIs {
 							k, err := hcvault.NewMasterKeyFromURI(uri)
 							if err != nil {
@@ -2177,6 +2186,7 @@ func keyGroups(c *cli.Context, file string) ([]sops.KeyGroup, error) {
 	var kmsKeys []keys.MasterKey
 	var pgpKeys []keys.MasterKey
 	var cloudKmsKeys []keys.MasterKey
+	var ycKmsKeys []keys.MasterKey
 	var azkvKeys []keys.MasterKey
 	var hcVaultMkKeys []keys.MasterKey
 	var ageMasterKeys []keys.MasterKey
@@ -2194,6 +2204,11 @@ func keyGroups(c *cli.Context, file string) ([]sops.KeyGroup, error) {
 			cloudKmsKeys = append(cloudKmsKeys, k)
 		}
 	}
+	if c.String("yc-kms") != "" {
+		for _, k := range yckms.NewMasterKeyFromKeyIDString(c.String("yc-kms")) {
+			ycKmsKeys = append(ycKmsKeys, k)
+		}
+	}
 	if c.String("azure-kv") != "" {
 		azureKeys, err := azkv.MasterKeysFromURLs(c.String("azure-kv"))
 		if err != nil {

config/config.go

@@ -19,6 +19,7 @@ import (
 	"github.com/getsops/sops/v3/kms"
 	"github.com/getsops/sops/v3/pgp"
 	"github.com/getsops/sops/v3/publish"
+	"github.com/getsops/sops/v3/yckms"
 	"gopkg.in/yaml.v3"
 )
 
@@ -89,6 +90,7 @@ type keyGroup struct {
 	Merge   []keyGroup
 	KMS     []kmsKey
 	GCPKMS  []gcpKmsKey  `yaml:"gcp_kms"`
+	YCKMS   []ycKmsKey   `yaml:"yc_kms"`
 	AzureKV []azureKVKey `yaml:"azure_keyvault"`
 	Vault   []string     `yaml:"hc_vault"`
 	Age     []string     `yaml:"age"`
@@ -99,6 +101,10 @@ type gcpKmsKey struct {
 	ResourceID string `yaml:"resource_id"`
 }
 
+type ycKmsKey struct {
+	KeyID string `yaml:"key_id"`
+}
+
 type kmsKey struct {
 	Arn        string             `yaml:"arn"`
 	Role       string             `yaml:"role,omitempty"`
@@ -133,6 +139,7 @@ type creationRule struct {
 	Age                     string `yaml:"age"`
 	PGP                     string
 	GCPKMS                  string     `yaml:"gcp_kms"`
+	YCKMS                   string     `yaml:"yc_kms"`
 	AzureKeyVault           string     `yaml:"azure_keyvault"`
 	VaultURI                string     `yaml:"hc_vault_transit_uri"`
 	KeyGroups               []keyGroup `yaml:"key_groups"`
@@ -223,7 +230,10 @@ func extractMasterKeys(group keyGroup) (sops.KeyGroup, error) {
 	for _, k := range group.GCPKMS {
 		keyGroup = append(keyGroup, gcpkms.NewMasterKeyFromResourceID(k.ResourceID))
 	}
-	for _, k := range group.AzureKV {
+	for _, k := range group.YCKMS {
+				keyGroup = append(keyGroup, yckms.NewMasterKeyFromKeyID(k.KeyID))
+			}
+			for _, k := range group.AzureKV {
 		keyGroup = append(keyGroup, azkv.NewMasterKey(k.VaultURL, k.Key, k.Version))
 	}
 	for _, k := range group.Vault {
@@ -267,6 +277,9 @@ func getKeyGroupsFromCreationRule(cRule *creationRule, kmsEncryptionContext map[
 		for _, k := range gcpkms.MasterKeysFromResourceIDString(cRule.GCPKMS) {
 			keyGroup = append(keyGroup, k)
 		}
+		for _, k := range yckms.NewMasterKeyFromKeyIDString(cRule.YCKMS) {
+			keyGroup = append(keyGroup, k)
+		}
 		azureKeys, err := azkv.MasterKeysFromURLs(cRule.AzureKeyVault)
 		if err != nil {
 			return nil, err

go.mod

@@ -1,6 +1,6 @@
 module github.com/getsops/sops/v3
 
-go 1.22
+go 1.22.7
 
 toolchain go1.22.9
 
@@ -35,6 +35,8 @@ require (
 	github.com/sirupsen/logrus v1.9.3
 	github.com/stretchr/testify v1.10.0
 	github.com/urfave/cli v1.22.16
+	github.com/yandex-cloud/go-genproto v0.0.0-20241220122821-aeb3b05efd1c
+	github.com/yandex-cloud/go-sdk v0.0.0-20241220131134-2393e243c134
 	golang.org/x/net v0.33.0
 	golang.org/x/sys v0.28.0
 	golang.org/x/term v0.27.0
@@ -93,11 +95,13 @@ require (
 	github.com/envoyproxy/go-control-plane v0.13.1 // indirect
 	github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/ghodss/yaml v1.0.0 // indirect
 	github.com/go-jose/go-jose/v4 v4.0.4 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
 	github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 	github.com/google/s2a-go v0.1.8 // indirect