feat: add Alibaba Cloud (Aliyun) KMS provider #2148
Open
cnCloXie wants to merge 6 commits into getsops:main from
Implements the keys.MasterKey interface for Alibaba Cloud (Aliyun) KMS,
following the same patterns as hckms and gcpkms.
Key features:
- MasterKey with Encrypt/Decrypt via alibabacloud-go/kms-20160120/v3 SDK
- ARN format: acs:kms:{region}:{account-id}:key/{key-id} or alias/{name}
- Region is extracted automatically from the ARN
- Credential chain: env vars (ALIBABA_CLOUD_ACCESS_KEY_ID / SECRET) with
fallback to ~/.aliyun/config.json, supporting AK, StsToken and CloudSSO
profile modes (profile selected via ALIBABA_CLOUD_PROFILE env var)
- Unit tests covering ARN parsing, key construction, rotation, and serialization
I need to use Alibaba Cloud KMS to encrypt secrets managed by sops in my
infrastructure. This adds first-class support for the Aliyun KMS service,
consistent with the existing AWS KMS, GCP KMS and Azure Key Vault providers.
Signed-off-by: Clovis Xie <clovis.xie@lego.com>
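The ARN handling described above (the `acs:kms:{region}:{account-id}:key/{key-id}` and `alias/{name}` forms, with the region taken from the ARN instead of separate configuration) is the part of a KMS provider that sops metadata round-trips and that users get wrong most often. The following is an added example, not code from this PR or from sops: it parses and validates an ARN, rejects foreign ARN layouts such as AWS ones, and rebuilds the canonical string for serialization. The type and function names, and the assumption that the KMS API's `KeyId` parameter accepts `alias/{name}`, are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ARN holds the components of an Alibaba Cloud KMS key reference. Two resource
// forms are accepted:
//   acs:kms:{region}:{account-id}:key/{key-id}
//   acs:kms:{region}:{account-id}:alias/{name}
// The type and field names are this example's own, not the PR's.
type ARN struct {
	Region    string
	AccountID string
	IsAlias   bool   // true when the resource is alias/{name}
	Resource  string // key id or alias name without the "key/" or "alias/" prefix
}

// ErrInvalidARN is returned for anything that is not a well-formed acs:kms ARN.
var ErrInvalidARN = errors.New("invalid Alibaba Cloud KMS ARN")

// ParseARN validates the layout and pulls the region out of the ARN, which is
// why a user never has to configure the KMS region separately.
func ParseARN(s string) (ARN, error) {
	parts := strings.SplitN(s, ":", 5)
	if len(parts) != 5 || parts[0] != "acs" || parts[1] != "kms" {
		return ARN{}, fmt.Errorf("%w: %q must start with acs:kms:", ErrInvalidARN, s)
	}
	a := ARN{Region: parts[2], AccountID: parts[3]}
	if a.Region == "" || a.AccountID == "" {
		return ARN{}, fmt.Errorf("%w: %q is missing region or account id", ErrInvalidARN, s)
	}
	switch res := parts[4]; {
	case strings.HasPrefix(res, "key/"):
		a.Resource = strings.TrimPrefix(res, "key/")
	case strings.HasPrefix(res, "alias/"):
		a.IsAlias, a.Resource = true, strings.TrimPrefix(res, "alias/")
	default:
		return ARN{}, fmt.Errorf("%w: %q resource must be key/{key-id} or alias/{name}", ErrInvalidARN, s)
	}
	if a.Resource == "" {
		return ARN{}, fmt.Errorf("%w: %q has an empty key id or alias name", ErrInvalidARN, s)
	}
	return a, nil
}

// KeyID returns the value to hand to the KMS API as the key identifier: the bare
// key id, or "alias/{name}" (assumption: the API accepts aliases in that form).
func (a ARN) KeyID() string {
	if a.IsAlias {
		return "alias/" + a.Resource
	}
	return a.Resource
}

// String rebuilds the canonical ARN, so a key can be serialized into sops
// metadata and parsed back without loss.
func (a ARN) String() string {
	kind := "key/"
	if a.IsAlias {
		kind = "alias/"
	}
	return "acs:kms:" + a.Region + ":" + a.AccountID + ":" + kind + a.Resource
}

func main() {
	// Constructed sample inputs; the account id and key id are placeholders.
	for _, s := range []string{
		"acs:kms:cn-hangzhou:123456789012:key/11111111-2222-3333-4444-555555555555",
		"acs:kms:cn-shanghai:123456789012:alias/sops-prod",
		"arn:aws:kms:us-east-1:123456789012:key/abc", // AWS layout, must be rejected
	} {
		a, err := ParseARN(s)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("region=%s account=%s keyId=%s\n", a.Region, a.AccountID, a.KeyID())
	}
}
```

Splitting on at most five colons keeps any `/` inside an alias name intact, and the explicit `acs`/`kms` prefix check is what stops an AWS or Huawei ARN from being silently accepted into a key group for the wrong provider.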
Add AcsKmsKey and Key_AcsKmsKey types for local keyservice dispatch, implementing the isKey_KeyType() interface without modifying the protobuf-generated file. The local client handles encrypt/decrypt for *acskms.MasterKey directly, consistent with how other KMS providers work.

Also adds encryptWithAcsKms/decryptWithAcsKms helpers in server.go and a case in KeyFromMasterKey for *acskms.MasterKey.

Signed-off-by: Clovis Xie <clovis.xie@lego.com>
stores/stores.go:
- Add acskmskey struct with arn/created_at/enc fields
- Add ACSKMSKeys field to Metadata and keygroup structs
- Add acskmsKeysFromGroup() and toInternal() serialization helpers
- Handle acs_kms keys in internalGroupFrom()

config/config.go:
- Add acs_kms creation rule field parsed from .sops.yaml
- Add GetACSKMSKeys() to return MasterKeys for a creationRule
- Wire into extractMasterKeys() and getKeyGroupsFromCreationRule()

Signed-off-by: Clovis Xie <clovis.xie@lego.com>
Add three new flags alongside the existing --hc-vault-transit / --gcp-kms flags pattern:
- --acs-kms: comma-separated list of Alibaba Cloud KMS ARNs (encrypt/edit)
- --add-acs-kms: add KMS ARNs to an existing encrypted file
- --rm-acs-kms: remove KMS ARNs from an existing encrypted file

Wire into getMasterKeys() and keyGroups() to build the proper MasterKey slice.

Signed-off-by: Clovis Xie <clovis.xie@lego.com>
Required by the new acskms provider package.

Signed-off-by: Clovis Xie <clovis.xie@lego.com>
Document the new acs_kms provider including:
- Supported credential methods and resolution order
- KMS key ARN format
- Encrypt/decrypt usage examples
- .sops.yaml configuration example
- Updated 'Adding and removing keys' section to mention --acs-kms flag

Signed-off-by: Clovis Xie <clovis.xie@lego.com>
Summary
Thank you for building and maintaining sops — it has become an essential tool in our infrastructure for managing secrets safely alongside GitOps workflows.
Motivation
We use sops extensively to encrypt Kubernetes secrets and configuration files committed to Git. Our infrastructure runs on Alibaba Cloud (Aliyun), and we use Alibaba Cloud KMS to manage encryption keys. While sops already supports AWS KMS, GCP KMS, Azure Key Vault, and HuaweiCloud KMS, there is currently no native support for Alibaba Cloud KMS. This gap means teams on Alibaba Cloud either have to maintain a custom fork or fall back to less integrated solutions.
This PR adds a first-class `acs_kms` provider so that Alibaba Cloud users can use sops the same way as other cloud KMS users.
What this PR does
- New `acskms` package implementing the `keys.MasterKey` interface for Alibaba Cloud KMS
- Supports the ARN forms `acs:kms:{region}:{account-id}:key/{key-id}` and `alias/{name}`
- Credentials from `ALIBABA_CLOUD_ACCESS_KEY_ID` / `ALIBABA_CLOUD_ACCESS_KEY_SECRET` (with optional `ALIBABA_CLOUD_ACCESS_KEY_STS_TOKEN`)
- Fallback to the Alibaba Cloud CLI config (`~/.aliyun/config.json`), supporting `AK`, `StsToken`, and `CloudSSO` profile types, selected via the `ALIBABA_CLOUD_PROFILE` env var
- Wired into the `stores`, `config`, and `keyservice` layers
- `--acs-kms`, `--add-acs-kms`, `--rm-acs-kms` CLI flags
- `acs_kms` support in `.sops.yaml` creation rules
Notes for maintainers
- New dependency: `github.com/alibabacloud-go/kms-20160120/v3`
- `keyservice.proto` is left unchanged by defining `AcsKmsKey` and `Key_AcsKmsKey` as plain Go types in the same package implementing the unexported `isKey_KeyType()` interface (consistent with the approach used for other non-proto providers). If you prefer a proper proto change, happy to update.
Related
This fills the same role as `--gcp-kms`, `--azure-kv`, and `--hckms` for Alibaba Cloud users.
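The credential resolution order this PR describes (environment variables first, then a profile from `~/.aliyun/config.json` chosen by `ALIBABA_CLOUD_PROFILE`) is worth seeing as code, because the failure modes (half-set environment, missing profile, a profile mode the caller cannot handle) decide whether sops fails loudly or encrypts under the wrong identity. The following is an added example, not code from this PR or from sops. It handles the `AK` and `StsToken` profile modes and refuses `CloudSSO` explicitly rather than guessing; the JSON field names it reads (`current`, `profiles`, `name`, `mode`, `access_key_id`, `access_key_secret`, `sts_token`) are an assumption about the Alibaba Cloud CLI's config layout, and all Go identifiers are the example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
)

// Credentials is the resolved credential set that would be handed to the KMS client.
type Credentials struct {
	AccessKeyID     string
	AccessKeySecret string
	SecurityToken   string // empty for a plain access key
	Source          string // "env" or "profile:<name>", for diagnostics only
}

// aliyunConfig mirrors the parts of ~/.aliyun/config.json this example reads.
// Field names are an assumption about the Alibaba Cloud CLI layout, not from the PR.
type aliyunConfig struct {
	Current  string          `json:"current"`
	Profiles []aliyunProfile `json:"profiles"`
}

type aliyunProfile struct {
	Name            string `json:"name"`
	Mode            string `json:"mode"` // "AK", "StsToken", "CloudSSO", ...
	AccessKeyID     string `json:"access_key_id"`
	AccessKeySecret string `json:"access_key_secret"`
	StsToken        string `json:"sts_token"`
}

// DefaultConfigPath is ~/.aliyun/config.json, the fallback location named in the PR.
func DefaultConfigPath() (string, error) {
	home, err := os.UserHomeDir()
	if err != nil {
		return "", err
	}
	return filepath.Join(home, ".aliyun", "config.json"), nil
}

// ResolveCredentials applies the order from the PR: environment first, then the
// config file. getenv is injected so the chain can be exercised without touching
// the real environment. Both env variables must be set for the env branch to win;
// a half-set pair falls through to the file rather than producing an empty secret.
func ResolveCredentials(getenv func(string) string, configPath string) (Credentials, error) {
	id, secret := getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"), getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET")
	if id != "" && secret != "" {
		return Credentials{id, secret, getenv("ALIBABA_CLOUD_ACCESS_KEY_STS_TOKEN"), "env"}, nil
	}
	raw, err := os.ReadFile(configPath)
	if err != nil {
		return Credentials{}, fmt.Errorf("no credentials in environment and cannot read %s: %w", configPath, err)
	}
	var cfg aliyunConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return Credentials{}, fmt.Errorf("parsing %s: %w", configPath, err)
	}
	want := getenv("ALIBABA_CLOUD_PROFILE")
	if want == "" {
		want = cfg.Current
	}
	for _, p := range cfg.Profiles {
		if p.Name != want {
			continue
		}
		src := "profile:" + p.Name
		switch p.Mode {
		case "AK":
			if p.AccessKeyID == "" || p.AccessKeySecret == "" {
				return Credentials{}, fmt.Errorf("profile %q (mode AK) is missing access key id or secret", p.Name)
			}
			return Credentials{p.AccessKeyID, p.AccessKeySecret, "", src}, nil
		case "StsToken":
			if p.AccessKeyID == "" || p.AccessKeySecret == "" || p.StsToken == "" {
				return Credentials{}, fmt.Errorf("profile %q (mode StsToken) is missing key, secret or token", p.Name)
			}
			return Credentials{p.AccessKeyID, p.AccessKeySecret, p.StsToken, src}, nil
		default:
			// The PR also supports CloudSSO; this example deliberately stops here
			// instead of guessing how that mode stores its credentials.
			return Credentials{}, fmt.Errorf("profile %q has mode %q, which this example does not handle", p.Name, p.Mode)
		}
	}
	return Credentials{}, fmt.Errorf("profile %q not found in %s", want, configPath)
}

func main() {
	path, err := DefaultConfigPath()
	if err == nil {
		var c Credentials
		if c, err = ResolveCredentials(os.Getenv, path); err == nil {
			fmt.Println("credentials resolved from", c.Source)
		}
	}
	if err != nil {
		fmt.Println("error:", err)
	}
}
```

Failing on an unknown profile mode, rather than returning an empty key pair, is the property to keep: an empty secret still produces a client object, and the error then surfaces much later as an opaque KMS authentication failure during `sops -e`.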