The Azure Key Vault integration tries several authentication methods, in this order:
Client credentials
Client certificate
Username and password
MSI (Managed Service Identity)
Azure CLI auth
You can force a specific authentication method through the AZURE_AUTH_METHOD environment variable, which may be one of: clientcredentials, clientcertificate, usernamepassword, msi, or cli (default).
For example, you can use service principals with the following environment variables:
AZURE_TENANT_ID
AZURE_CLIENT_ID
AZURE_CLIENT_SECRET
You can create a service principal using the CLI like this:
$ az ad sp create-for-rbac -n my-keyvault-sp
{
"appId": "<some-uuid>",
"displayName": "my-keyvault-sp",
"name": "http://my-keyvault-sp",
"password": "<some-uuid>",
"tenant": "<tenant-id>"
}
The appId is the client id (AZURE_CLIENT_ID), the password is the client secret (AZURE_CLIENT_SECRET) and tenant is the tenant id (AZURE_TENANT_ID). The password is shown only once, so put it in your secret store straight away rather than in shell history or a dotfile. Depending on the CLI version, create-for-rbac may also assign the new principal a role at subscription scope; check with az role assignment list --assignee <appId> and remove anything broader than the Key Vault permissions granted below.
Encrypting/decrypting with Azure Key Vault requires the resource identifier for a key. This has the following form:
https://${VAULT_URL}/keys/${KEY_NAME}/${KEY_VERSION}
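As an added example, not part of the sops README or the sops code base: a small bash helper that checks a string against the identifier form above before it goes on a sops command line, and splits it into the vault URL, key name and key version. The VAULT_SUFFIX variable, the function name and the demo identifier are assumptions made for this example; the version string in the demo is made up, and the public-cloud suffix vault.azure.net is assumed (sovereign clouds use a different one).

```shell
#!/usr/bin/env bash
# Added example, not part of the sops project: validate an Azure Key Vault
# key identifier of the form
#   https://<vault>.vault.azure.net/keys/<key-name>/<key-version>
# before passing it to `sops --azure-kv`, and split it into its parts.
# Assumption: the public-cloud DNS suffix; set VAULT_SUFFIX for other clouds.

VAULT_SUFFIX="${VAULT_SUFFIX:-vault.azure.net}"

# parse_kv_key_id ID
# On success prints "<vault-url> <key-name> <key-version>" and returns 0.
# On a malformed identifier prints the reason to stderr and returns 1.
parse_kv_key_id() {
    local id="$1" rest host path name version

    case "$id" in
        https://*) rest="${id#https://}" ;;
        *) echo "parse_kv_key_id: '$id' must start with https://" >&2; return 1 ;;
    esac

    host="${rest%%/*}"                # everything up to the first slash
    case "$host" in
        ?*."$VAULT_SUFFIX") ;;        # <vault>.vault.azure.net, nothing else
        *) echo "parse_kv_key_id: host '$host' is not a *.$VAULT_SUFFIX vault" >&2; return 1 ;;
    esac

    # The remainder must be exactly /keys/<name>/<version>: refuse a missing
    # version, empty segments, a different collection (e.g. /secrets/) or
    # anything trailing after the version.
    path="${rest#"$host"}"            # "/keys/<name>/<version>" or ""
    case "$path" in
        /keys/*/*) path="${path#/keys/}" ;;
        *) echo "parse_kv_key_id: expected /keys/<name>/<version> after the vault host" >&2; return 1 ;;
    esac
    name="${path%%/*}"
    version="${path#*/}"
    if [ -z "$name" ] || [ -z "$version" ]; then
        echo "parse_kv_key_id: key name and version must not be empty" >&2; return 1
    fi
    case "$version" in
        */*) echo "parse_kv_key_id: unexpected path after the key version" >&2; return 1 ;;
    esac

    printf '%s %s %s\n' "https://$host" "$name" "$version"
}

# Demo on a constructed identifier (the version string is made up), followed
# by one that must be rejected because it is not https.
parse_kv_key_id "https://sops.vault.azure.net/keys/sops-key/1a2b3c4d5e6f"
parse_kv_key_id "http://sops.vault.azure.net/keys/sops-key/1a2b3c4d5e6f" || echo "rejected as expected"
```

Run it on the value printed by az keyvault key show --query key.kid -o tsv; a non-zero exit means the string is not something sops --azure-kv should be given, and the printed vault URL is the value to compare against the vault you actually granted the service principal access to.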
To create a Key Vault and assign your service principal permissions on it from the command line:
$ az group create --name sops-rg --location westeurope
$ keyvault_name=sops-$(uuidgen | tr -d - | head -c 16)
$ az keyvault create --name $keyvault_name --resource-group sops-rg --location westeurope
$ az keyvault key create --name sops-key --vault-name $keyvault_name --protection software --ops encrypt decrypt
$ az keyvault set-policy --name $keyvault_name --resource-group sops-rg --spn $AZURE_CLIENT_ID --key-permissions encrypt decrypt
$ az keyvault key show --name sops-key --vault-name $keyvault_name --query key.kid -o tsv
https://sops.vault.azure.net/keys/sops-key/some-string
encrypt and decrypt are the only key permissions sops needs for this flow, so keep the access policy to those two. The identifier printed by the last command (with your vault's name in place of sops) is what you pass to sops. Now you can encrypt a file using:
$ sops --encrypt --azure-kv https://sops.vault.azure.net/keys/sops-key/some-string test.yaml > test.enc.yaml
And decrypt it using:
$ sops --decrypt test.enc.yaml
sops records the key identifier in the encrypted file's metadata, so decryption takes no --azure-kv flag; it only needs credentials that the policy above allows to decrypt with that key.