This is a preview of a Pull Request for SOPS documentation. The documentation for the latest SOPS release can be found on getsops.io.
STACKIT KMS
You can use STACKIT’s KMS to encrypt data.
Encrypting using STACKIT KMS
The STACKIT KMS integration uses the STACKIT SDK for Go default credential provider chain which tries several authentication methods, in this order:
- Static token or key flow credentials
- Environment variable STACKIT_SERVICE_ACCOUNT_TOKEN
- Credentials file at ~/.stackit/credentials.json
- Token flow via service account key
For more details, see the STACKIT KMS documentation.
STACKIT KMS uses a resource ID in the format
projects/<projectId>/regions/<regionId>/keyRings/<keyRingId>/keys/<keyId>/versions/<versionNumber>.
You can list your KMS keys using the STACKIT CLI:
stackit kms key-ring list --project-id PROJECT_ID --region eu01
stackit kms key list --project-id PROJECT_ID --region eu01 --key-ring-id KEYRING_ID
stackit kms key version list --project-id PROJECT_ID --region eu01 --key-ring-id KEYRING_ID --key-id KEY_ID
Now you can encrypt a file using:
$ sops encrypt --stackit-kms projects/my-project-id/regions/eu01/keyRings/aaaaaaaa-1111-2222-3333-bbbbbbbbbbbb/keys/cccccccc-4444-5555-6666-dddddddddddd/versions/1 test.yaml > test.enc.yaml
Or using the environment variable:
$ export SOPS_STACKIT_KMS_IDS="projects/my-project-id/regions/eu01/keyRings/aaaaaaaa-1111-2222-3333-bbbbbbbbbbbb/keys/cccccccc-4444-5555-6666-dddddddddddd/versions/1"
$ sops encrypt test.yaml > test.enc.yaml
And decrypt it using:
$ sops decrypt test.enc.yaml
You can also configure STACKIT KMS keys in the .sops.yaml config file:
creation_rules:
  - path_regex: \.stackit\.yaml$
    stackit_kms: projects/my-project-id/regions/eu01/keyRings/aaaaaaaa-1111-2222-3333-bbbbbbbbbbbb/keys/cccccccc-4444-5555-6666-dddddddddddd/versions/1
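As an added example (not part of SOPS or the STACKIT SDK), the following Python validates a STACKIT KMS resource ID against the format documented above before it is written into a .sops.yaml creation rule, so a malformed ID fails at configuration time instead of at the first encrypt. The UUID shape for key ring and key IDs, the region pattern and the positive-integer version are assumptions about STACKIT's identifiers, not stated on this page.

```python
import re
from dataclasses import dataclass

# Documented format:
# projects/<projectId>/regions/<regionId>/keyRings/<keyRingId>/keys/<keyId>/versions/<versionNumber>
# Assumption: key ring and key IDs are UUIDs, regions look like "eu01", versions start at 1.
_UUID = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
_RESOURCE_ID = re.compile(
    r"projects/(?P<project>[^/]+)"
    r"/regions/(?P<region>[a-z0-9-]+)"
    rf"/keyRings/(?P<key_ring>{_UUID})"
    rf"/keys/(?P<key>{_UUID})"
    r"/versions/(?P<version>[1-9][0-9]*)"
)


@dataclass(frozen=True)
class StackitKmsKey:
    project: str
    region: str
    key_ring: str
    key: str
    version: int


def parse_resource_id(resource_id: str) -> StackitKmsKey:
    """Split a STACKIT KMS key-version resource ID into its parts; raise on anything else."""
    m = _RESOURCE_ID.fullmatch(resource_id.strip())
    if m is None:
        raise ValueError(f"not a STACKIT KMS key version resource ID: {resource_id!r}")
    return StackitKmsKey(m["project"], m["region"], m["key_ring"], m["key"], int(m["version"]))


def creation_rule(path_regex: str, resource_id: str) -> str:
    """Render a .sops.yaml creation_rules entry, validating the ID first."""
    parse_resource_id(resource_id)  # raises ValueError for a malformed ID
    return (
        "creation_rules:\n"
        f"  - path_regex: {path_regex}\n"
        f"    stackit_kms: {resource_id.strip()}\n"
    )


if __name__ == "__main__":
    # Constructed sample ID, matching the placeholder used in the docs above.
    sample = ("projects/my-project-id/regions/eu01/keyRings/aaaaaaaa-1111-2222-3333-bbbbbbbbbbbb"
              "/keys/cccccccc-4444-5555-6666-dddddddddddd/versions/1")
    print(creation_rule(r"\.stackit\.yaml$", sample))
```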