
Sops does not work with GCP, I get a timeout.

Open spidemen2 opened this issue 1 year ago • 3 comments

| failed to decrypt sops data key with GCP KMS key: context | deadline exceeded

I did log in to GCP and still cannot make it work.

It always times out, with or without a VPN.

spidemen2 avatar Jul 31 '24 03:07 spidemen2

Seeing this as well, on sops 3.9.1 with GCP KMS. Curiously, in our case, disabling the VPN (Tailscale) makes sops succeed. 3.9.0 works in both cases.

example output:

➜ sops --verbose -d test.enc.yaml   
[GCPKMS]         INFO[0060] Decryption failed                             resourceID=[redacted]
Failed to get the data key required to decrypt the SOPS file.

Group 0: FAILED
  [redacted]: FAILED
    - | failed to decrypt sops data key with GCP KMS key: context
      | deadline exceeded

Recovery failed because no master key was able to decrypt the file. In
order for SOPS to recover the file, at least one key has to be successful,
but none were.

joshbrand avatar Nov 06 '24 20:11 joshbrand

I also ran into the same behavior with a GCP KMS key. Seems a bit odd that a VPN changes the way sops works?

smelchior avatar Nov 22 '24 10:11 smelchior

Seems to be fixed with 3.9.2!

joshbrand avatar Dec 12 '24 18:12 joshbrand

I ran into this issue with SOPS 3.10.2. It took me a while to find out how to enable any sort of debugging output, but eventually these two did the trick.

export GRPC_GO_LOG_VERBOSITY_LEVEL=99   # verbosity: 99 enables all of grpc-go's internal logging
export GRPC_GO_LOG_SEVERITY_LEVEL=info  # severity: also emit info-level messages, not only errors

In my case, our corporate VPN isn't generating the ALPN X.509 extension. As suggested in https://github.com/grpc/grpc-go/issues/434 I've disabled the check to see what will happen.

export GRPC_ENFORCE_ALPN_ENABLED=false

And I ran into a cryptic error: "error reading server preface: http2: frame too large". As I've learnt from https://github.com/grpc/grpc-go/issues/6826, this means that I'm behind a transparent proxy that doesn't speak HTTP/2 which is a must-have for gRPC. Bummer. Hope this helps others pinpoint the problem with their VPNs.

I believe that fixing this in SOPS would require adding an option to use the REST API of Google Cloud KMS. While technically feasible, I doubt the maintainers would be happy about that.

HauserV avatar Jul 12 '25 22:07 HauserV
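The two failure modes described in the comment above (ALPN not negotiated, and "error reading server preface: http2: frame too large") can be checked without sops or gRPC at all. The following is an added example, not code from the sops project or from anyone in this thread: it opens a TLS connection offering ALPN "h2", sends the HTTP/2 client preface, and interprets the first nine bytes of the reply as an HTTP/2 frame header, exactly the way an HTTP/2 framer does. A transparent proxy that answers with HTTP/1.1 text such as "HTTP/1.1 400 Bad Request" produces a 24-bit frame length built from the bytes 'H','T','T' (4,740,180), far above the 16384-byte limit, which is where the "frame too large" message comes from. The host name cloudkms.googleapis.com:443 is assumed to be the KMS endpoint the client dials, and the frame-size limit is the RFC 7540 initial SETTINGS_MAX_FRAME_SIZE; both are assumptions labelled in the code.

```python
"""Probe whether the path to Google Cloud KMS carries HTTP/2 end to end.

Added example, not part of the sops project or this issue thread.
Assumptions: cloudkms.googleapis.com:443 is the endpoint the KMS client dials;
16384 is the frame-size limit (RFC 7540 initial SETTINGS_MAX_FRAME_SIZE).
"""
import socket
import ssl
import sys

KMS_HOST = "cloudkms.googleapis.com"   # assumption: the gRPC endpoint for Cloud KMS
HTTP2_CLIENT_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"  # RFC 7540 section 3.5
FRAME_HEADER_LEN = 9                   # 24-bit length, 8-bit type, 8-bit flags, 32-bit stream id
FRAME_TYPE_SETTINGS = 0x4
MAX_FRAME_SIZE = 16384                 # RFC 7540 initial SETTINGS_MAX_FRAME_SIZE


def build_settings_frame() -> bytes:
    """An empty SETTINGS frame: length 0, type 4, flags 0, stream 0."""
    return (0).to_bytes(3, "big") + bytes([FRAME_TYPE_SETTINGS, 0]) + (0).to_bytes(4, "big")


def classify_preface(first_bytes: bytes):
    """Read the first bytes from the server as an HTTP/2 frame header.

    Returns (verdict, length, frame_type). An HTTP/2 server's first frame must
    be SETTINGS. A peer that answers with HTTP/1.1 text yields a bogus length
    above MAX_FRAME_SIZE: the "http2: frame too large" case.
    """
    if len(first_bytes) < FRAME_HEADER_LEN:
        return ("no_preface", None, None)      # closed or silent: the timeout case
    length = int.from_bytes(first_bytes[:3], "big")
    frame_type = first_bytes[3]
    if length > MAX_FRAME_SIZE:
        return ("frame_too_large", length, frame_type)
    if frame_type != FRAME_TYPE_SETTINGS:
        return ("wrong_frame_type", length, frame_type)
    return ("ok", length, frame_type)


def probe(host: str = KMS_HOST, port: int = 443, timeout: float = 10.0) -> dict:
    """Connect with TLS offering ALPN h2, send the client preface, inspect the reply."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["h2"])
    result = {"alpn": None, "verdict": None, "length": None, "frame_type": None, "head": b""}
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            # grpc-go refuses the connection when this is not "h2" unless
            # GRPC_ENFORCE_ALPN_ENABLED=false is set.
            result["alpn"] = tls.selected_alpn_protocol()
            tls.sendall(HTTP2_CLIENT_PREFACE + build_settings_frame())
            buf = b""
            try:
                while len(buf) < FRAME_HEADER_LEN:
                    chunk = tls.recv(FRAME_HEADER_LEN - len(buf))
                    if not chunk:
                        break
                    buf += chunk
            except socket.timeout:
                pass  # fall through: classified as "no_preface"
            result["verdict"], result["length"], result["frame_type"] = classify_preface(buf)
            result["head"] = buf
    return result


if __name__ == "__main__":
    r = probe(sys.argv[1] if len(sys.argv) > 1 else KMS_HOST)
    print(f"ALPN negotiated: {r['alpn']!r}")
    print(f"server preface: {r['verdict']} (length={r['length']}, "
          f"type={r['frame_type']}, head={r['head']!r})")
```

Run it from the same shell where sops times out, with and without the VPN. An ALPN value of None reproduces the check that GRPC_ENFORCE_ALPN_ENABLED=false skips; a "frame_too_large" verdict with a head that starts with "HTTP/1." confirms an interposed proxy that only speaks HTTP/1.x; a TLS certificate error means the proxy also intercepts TLS.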

This issue is a serious concern for us, so we have prepared the following. We hope it will be appropriately incorporated. https://github.com/getsops/sops/pull/1973

putsuka avatar Oct 15 '25 04:10 putsuka