kms+role doesn't work properly with aws govcloud partition
I am experiencing an issue where, when trying to encrypt a file for the first time, it fails when using a kms+role format in .sops.yaml
sops -e file.yaml
Could not generate data key: [failed to encrypt new data key with master key "arn:aws-us-gov:kms:us-gov-west-1:account:key/key+arn:aws-us-gov:iam::account:role/test": Failed to call KMS encryption service: NotFoundException: Invalid arn arn:aws-us-gov:kms:us-gov-west-1:account:key/key+arn:aws-us-gov:iam::account:role/test
status code: 400, request id: id]
Contents of .sops.yaml
creation_rules:
  - path_regex: file.yaml
    kms: 'arn:aws-us-gov:kms:us-gov-west-1:account:key/key+arn:aws-us-gov:iam::account:role/test+arn:aws-us-gov:iam::account:role/test'
    aws_profile: ""
However, if I change the .sops.yaml to
creation_rules:
  - path_regex: file.yaml
    kms: 'arn:aws-us-gov:kms:us-gov-west-1:account:key/key+arn:aws-us-gov:iam::account:role/test'
    role: 'arn:aws-us-gov:iam::account:role/test'
    aws_profile: ""
the file will encrypt just fine.
However, the encrypted file is missing the role metadata which we need for automation to decrypt the file. I can perform the same steps using a non-govcloud kms key and role and the encrypt works just fine.
I may be wrong, but I'm guessing this is the offending line: https://github.com/mozilla/sops/blob/master/kms/keysource.go#L138
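As an added illustration (not sops's own code), the snippet below puts a partition-aware split of the kms+role string beside a constructed model of a split that only recognises the commercial aws partition, which reproduces the symptom in the report: the GovCloud role is never detached, so the whole string is handed to KMS as the key ARN. The function names and the naive model are assumptions; the GovCloud ARN is the one from the issue.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Partition-aware separator: matches "+arn:aws:iam::", "+arn:aws-us-gov:iam::",
// "+arn:aws-cn:iam::" and any other "aws-<suffix>" partition.
var roleSuffixRegex = regexp.MustCompile(`\+arn:aws(-[a-z]+)*:iam::`)

// splitKmsRoleNaive is a constructed model (assumption, not sops's code) of a split that
// only knows the commercial partition. For a GovCloud role the separator is never found,
// so the key ARN and role stay glued together and KMS rejects the combined string.
func splitKmsRoleNaive(s string) (keyArn, role string) {
	s = strings.ReplaceAll(s, " ", "")
	if i := strings.Index(s, "+arn:aws:iam::"); i > 0 {
		return s[:i], s[i+1:]
	}
	return s, ""
}

// splitKmsRole finds the first "+arn:<partition>:iam::" separator regardless of
// partition and splits the key ARN from the role ARN there.
func splitKmsRole(s string) (keyArn, role string) {
	s = strings.ReplaceAll(s, " ", "")
	loc := roleSuffixRegex.FindStringIndex(s)
	if loc == nil || loc[0] == 0 {
		return s, "" // no role appended (or malformed input with nothing before '+')
	}
	return s[:loc[0]], s[loc[0]+1:]
}

func main() {
	// GovCloud kms+role string from the issue report.
	gov := "arn:aws-us-gov:kms:us-gov-west-1:account:key/key+arn:aws-us-gov:iam::account:role/test"
	k, r := splitKmsRoleNaive(gov)
	fmt.Printf("partition-blind: key=%q role=%q\n", k, r)
	k, r = splitKmsRole(gov)
	fmt.Printf("partition-aware: key=%q role=%q\n", k, r)
}
```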
Bump, how do we get someone to review the PR?
Bump! Thank you @ryan-dyer-sp !! I've been using this branch for the last 4 months and never had any issues. Can someone review this PR?