
error loading config: no matching creation rules found when encryption with inline key parameters (eg: --age --kms) #1790

Open
yunerou opened this issue Mar 7, 2025 · 4 comments

@yunerou

yunerou commented Mar 7, 2025

Running the following command in a directory that doesn't contain .sops.yaml:

sops --age=age1xxfdafu5j4e5z7y5l6my6x07vjuh6unxersnwne4etpvykheq9gsj003fv -e mysecret.json

gives this result:

error loading config: no matching creation rules found

This is clearly a bug, since creation rules should not be required when a specific key is provided.

Impact:

  • It's not backwards-compatible with old shell scripts that use an env var and then loop over all files in a dir to encrypt

===
SOPS version: sops 3.9.4

@duthils
Contributor

duthils commented Mar 7, 2025

I can't reproduce the issue in a clean directory:

$ mkdir /tmp/reproduce
$ cd /tmp/reproduce
$ echo '{"test": "value"}' > mysecret.json
$ sops --version
sops 3.9.4 (latest)
$ sops --age=age1xxfdafu5j4e5z7y5l6my6x07vjuh6unxersnwne4etpvykheq9gsj003fv -e mysecret.json
{
        "test": "ENC[AES256_GCM,data:nbFjo0s=,iv:a1bYzjEVI+yGMD7VNtFU3OgAl5QJ6tbRj1ofIjvIZNo=,tag:SuyEWzpjFBmGaBYLtWsDcg==,type:str]",
        "sops": {
                ...
        }
}

Would you have something in your environment variables?

env | grep -i sops

@yunerou
Author

yunerou commented Mar 8, 2025

I've already used it without any errors. Maybe I'm wrong, although in history | grep I tried this many times yesterday.

@felixfontein
Contributor

Do you have a .sops.yaml in the directory or somewhere further up the tree? @duthils's reproducer likely won't have one (usually you don't have a SOPS config in / or /tmp/), but depending on where you run sops you might have one.

@yunerou
Author

yunerou commented Mar 8, 2025

@felixfontein @duthils

You're right. It only throws an error when there's a .sops.yaml in the parent directory. However, it only errors in some cases where .sops.yaml does not contain the sub-dir. It's hard to describe in English, but I'll give you some test cases and you can reproduce.

I reproduced it with the steps below.

Test cases

Prepare a directory for testing (remove $HOME/dosthsops afterwards to clean up):

cd $HOME
mkdir dosthsops
cd dosthsops
touch .sops.yaml
echo '{"test": "value"}' > mysecret1.json
mkdir not-registed-path && echo '{"test": "value"}' > not-registed-path/mysecret2.json
mkdir registed-path && echo '{"test": "value"}' > registed-path/mysecret3.json

test case 1: -> .sops.yaml is an empty file

cd $HOME/dosthsops
rm .sops.yaml
touch .sops.yaml
echo
echo "secret1"
sops --age=age1xxfdafu5j4e5z7y5l6my6x07vjuh6unxersnwne4etpvykheq9gsj003fv -e mysecret1.json
echo
echo "secret2"
sops --age=age1xxfdafu5j4e5z7y5l6my6x07vjuh6unxersnwne4etpvykheq9gsj003fv -e not-registed-path/mysecret2.json
echo
echo "cd && secret2"
cd not-registed-path && sops --age=age1xxfdafu5j4e5z7y5l6my6x07vjuh6unxersnwne4etpvykheq9gsj003fv -e mysecret2.json 
cd -
echo
echo "secret3"
sops --age=age1xxfdafu5j4e5z7y5l6my6x07vjuh6unxersnwne4etpvykheq9gsj003fv -e registed-path/mysecret3.json
echo
echo "cd && secret3"
cd registed-path && sops --age=age1xxfdafu5j4e5z7y5l6my6x07vjuh6unxersnwne4etpvykheq9gsj003fv -e mysecret3.json 
cd -

test case 2: -> .sops.yaml has empty rules

cd $HOME/dosthsops
rm .sops.yaml
cat >> .sops.yaml<< EOF
creation_rules: []
EOF
echo
echo "secret1"
sops --age=age1xxfdafu5j4e5z7y5l6my6x07vjuh6unxersnwne4etpvykheq9gsj003fv -e mysecret1.json
echo
echo "secret2"
sops --age=age1xxfdafu5j4e5z7y5l6my6x07vjuh6unxersnwne4etpvykheq9gsj003fv -e not-registed-path/mysecret2.json
echo
echo "cd && secret2"
cd not-registed-path && sops --age=age1xxfdafu5j4e5z7y5l6my6x07vjuh6unxersnwne4etpvykheq9gsj003fv -e mysecret2.json 
cd -
echo
echo "secret3"
sops --age=age1xxfdafu5j4e5z7y5l6my6x07vjuh6unxersnwne4etpvykheq9gsj003fv -e registed-path/mysecret3.json
echo
echo "cd && secret3"
cd registed-path && sops --age=age1xxfdafu5j4e5z7y5l6my6x07vjuh6unxersnwne4etpvykheq9gsj003fv -e mysecret3.json 
cd -

test case 3: -> .sops.yaml has a rule matching a sub-dir

cd $HOME/dosthsops
rm .sops.yaml
cat >> .sops.yaml<< EOF
creation_rules: 
  - path_regex: registed-path/.*\.(json|yaml|yml|env|txt)$
    age: "age15sq7kls08hzq8djpn26dda0fna3ccnw038568gcul9amjjjdaedq4xg2rr"
    encrypted_regex: "^(data|stringData)$"
EOF

echo
echo "secret1"
sops --age=age1xxfdafu5j4e5z7y5l6my6x07vjuh6unxersnwne4etpvykheq9gsj003fv -e mysecret1.json
echo
echo "secret2"
sops --age=age1xxfdafu5j4e5z7y5l6my6x07vjuh6unxersnwne4etpvykheq9gsj003fv -e not-registed-path/mysecret2.json
echo
echo "cd && secret2"
cd not-registed-path && sops --age=age1xxfdafu5j4e5z7y5l6my6x07vjuh6unxersnwne4etpvykheq9gsj003fv -e mysecret2.json 
cd -
echo
echo "secret3"
sops --age=age1xxfdafu5j4e5z7y5l6my6x07vjuh6unxersnwne4etpvykheq9gsj003fv -e registed-path/mysecret3.json
echo
echo "cd && secret3"
cd registed-path && sops --age=age1xxfdafu5j4e5z7y5l6my6x07vjuh6unxersnwne4etpvykheq9gsj003fv -e mysecret3.json 
cd -

test case 4: -> .sops.yaml has rules but none matching any sub-dir

cd $HOME/dosthsops
rm .sops.yaml
cat >> .sops.yaml<< EOF
creation_rules: 
  - path_regex: something-else/.*\.(json|yaml|yml|env|txt)$
    age: "age15sq7kls08hzq8djpn26dda0fna3ccnw038568gcul9amjjjdaedq4xg2rr"
    encrypted_regex: "^(data|stringData)$"
EOF

echo
echo "secret1"
sops --age=age1xxfdafu5j4e5z7y5l6my6x07vjuh6unxersnwne4etpvykheq9gsj003fv -e mysecret1.json
echo
echo "secret2"
sops --age=age1xxfdafu5j4e5z7y5l6my6x07vjuh6unxersnwne4etpvykheq9gsj003fv -e not-registed-path/mysecret2.json
echo
echo "cd && secret2"
cd not-registed-path && sops --age=age1xxfdafu5j4e5z7y5l6my6x07vjuh6unxersnwne4etpvykheq9gsj003fv -e mysecret2.json 
cd -
echo
echo "secret3"
sops --age=age1xxfdafu5j4e5z7y5l6my6x07vjuh6unxersnwne4etpvykheq9gsj003fv -e registed-path/mysecret3.json
echo
echo "cd && secret3"
cd registed-path && sops --age=age1xxfdafu5j4e5z7y5l6my6x07vjuh6unxersnwne4etpvykheq9gsj003fv -e mysecret3.json 
cd -

Result

  • test cases 1 & 3 -> ok
  • test cases 2 & 4 -> error
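To see which .sops.yaml governs a given file and whether any of its creation_rules match it, here is a small diagnostic (an added example, not code from this thread or from the sops project). It assumes no YAML library and only handles the flat config shape used in the test cases above; it assumes, as sops does, that the config is found by walking upward from the file's directory and that path_regex is compared against the path relative to the config's directory with an unanchored search.

```python
import os
import re
import sys

def find_sops_config(start_dir):
    """Nearest .sops.yaml at or above start_dir, or None. sops searches upward
    from the working directory the same way, so a config in a parent counts."""
    d = os.path.abspath(start_dir)
    while True:
        cand = os.path.join(d, ".sops.yaml")
        if os.path.isfile(cand):
            return cand
        parent = os.path.dirname(d)
        if parent == d:
            return None
        d = parent

def parse_creation_rules(text):
    """Flat-shape parser for this thread's configs (assumption: no YAML library).
    None = no creation_rules key at all; else list of path_regex (None if absent)."""
    if not re.search(r"^creation_rules:", text, re.M):
        return None
    rules = []
    for line in text.splitlines():
        if re.match(r"^\s*-\s", line):          # each '- ' item starts a rule
            rules.append(None)
        m = re.match(r"^\s*(?:-\s*)?path_regex:\s*(.+?)\s*$", line)
        if m and rules:
            rules[-1] = m.group(1).strip("\"'")
    return rules

def matching_rules(rules, rel_path):
    """Indexes of rules that apply to rel_path (file path relative to the config's
    directory). Unanchored search, like Go's regexp.MatchString used by sops."""
    return [i for i, rx in enumerate(rules) if rx is None or re.search(rx, rel_path)]

def diagnose(target_file):
    """Governing config for target_file, its parsed rules, and which rules match."""
    target = os.path.abspath(target_file)
    cfg = find_sops_config(os.path.dirname(target))
    if cfg is None:
        return {"config": None, "rules": None, "matches": []}
    with open(cfg) as fh:
        rules = parse_creation_rules(fh.read())
    rel = os.path.relpath(target, os.path.dirname(cfg))
    return {"config": cfg, "rules": rules,
            "matches": matching_rules(rules, rel) if rules else []}

if __name__ == "__main__":
    print(diagnose(sys.argv[1]))
```

Run against the layouts above, case 1 yields rules None (no creation_rules key) while case 2 yields [] and case 4 yields a rule that matches nothing, which are the two cases that produced the error. Note also that because the search is unanchored, the case 3 rule for registed-path/ also matches not-registed-path/mysecret2.json; anchor a path_regex (for example ^registed-path/) if it is meant to be scoped to one directory.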
