Encrypting using HuaweiCloud KMS
The HuaweiCloud KMS integration uses the default credential provider chain which tries several authentication methods, in this order:
- Environment variables: HUAWEICLOUD_SDK_AK, HUAWEICLOUD_SDK_SK, HUAWEICLOUD_SDK_PROJECT_ID
- Credentials file at ~/.huaweicloud/credentials
- Instance metadata (when running on HuaweiCloud instances)
For example, you can use environment variables:
export HUAWEICLOUD_SDK_AK="your-access-key"
export HUAWEICLOUD_SDK_SK="your-secret-key"
export HUAWEICLOUD_SDK_PROJECT_ID="your-project-id"
Alternatively, you can create a credentials file at ~/.huaweicloud/credentials:
$ cat ~/.huaweicloud/credentials
[default]
ak = your-access-key
sk = your-secret-key
project_id = your-project-id
Encrypting/decrypting with HuaweiCloud KMS requires a KMS key ID in the format
region:key-uuid. You can get the key ID from the HuaweiCloud console or using
the HuaweiCloud API. In the key ID format region:key-uuid:
- region is the HuaweiCloud region (e.g., tr-west-1, cn-north-1)
- key-uuid is the UUID of the KMS key (e.g., abc12345-6789-0123-4567-890123456789)
Now you can encrypt a file using:
$ sops encrypt --hckms tr-west-1:abc12345-6789-0123-4567-890123456789 test.yaml > test.enc.yaml
Or using the environment variable:
$ export SOPS_HUAWEICLOUD_KMS_IDS="tr-west-1:abc12345-6789-0123-4567-890123456789"
$ sops encrypt test.yaml > test.enc.yaml
And decrypt it using:
$ sops decrypt test.enc.yaml
You can also configure HuaweiCloud KMS keys in the .sops.yaml config file:
creation_rules:
  - path_regex: \.hckms\.yaml$
    hckms:
      - tr-west-1:abc12345-6789-0123-4567-890123456789,tr-west-2:def67890-1234-5678-9012-345678901234
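As an added example (not sops's own code), a small Go parser for the region:key-uuid key ID format described above, including the comma-separated list form that SOPS_HUAWEICLOUD_KMS_IDS and the hckms entries in .sops.yaml take. The region pattern is an assumption modelled on the example regions, and the names HCKMSKey, ParseHCKMSKeyID and ParseHCKMSKeyIDs are mine.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// HCKMSKey is one HuaweiCloud KMS key reference in region:key-uuid form.
// This parser is an added illustration, not sops's own code.
type HCKMSKey struct {
	Region  string
	KeyUUID string
}

// Assumed region shape modelled on tr-west-1 / cn-north-1 (lowercase letters
// and digits joined by hyphens) and a standard 8-4-4-4-12 lowercase hex UUID.
var regionRe = regexp.MustCompile(`^[a-z]+(-[a-z0-9]+)+$`)
var uuidRe = regexp.MustCompile(`^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$`)

// ParseHCKMSKeyID splits one "region:key-uuid" value and validates both parts.
func ParseHCKMSKeyID(s string) (HCKMSKey, error) {
	region, uuid, ok := strings.Cut(s, ":")
	switch {
	case !ok:
		return HCKMSKey{}, fmt.Errorf("hckms key %q: expected region:key-uuid", s)
	case !regionRe.MatchString(region):
		return HCKMSKey{}, fmt.Errorf("hckms key %q: bad region %q", s, region)
	case !uuidRe.MatchString(uuid):
		return HCKMSKey{}, fmt.Errorf("hckms key %q: bad key uuid %q", s, uuid)
	}
	return HCKMSKey{Region: region, KeyUUID: uuid}, nil
}

// ParseHCKMSKeyIDs parses the comma-separated list form used by
// SOPS_HUAWEICLOUD_KMS_IDS and by the hckms entries in .sops.yaml.
func ParseHCKMSKeyIDs(list string) ([]HCKMSKey, error) {
	var keys []HCKMSKey
	for _, item := range strings.Split(list, ",") {
		if item = strings.TrimSpace(item); item == "" {
			continue // tolerate a blank entry left by a trailing comma
		}
		k, err := ParseHCKMSKeyID(item)
		if err != nil {
			return nil, err
		}
		keys = append(keys, k)
	}
	return keys, nil
}
```

Validating key IDs this way before invoking sops turns a typo in a region or UUID into an immediate local error instead of a failed KMS call at encryption time.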