Attention Iron Bank Customers: On March 27, 2025, we are moving SBOM artifacts from the Anchore Scan job to the Build job to streamline the container hardening pipeline. If you currently download SBOMs from the Anchore Scan job, you can still get them from the Build job and from other sources, including IBFE and image attestations.
@@ -94,14 +94,20 @@ SOPS uses `.sops.yaml` as a configuration file for which keys to use for newly c
### AWS KMS
1. Configure your KMS key(s) in your `.sops.yaml` by adding the target key's ARN to the `kms` field within each creation rule.
```yaml
creation_rules:
-encrypted_regex:'^(data|stringData)$'
path_regex:./dev/.*
kms:'<kms_key_arn>'
```
2. Ensure your cluster (specifically the `flux-system/flux-controller`) has access to the specified key.
1. For AWS deployments, this can be managed via IAM roles as [described in the SOPS documentation](https://github.com/mozilla/sops#28assuming-roles-and-using-kms-in-various-aws-accounts).
2. For non-AWS deployments
1. Create an AWS user with appropriate permissions.
1. Create an AWS user with appropriate permissions as [described in the SOPS documentation](https://github.com/mozilla/sops#28assuming-roles-and-using-kms-in-various-aws-accounts).
2. Create a secret named `sops-aws-creds` in the cluster using the access creds from the target user:
```bash
k create secret generic -n flux-system sops-aws-creds --from-literal=access_key_id=<key_id> --from-literal=access_key_secret=<key>
```
```bash
k create secret generic -n flux-system sops-aws-creds --from-literal=access_key_id=<key_id> --from-literal=access_key_secret=<key>
