diff --git a/README.md b/README.md
index 00ae4f7..f04cf43 100644
--- a/README.md
+++ b/README.md
@@ -22,10 +22,13 @@ No modules.
| Name | Type |
| ---- | ---- |
| [aws_iam_access_key.admin_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
+| [aws_iam_access_key.sops_secrets_operator](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
| [aws_iam_openid_connect_provider.github_actions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider) | resource |
| [aws_iam_role.github_actions_sops_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy.github_actions_sops_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
| [aws_iam_user.admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
+| [aws_iam_user.sops_secrets_operator](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
+| [aws_iam_user_policy.sops_secrets_operator_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy) | resource |
| [aws_iam_user_policy_attachment.admin_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy_attachment) | resource |
| [aws_kms_alias.sops](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
| [aws_kms_key.sops](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
@@ -50,5 +53,7 @@ No inputs.
| [admin\_access\_keys](#output\_admin\_access\_keys) | Admin IAM user access keys |
| [github\_actions\_sops\_kms\_role\_arn](#output\_github\_actions\_sops\_kms\_role\_arn) | IAM role ARN for GitHub Actions SOPS KMS access |
| [sops\_kms\_key\_arn](#output\_sops\_kms\_key\_arn) | KMS key ARN for future SOPS AWS KMS recipients |
+| [sops\_secrets\_operator\_access\_key](#output\_sops\_secrets\_operator\_access\_key) | Access key for the k3s sops-secrets-operator to decrypt SOPS AWS KMS secrets |
+| [sops\_secrets\_operator\_iam\_user\_arn](#output\_sops\_secrets\_operator\_iam\_user\_arn) | IAM user ARN for the k3s sops-secrets-operator |
| [web\_bucket\_endpoints](#output\_web\_bucket\_endpoints) | Website endpoints for public web S3 buckets |
diff --git a/aws-iam.tf b/aws-iam.tf
index 1b5f6a7..c6962cc 100644
--- a/aws-iam.tf
+++ b/aws-iam.tf
@@ -17,3 +17,36 @@ resource "aws_iam_access_key" "admin_key" {
for_each = local.admin_users
user = aws_iam_user.admin[each.key].name
}
+
+resource "aws_iam_user" "sops_secrets_operator" {
+ name = "sops-secrets-operator"
+ force_destroy = false
+
+ tags = {
+ ManagedBy = "Terraform"
+ Purpose = "sops-secrets-operator"
+ }
+}
+
+resource "aws_iam_user_policy" "sops_secrets_operator_kms" {
+ name = "sops-kms-decrypt"
+ user = aws_iam_user.sops_secrets_operator.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Effect = "Allow"
+ Action = [
+ "kms:Decrypt",
+ "kms:DescribeKey"
+ ]
+ Resource = aws_kms_key.sops.arn
+ }
+ ]
+ })
+}
+
+resource "aws_iam_access_key" "sops_secrets_operator" {
+ user = aws_iam_user.sops_secrets_operator.name
+}
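Review bot: The new `aws_iam_access_key.sops_secrets_operator` resource (last three lines of the hunk) is created without a `pgp_key`, so the plaintext `secret` lands in the Terraform state file and in any consumer of the state; the state backend thereby becomes the secret store for a long-lived static credential, which is a wider exposure than the single-key `kms:Decrypt`/`kms:DescribeKey` policy above suggests. This matches the existing `admin_key` pattern, whose resource starts before the hunk, so it may be deliberate; if so, a comment on the resource such as `# NOTE: secret is stored in plaintext in state — state backend must be access-controlled; set pgp_key to keep it encrypted in state` records the decision, and otherwise `pgp_key = "<PLACEHOLDER: keybase user or base64 PGP public key>"` keeps the secret out of state. Either way, the user policy scoped to `aws_kms_key.sops.arn` is appropriately narrow and the key should be on a rotation schedule since nothing here bounds its lifetime.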
diff --git a/outputs.tf b/outputs.tf
index e0ab005..017f229 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -24,3 +24,17 @@ output "github_actions_sops_kms_role_arn" {
description = "IAM role ARN for GitHub Actions SOPS KMS access"
value = aws_iam_role.github_actions_sops_kms.arn
}
+
+output "sops_secrets_operator_access_key" {
+ description = "Access key for the k3s sops-secrets-operator to decrypt SOPS AWS KMS secrets"
+ value = {
+ access_key_id = aws_iam_access_key.sops_secrets_operator.id
+ secret_access_key = aws_iam_access_key.sops_secrets_operator.secret
+ }
+ sensitive = true
+}
+
+output "sops_secrets_operator_iam_user_arn" {
+ description = "IAM user ARN for the k3s sops-secrets-operator"
+ value = aws_iam_user.sops_secrets_operator.arn
+}
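Review bot: `sensitive = true` on `sops_secrets_operator_access_key` only redacts the value in plan/apply display; `terraform output -json` (and `-raw` on the individual fields) still prints the `secret_access_key`, and it remains readable in state. A short comment above the output, e.g. `# sensitive only hides this in plan/apply output; the secret is still readable via terraform output -json and in state`, would stop a reader from assuming the flag protects the credential, and the `description` could say where the value is meant to be consumed from so it is not copied into an unmanaged location. The `sops_secrets_operator_iam_user_arn` output carries no secret and needs nothing further.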