vmm-cli: require --kms-url when using --env-file #462

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged

kvinwang merged 1 commit into master from fix/vmm-cli-require-kms-with-env-file

Jan 25, 2026

vmm/src/vmm-cli.py

-Original file line number
+Diff line change
@@ Expand Up / @@ -520,6 +520,11 @@ def calc_app_id(self, compose_file: str) -> str: @@
         def create_app_compose(self, args) -> None:
             """Create a new app compose file"""
             envs = parse_env_file(args.env_file) or {}
+            # Validate: --env-file requires --kms
+            if envs and not args.kms:
+                raise Exception("--env-file requires --kms to enable KMS for environment variable decryption")
             app_compose = {
                 "manifest_version": 2,
                 "name": args.name,
@@ Expand Down Expand Up / @@ -565,6 +570,17 @@ def create_vm(self, args) -> None: @@
             envs = parse_env_file(args.env_file)
+            # Validate: --env-file requires --kms-url and kms_enabled in compose
+            if envs:
+                if not args.kms_url:
+                    raise Exception("--env-file requires --kms-url to encrypt environment variables")
+                try:
+                    compose_json = json.loads(compose_content)
+                    if not compose_json.get('kms_enabled', False):
+                        raise Exception("--env-file requires kms_enabled=true in the compose file (use --kms when creating compose)")
+                except json.JSONDecodeError:
+                    pass  # Let the server handle invalid JSON
             # Read user config file if provided
             user_config = ""
             if args.user_config:
@@ Expand Down Expand Up / @@ -620,6 +636,10 @@ def create_vm(self, args) -> None: @@
         def update_vm_env(self, vm_id: str, envs: Dict[str, str], kms_urls: Optional[List[str]] = None) -> None:
             """Update environment variables for a VM"""
+            # Validate: requires --kms-url
+            if not kms_urls:
+                raise Exception("--kms-url is required to encrypt environment variables")
             envs = envs or {}
             # First get the VM info to retrieve the app_id
             vm_info_response = self.rpc_call('GetInfo', {'id': vm_id})
@@ Expand Down Expand Up / @@ -709,6 +729,10 @@ def update_vm( @@
             no_tee: Optional[bool] = None,
         ) -> None:
             """Update multiple aspects of a VM in one command"""
+            # Validate: --env-file requires --kms-url
+            if env_file and not kms_urls:
+                raise Exception("--env-file requires --kms-url to encrypt environment variables")
             updates = []
             # handle resize operations (vcpu, memory, disk, image)
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

vmm-cli: require --kms-url when using --env-file #462

Uh oh!

Diff view

Diff view

There are no files selected for viewing