
Enable control of GCP quota project id #1142

@haizaar


Good day,
I ran into an issue today when trying to decrypt a JSON file with a GCP KMS key stored in project foo - sops kept complaining that the KMS API is not enabled in project bar.

After running strace I figured out that sops is trying to use the calling project_id as defined in ~/.config/gcloud/application_default_credentials.json:

{
  "client_id": "...",
  "client_secret": "...",
  "quota_project_id": "bar",
  "refresh_token": "...",
  "type": "authorized_user"
}

One can change this value by running gcloud auth application-default set-quota-project foo, but there is a problem with it: this setting is global across your whole environment and there is no way to amend it with environment variables. That is, if I'm working on two projects on my machine I can set all gcloud SDK (not application default) options dynamically using CLOUDSDK_... env vars, e.g. through direnv. However, I can't do that for quota_project_id, hence it basically hinders me from using sops properly in two envs in parallel.

I know it's not a sops problem but rather a Cloud SDK limitation. However, it would be great if sops could support extra GCP args so we could do something like:

sops --decrypt --gcp-quota-project-id=$CLOUDSDK_CORE_PROJECT foo.json

This way we can isolate dev envs fully. What do you think?
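As an added illustration (not sops code and not from the issue author), this sketch shows how the requested override could be resolved ahead of the quota_project_id found in the ADC file. The flag and environment variable names, the ADC sample and the function names are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// adcFile holds the one field of application_default_credentials.json that
// matters here; the other fields (tokens, secrets) are deliberately ignored.
type adcFile struct {
	QuotaProjectID string `json:"quota_project_id"`
	Type           string `json:"type"`
}

// quotaProjectFromADC returns the quota_project_id recorded in an ADC file.
func quotaProjectFromADC(data []byte) (string, error) {
	var f adcFile
	if err := json.Unmarshal(data, &f); err != nil {
		return "", fmt.Errorf("parse ADC: %w", err)
	}
	return f.QuotaProjectID, nil
}

// resolveQuotaProject picks the project charged for KMS quota: an explicit
// flag value (e.g. a hypothetical --gcp-quota-project-id) wins, then an
// environment variable, then whatever the ADC file says. flagValue and
// envValue are the already-read contents, "" when unset.
func resolveQuotaProject(flagValue, envValue string, adc []byte) (string, error) {
	if flagValue != "" {
		return flagValue, nil
	}
	if envValue != "" {
		return envValue, nil
	}
	return quotaProjectFromADC(adc)
}

func main() {
	// Constructed ADC content: the global setting points at project "bar".
	adc := []byte(`{"quota_project_id": "bar", "type": "authorized_user"}`)
	// No flag given here; CLOUDSDK_CORE_PROJECT (if set) overrides the file.
	p, err := resolveQuotaProject("", os.Getenv("CLOUDSDK_CORE_PROJECT"), adc)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("quota project:", p)
}
```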
