Read GCP key content from environment? #681
Comments
|
This functionality should probably be added to the GCP SDK instead.
Regardless, how are you able to get the sops file into the build
environment, but not a GCP credentials file?
…On Tue, 16 Jun 2020 at 07:48, Reid Beels ***@***.***> wrote:
The GCP KMS implementation uses Google's Application Default Credentials
scheme, which requires the path to a key file to be passed set as
GOOGLE_APPLICATION_CREDENTIALS.
We've run into a few places in our build process where we'd like to use
sops with the GCP KMS, but where it's not feasible for us to write
credentials to a file beforehand. Would it make sense for sops to provide
an environment variable to accept Google credentials as content instead of
as a path?
The Google API client offers an initialization method using credentials
content:
https://pkg.go.dev/google.golang.org/api/option?tab=doc#WithCredentialsJSON
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#681>, or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AARH4V7K4T3FBOEFV5BKCPDRW4BUFANCNFSM4N7I2AOA>
.
|
|
It's definitely something that should be added to the GCP SDK, but every discussion I've ever seen about it has ended with "we implement Application Default Credentials, that's just how it works". 😞 The specific use case that I was trying to make work is:
|
|
I might be wrong but my understanding is that GOOGLE_APPLICATION_CREDENTIALS can either be a path to the json credentials or the actual json credential contents? Could be worth testing if that would help your use case. |
|
The Application Default Credentials spec says it's a file path, and that's how the Go library implements it: The Google Auth clients for some other languages implement a way to pass credentials directly as a different environment variable, but there's no equivalent in Go. The official recommendation from the Go OAuth2 team is to use CredentialsFromJSON to construct a client if you want to pass JSON directly, which would have to be implemented as part of sops. |
|
Since a gcloud update we now see that GOOGLE_APPLICATION_CREDENTIALS is used for kubectl access, which stopped working as it points to a service account that only has decrypt perms. Blocker |
|
If we need to combine perms in one account we can (even tho its a pita), but is that documented? |
|
Any progress on this ? |
The GCP KMS implementation uses Google's Application Default Credentials scheme, which requires the path to a key file to be passed set as
GOOGLE_APPLICATION_CREDENTIALS.We've run into a few places in our build process where we'd like to use sops with the GCP KMS, but where it's not feasible for us to write credentials to a file beforehand. Would it make sense for sops to provide an environment variable to accept Google credentials as content instead of as a path?
The Google API client offers an initialization method using credentials content: https://pkg.go.dev/google.golang.org/api/option?tab=doc#WithCredentialsJSON
The text was updated successfully, but these errors were encountered: