feat(gcpkms): Add SOPS_GCP_KMS_CLIENT_TYPE environment variable support

This change allows users to select between gRPC and REST clients for GCP KMS by setting the SOPS_GCP_KMS_CLIENT_TYPE environment variable. - Default: gRPC client (when not set or set to 'grpc') - REST client: when set to 'rest' - Updated documentation Fixes #1570） Signed-off-by: shin.fukami.nd <shin.fukami@nttdata.com>
2026-02-05 12:45:21 +01:00 · 2025-10-14 13:22:23 +09:00
parent 54c17ccb27
commit d6673932f8
2 changed files with 44 additions and 1 deletions
--- a/README.rst
+++ b/README.rst
@@ -309,6 +309,14 @@ Or if you are logged in you can authorize by generating an access token:

    $ export GOOGLE_OAUTH_ACCESS_TOKEN="$(gcloud auth print-access-token)"

+By default, SOPS uses the gRPC client to communicate with GCP KMS. You can optionally
+switch to the REST client by setting the ``SOPS_GCP_KMS_CLIENT_TYPE`` environment variable:
+
+.. code:: sh
+
+    $ export SOPS_GCP_KMS_CLIENT_TYPE=rest  # Use REST client
+    $ export SOPS_GCP_KMS_CLIENT_TYPE=grpc  # Use gRPC client (default)
+
 Encrypting/decrypting with GCP KMS requires a KMS ResourceID. You can use the
 cloud console the get the ResourceID or you can create one using the gcloud
 sdk:
--- a/gcpkms/keysource.go
+++ b/gcpkms/keysource.go
@@ -27,6 +27,9 @@ const (
 	// SopsGoogleCredentialsOAuthTokenEnv is the environment variable used for the
 	// GCP OAuth 2.0 Token.
 	SopsGoogleCredentialsOAuthTokenEnv = "GOOGLE_OAUTH_ACCESS_TOKEN"
+	// SopsGCPKMSClientTypeEnv is the environment variable used to specify the
+	// GCP KMS client type. Valid values are "grpc" (default) and "rest".
+	SopsGCPKMSClientTypeEnv = "SOPS_GCP_KMS_CLIENT_TYPE"
 	// KeyTypeIdentifier is the string used to identify a GCP KMS MasterKey.
 	KeyTypeIdentifier = "gcp_kms"
 )
@@ -68,6 +71,10 @@ type MasterKey struct {
 	grpcConn *grpc.ClientConn
 	// grpcDialOpts are the gRPC dial options used to create the gRPC connection.
 	grpcDialOpts []grpc.DialOption
+	// useRESTClient indicates whether to use the REST client for GCP KMS.
+	useRESTClient bool
+	// clientOpts are the client options used to create the GCP KMS client.
+	clientOpts []option.ClientOption
 }

 // NewMasterKeyFromResourceID creates a new MasterKey with the provided resource
@@ -126,6 +133,22 @@ func (d DialOptions) ApplyToMasterKey(key *MasterKey) {
 	key.grpcDialOpts = d
 }

+// UseRESTClient configures the MasterKey to use the REST client for GCP KMS.
+type UseRESTClient struct{}
+
+// ApplyToMasterKey configures the MasterKey to use the REST client for GCP KMS.
+func (UseRESTClient) ApplyToMasterKey(key *MasterKey) {
+	key.useRESTClient = true
+}
+
+// ClientOptions are the client options used to create the GCP KMS client.
+type ClientOptions []option.ClientOption
+
+// ApplyToMasterKey configures the ClientOptions on the provided key.
+func (c ClientOptions) ApplyToMasterKey(key *MasterKey) {
+	key.clientOpts = c
+}
+
 // Encrypt takes a SOPS data key, encrypts it with GCP KMS, and stores the
 // result in the EncryptedKey field.
 //
@@ -294,7 +317,19 @@ func (key *MasterKey) newKMSClient(ctx context.Context) (*kms.KeyManagementClien
 		}
 	}

-	client, err := kms.NewKeyManagementClient(ctx, opts...)
+	// Add extra options.
+	opts = append(opts, key.clientOpts...)
+
+	// Select client type based on inputs.
+	clientType := strings.ToLower(os.Getenv(SopsGCPKMSClientTypeEnv))
+	var client *kms.KeyManagementClient
+	var err error
+	switch {
+	case clientType == "rest", key.useRESTClient:
+		client, err = kms.NewKeyManagementRESTClient(ctx, opts...)
+	default:
+		client, err = kms.NewKeyManagementClient(ctx, opts...)
+	}
 	if err != nil {
 		return nil, err
 	}