As described in the linked issue, if the GCP KMS key is stored in
project foo, but the service account is created in project bar, sops
complains that the KMS API is not enabled in project bar.
The quota project used by default is the one encoded in the service
account key. With this commit, the behavior changes so that the project
where the KMS key and API reside is read from the key ID and set
via the quota project option.
Fixes #1142
Signed-off-by: Johannes Rothe <mail@johannes-rothe.de>
This change allows users to select between gRPC and REST clients for GCP KMS
by setting the SOPS_GCP_KMS_CLIENT_TYPE environment variable.
- Default: gRPC client (when not set or set to 'grpc')
- REST client: when set to 'rest'
- Updated documentation
Fixes #1570
Signed-off-by: shin.fukami.nd <shin.fukami@nttdata.com>
Replace the logging of failed encryption and decryption attempts from
error to info level.
This is to address a regression in which an encryption or decryption
attempt with a series of keys would result in a list of failed attempts
logged to stderr even when the operation itself eventually succeeded.
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
This commit renames the Go module from `go.mozilla.org/sops/v3` to
`github.com/getsops/sops/v3` without a major version bump, to align
with new stewardship.
For more information around this change, refer to
https://github.com/getsops/sops/issues/1246.
For a one-liner to change the `go.mod` and any import paths in your
Go project making use of this module, run:
```
# GNU sed (Linux): -i edits in place without a backup suffix
find /path/to/repo -type f \( -name "*.go" -o -name "go.mod" \) -exec sed -i 's|go.mozilla.org/sops/v3|github.com/getsops/sops/v3|g' {} \;
# BSD sed (macOS): -i requires an explicit (here empty) backup suffix argument
find /path/to/repo -type f \( -name "*.go" -o -name "go.mod" \) -exec sed -i '' 's|go.mozilla.org/sops/v3|github.com/getsops/sops/v3|g' {} \;
```
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
Most of the rewritten key sources introduced `WithError` calls, which
do not appear to go well with the UX of the CLI. This reverts it to
be semi-equal to the current `master`.
During the diff, I noticed the current age implementation in master
does make use of `WithError`, which makes me wonder if errors are not
returned twice at present in the CLI.
Signed-off-by: Hidde Beydals <hello@hidde.co>
By addressing the bug in the introduced logic around
the `GOOGLE_CREDENTIALS` environment variable.
The variable is now only taken into account when it is set and actually
contains a value.
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
This updates the GCP KMS client to the latest version, adds more extensive
test coverage, and generally tidies bits of code.
The improvements are based on a fork of the key source in the Flux
project's kustomize-controller, built due to SOPS' limitation around
credential management without relying on runtime environment variables.
- Updates the deprecated `google.golang.org/api/cloudkms/v1` to
`cloud.google.com/go/kms/apiv1`.
- It introduces a `CredentialJSON` type which holds a Service Account
credential file, and can be applied to the `MasterKey`.
When applied, the provided credentials are used in the GCP KMS
service client configuration, instead of relying on
`GOOGLE_CREDENTIALS`, or the default client environment variables.
This is most useful when working with SOPS as an SDK, in combination
with e.g. a local key service server implementation.
- Test coverage.
The forked version of this has compatibility (and integration) tests to
ensure it works with current SOPS:
- cbb0fc9df5/internal/sops/gcpkms/keysource_integration_test.go (L39)
- cbb0fc9df5/internal/sops/gcpkms/keysource_integration_test.go (L59)
Co-authored-by: Somtochi Onyekwere <somtochi@weave.works>
Signed-off-by: Hidde Beydals <hello@hidde.co>