Added support for access tokens in gcpkms #1358
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
christoffer-eide
force-pushed
the
add-support-for-gcp-kms-access-tokens
branch
2 times, most recently
from
797ef4f
to
26f3545
Compare
Signed-off-by: Christoffer Eide <[email protected]>
christoffer-eide
force-pushed
the
add-support-for-gcp-kms-access-tokens
branch
from
7a7136f
to
ec9a4a7
Compare
devstein
approved these changes
Dec 29, 2023
There was a problem hiding this comment.
Thanks for contributing @christoffer-eide 🥇
Looks good to me. Can you quickly fix the merge conflicts?
cc @getsops/maintainers if anyone else wants to take a look
devstein
reviewed
Dec 29, 2023
devstein
reviewed
Dec 29, 2023
There was a problem hiding this comment.
Can you add a note to the GCP KMS docs for others to discover this feature?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds support for access token (via the
GOOGLE_CREDENTIALSenv var).If the env var
GOOGLE_CREDENTIALSis not set, the gcloud sdk fetches an access token from the instance metadata endpointhttp://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token.In our workload on GKE, we don't want to use the access token returned by the metadata endpoint directly. We use this access token to impersonate another service account, which has the minimum of permissions required for the kms decrypt.
There is no facility to set access tokens in sops, only static (long lived) credentials via the credentials file/
GOOGLE_CREDENTIALS.