8 changes: 8 additions & 0 deletions README.rst
Expand Up @@ -309,6 +309,14 @@ Or if you are logged in you can authorize by generating an access token:
$ export GOOGLE_OAUTH_ACCESS_TOKEN="$(gcloud auth print-access-token)"
By default, SOPS uses the gRPC client to communicate with GCP KMS. You can optionally
switch to the REST client by setting the ``SOPS_GCP_KMS_CLIENT_TYPE`` environment variable:
.. code:: sh
$ export SOPS_GCP_KMS_CLIENT_TYPE=rest # Use REST client
$ export SOPS_GCP_KMS_CLIENT_TYPE=grpc # Use gRPC client (default)
Encrypting/decrypting with GCP KMS requires a KMS ResourceID. You can use the
cloud console the get the ResourceID or you can create one using the gcloud
sdk:
19 changes: 18 additions & 1 deletion gcpkms/keysource.go
Expand Up @@ -27,6 +27,9 @@ const (
// SopsGoogleCredentialsOAuthTokenEnv is the environment variable used for the
// GCP OAuth 2.0 Token.
SopsGoogleCredentialsOAuthTokenEnv = "GOOGLE_OAUTH_ACCESS_TOKEN"
// SopsGCPKMSClientTypeEnv is the environment variable used to specify the
// GCP KMS client type. Valid values are "grpc" (default) and "rest".
SopsGCPKMSClientTypeEnv = "SOPS_GCP_KMS_CLIENT_TYPE"
// KeyTypeIdentifier is the string used to identify a GCP KMS MasterKey.
KeyTypeIdentifier = "gcp_kms"
)
Expand Down Expand Up @@ -294,7 +297,21 @@ func (key *MasterKey) newKMSClient(ctx context.Context) (*kms.KeyManagementClien
}
}

client, err := kms.NewKeyManagementClient(ctx, opts...)
// Select client type based on environment variable
clientType := os.Getenv(SopsGCPKMSClientTypeEnv)
var client *kms.KeyManagementClient
var err error

switch strings.ToLower(clientType) {
case "rest":
client, err = kms.NewKeyManagementRESTClient(ctx, opts...)
case "grpc", "":
// Default to gRPC client when not specified or explicitly set to "grpc"
client, err = kms.NewKeyManagementClient(ctx, opts...)
default:
return nil, fmt.Errorf("invalid client type %q specified in %s environment variable: valid values are 'grpc' or 'rest'", clientType, SopsGCPKMSClientTypeEnv)
}

if err != nil {
return nil, err
}
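Review bot: The constructor error on the context lines right after the new switch is still returned bare (`return nil, err`), so now that two transports can be selected, a REST-only failure surfaces with no indication of which client was being built or that SOPS_GCP_KMS_CLIENT_TYPE steered it there; wrap it, e.g. `return nil, fmt.Errorf("creating GCP KMS %s client: %w", clientType, err)` after defaulting `clientType` to `"grpc"` when it is empty. The `opts` assembled above this hunk are handed unchanged to both constructors; if any of them are gRPC-specific (option.WithGRPCDialOption, option.WithGRPCConnectionPool) they presumably do not apply to the REST client, which is worth confirming before the README presents the two paths as equivalent. Minor: `strings.TrimSpace` before `strings.ToLower` would keep a value with stray whitespace from a shell export from failing with a confusing "invalid client type" message. newKMSClient starts before this hunk and its body appears to continue past it.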