@@ -3,16 +3,16 @@ package gcpkms //import "go.mozilla.org/sops/v3/gcpkms"
33import (
44 "encoding/base64"
55 "fmt"
6+ "google.golang.org/api/option"
7+ "os"
68 "regexp"
79 "strings"
810 "time"
911
1012 "go.mozilla.org/sops/v3/logging"
1113
12- "golang.org/x/net/context"
13- "golang.org/x/oauth2/google"
14-
1514 "github.com/sirupsen/logrus"
15+ "golang.org/x/net/context"
1616 cloudkms "google.golang.org/api/cloudkms/v1"
1717)
1818
@@ -131,12 +131,15 @@ func (key MasterKey) createCloudKMSService() (*cloudkms.Service, error) {
131131 }
132132
133133 ctx := context .Background ()
134- client , err := google .DefaultClient (ctx , cloudkms .CloudPlatformScope )
135- if err != nil {
134+ var options []option.ClientOption
135+
136+ if credentials , err := getGoogleCredentials (); err != nil {
136137 return nil , err
138+ } else if len (credentials ) > 0 {
139+ options = append (options , option .WithCredentialsJSON (credentials ))
137140 }
138141
139- cloudkmsService , err := cloudkms .New ( client )
142+ cloudkmsService , err := cloudkms .NewService ( ctx , options ... )
140143 if err != nil {
141144 return nil , err
142145 }
@@ -151,3 +154,16 @@ func (key MasterKey) ToMap() map[string]interface{} {
151154 out ["created_at" ] = key .CreationDate .UTC ().Format (time .RFC3339 )
152155 return out
153156}
157+
158+ // getGoogleCredentials looks for a GCP Service Account in the environment
159+ // variable: GOOGLE_CREDENTIALS, set as either a path to a credentials file or directly as the
160+ // variable's value in JSON format.
161+ //
162+ // If not set, will default to use GOOGLE_APPLICATION_CREDENTIALS
163+ func getGoogleCredentials () ([]byte , error ) {
164+ defaultCredentials := os .Getenv ("GOOGLE_CREDENTIALS" )
165+ if _ , err := os .Stat (defaultCredentials ); err == nil {
166+ return os .ReadFile (defaultCredentials )
167+ }
168+ return []byte (defaultCredentials ), nil
169+ }
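Review bot: When GOOGLE_CREDENTIALS holds a file path that `os.Stat` rejects for any reason (typo, unreadable parent directory, a directory rather than a file), the new `getGoogleCredentials` falls through to the final return and hands the raw path string to `option.WithCredentialsJSON` in createCloudKMSService, so the operator sees a JSON-parsing failure from the KMS client instead of the underlying file error. Deciding by content instead of by Stat makes the failure explicit: a value starting with `{` is inline JSON and goes straight to the client, anything else is read as a file and the read error is wrapped with the variable name and path, which also drops the Stat/ReadFile check-then-use pair. Because only the path branch is quoted in the error, no credential material ends up in log output; `fmt` and `strings` are already imported.
```go
func getGoogleCredentials() ([]byte, error) {
	raw := os.Getenv("GOOGLE_CREDENTIALS")
	if raw == "" {
		return nil, nil
	}
	// A value that opens with '{' is an inline service-account document; the
	// KMS client reports any JSON errors itself.
	if strings.HasPrefix(strings.TrimSpace(raw), "{") {
		return []byte(raw), nil
	}
	data, err := os.ReadFile(raw)
	if err != nil {
		return nil, fmt.Errorf("reading GOOGLE_CREDENTIALS file %q: %w", raw, err)
	}
	return data, nil
}
```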