
Commit cdad251

Merge pull request #953 from joshkaplinsky/develop
Support for GCP Service Account as JSON or Path in Default Application Credentials
2 parents 9eb7eb8 + 17fb03f commit cdad251

2 files changed

Lines changed: 23 additions & 7 deletions

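--- a/gcpkms/keysource.go
+++ b/gcpkms/keysource.go
@@ -3,16 +3,16 @@ package gcpkms //import "go.mozilla.org/sops/v3/gcpkms"
 import (
 "encoding/base64"
 "fmt"
+"google.golang.org/api/option"
+"os"
 "regexp"
 "strings"
 "time"
 
 "go.mozilla.org/sops/v3/logging"
 
-"golang.org/x/net/context"
-"golang.org/x/oauth2/google"
-
 "github.com/sirupsen/logrus"
+"golang.org/x/net/context"
 cloudkms "google.golang.org/api/cloudkms/v1"
 )
 
@@ -131,12 +131,15 @@ func (key MasterKey) createCloudKMSService() (*cloudkms.Service, error) {
 }
 
 ctx := context.Background()
-client, err := google.DefaultClient(ctx, cloudkms.CloudPlatformScope)
-if err != nil {
+var options []option.ClientOption
+
+if credentials, err := getGoogleCredentials(); err != nil {
 return nil, err
+} else if len(credentials) > 0 {
+options = append(options, option.WithCredentialsJSON(credentials))
 }
 
-cloudkmsService, err := cloudkms.New(client)
+cloudkmsService, err := cloudkms.NewService(ctx, options...)
 if err != nil {
 return nil, err
 }
@@ -151,3 +154,16 @@ func (key MasterKey) ToMap() map[string]interface{} {
 out["created_at"] = key.CreationDate.UTC().Format(time.RFC3339)
 return out
 }
+
+// getGoogleCredentials looks for a GCP Service Account in the environment
+// variable: GOOGLE_CREDENTIALS, set as either a path to a credentials file or directly as the
+// variable's value in JSON format.
+//
+// If not set, will default to use GOOGLE_APPLICATION_CREDENTIALS
+func getGoogleCredentials() ([]byte, error) {
+defaultCredentials := os.Getenv("GOOGLE_CREDENTIALS")
+if _, err := os.Stat(defaultCredentials); err == nil {
+return os.ReadFile(defaultCredentials)
+}
+return []byte(defaultCredentials), nil
+}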
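Review bot: In getGoogleCredentials (new lines 163-169) any GOOGLE_CREDENTIALS value whose os.Stat fails — a mistyped path, a permission error on a parent directory — is silently reinterpreted as inline JSON and only fails later inside cloudkms.NewService with a JSON parse error that never mentions the file, which is hard to diagnose. Deciding by content instead (inline JSON starts with `{`, anything else is a path) lets the file branch return the os.ReadFile error with context, and lets an empty variable return nil explicitly rather than relying on the `len(credentials) > 0` check in createCloudKMSService; `strings` and `fmt` are already imported in the first hunk, so no new dependency is needed. The last line of the doc comment also overstates the fallback: with the variable unset no credentials option is passed and the client library's default credential lookup applies, of which GOOGLE_APPLICATION_CREDENTIALS is presumably only the first step, so `// If unset, no credentials option is passed and the client library's default credentials apply.` would be more accurate. The wrapped error below deliberately does not echo the variable's value, so a secret placed in it by mistake does not end up in logs.
```go
func getGoogleCredentials() ([]byte, error) {
	defaultCredentials := os.Getenv("GOOGLE_CREDENTIALS")
	if defaultCredentials == "" {
		return nil, nil
	}
	// Inline JSON is recognised by its leading brace; anything else is treated as a path.
	if strings.HasPrefix(strings.TrimSpace(defaultCredentials), "{") {
		return []byte(defaultCredentials), nil
	}
	credentials, err := os.ReadFile(defaultCredentials)
	if err != nil {
		return nil, fmt.Errorf("reading GOOGLE_CREDENTIALS file: %w", err)
	}
	return credentials, nil
}
```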

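--- a/go.mod
+++ b/go.mod
@@ -28,7 +28,6 @@ require (
 go.mozilla.org/gopgagent v0.0.0-20170926210634-4d7ea76ff71a
 golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4
 golang.org/x/net v0.0.0-20220420153159-1850ba15e1be
-golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5
 golang.org/x/sys v0.0.0-20220412211240-33da011f77ad
 google.golang.org/api v0.74.0
 google.golang.org/grpc v1.45.0
@@ -103,6 +102,7 @@ require (
 github.com/stretchr/objx v0.3.0 // indirect
 go.opencensus.io v0.23.0 // indirect
 go.uber.org/atomic v1.9.0 // indirect
+golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5 // indirect
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
 golang.org/x/text v0.3.7 // indirect
 golang.org/x/time v0.0.0-20220224211638-0e9765cccd65 // indirect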
