
Commit f495885

authored
Merge pull request #1249 from getsops/fix-gcp-app-defaults
gcpkms: allow use of Google default credentials
2 parents 1475933 + b700bef commit f495885

1 file changed

Lines changed: 7 additions & 5 deletions


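--- a/gcpkms/keysource.go
+++ b/gcpkms/keysource.go
@@ -217,7 +217,7 @@ func (key *MasterKey) newKMSClient() (*kms.KeyManagementClient, error) {
 return nil, err
 }
 if credentials != nil {
-opts = append(opts, option.WithCredentialsJSON(key.credentialJSON))
+opts = append(opts, option.WithCredentialsJSON(credentials))
 }
 }
 if key.grpcConn != nil {
@@ -238,9 +238,11 @@ func (key *MasterKey) newKMSClient() (*kms.KeyManagementClient, error) {
 // JSON format. It returns an error if the file cannot be read, and may return
 // a nil byte slice if no value is set.
 func getGoogleCredentials() ([]byte, error) {
-defaultCredentials := os.Getenv(SopsGoogleCredentialsEnv)
-if _, err := os.Stat(defaultCredentials); err == nil {
-return os.ReadFile(defaultCredentials)
+if defaultCredentials, ok := os.LookupEnv(SopsGoogleCredentialsEnv); ok && len(defaultCredentials) > 0 {
+if _, err := os.Stat(defaultCredentials); err == nil {
+return os.ReadFile(defaultCredentials)
+}
+return []byte(defaultCredentials), nil
 }
-return []byte(defaultCredentials), nil
+return nil, nil
 }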
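Review bot: In getGoogleCredentials, every os.Stat failure, not only a missing file, still falls through to `return []byte(defaultCredentials), nil`. A credentials file that exists but cannot be stat'ed (for example, permission denied on a parent directory) therefore has its path string handed to option.WithCredentialsJSON as if it were key material. The caller then presumably sees a JSON parse failure rather than the file error the doc comment promises. Choosing the interpretation from the content instead of from Stat would make the two cases explicit: `if json.Valid([]byte(defaultCredentials)) { return []byte(defaultCredentials), nil }` followed by `return os.ReadFile(defaultCredentials)`, which needs encoding/json imported. If the error is wrapped, it should name the environment variable and not echo its value, since that value may be an inline service-account key.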
