diff --git a/gcpkms/keysource.go b/gcpkms/keysource.go
index eee55433d..921aa9b8f 100644
--- a/gcpkms/keysource.go
+++ b/gcpkms/keysource.go
@@ -3,16 +3,16 @@ package gcpkms //import "go.mozilla.org/sops/v3/gcpkms"
 import (
 "encoding/base64"
 "fmt"
+ "google.golang.org/api/option"
+ "os"
 "regexp"
 "strings"
 "time"
 "go.mozilla.org/sops/v3/logging"
- "golang.org/x/net/context"
- "golang.org/x/oauth2/google"
- "github.com/sirupsen/logrus"
+ "golang.org/x/net/context"
 cloudkms "google.golang.org/api/cloudkms/v1"
 )
@@ -131,12 +131,15 @@ func (key MasterKey) createCloudKMSService() (*cloudkms.Service, error) {
 }
 ctx := context.Background()
- client, err := google.DefaultClient(ctx, cloudkms.CloudPlatformScope)
- if err != nil {
+ var options []option.ClientOption
+
+ if credentials, err := getGoogleCredentials(); err != nil {
 return nil, err
+ } else if len(credentials) > 0 {
+ options = append(options, option.WithCredentialsJSON(credentials))
 }
- cloudkmsService, err := cloudkms.New(client)
+ cloudkmsService, err := cloudkms.NewService(ctx, options...)
 if err != nil {
 return nil, err
 }
@@ -151,3 +154,16 @@ func (key MasterKey) ToMap() map[string]interface{} {
 out["created_at"] = key.CreationDate.UTC().Format(time.RFC3339)
 return out
 }
+
+// getGoogleCredentials looks for a GCP Service Account in the environment
+// variable: GOOGLE_CREDENTIALS, set as either a path to a credentials file or directly as the
+// variable's value in JSON format.
+//
+// If not set, will default to use GOOGLE_APPLICATION_CREDENTIALS
+func getGoogleCredentials() ([]byte, error) {
+ defaultCredentials := os.Getenv("GOOGLE_CREDENTIALS")
+ if _, err := os.Stat(defaultCredentials); err == nil {
+ return os.ReadFile(defaultCredentials)
+ }
+ return []byte(defaultCredentials), nil
+}
diff --git a/go.mod b/go.mod
index 9eaede17a..46000dce2 100644
--- a/go.mod
+++ b/go.mod
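Review bot: The added `"google.golang.org/api/option"` import sits in the standard-library group between `"fmt"` and `"os"`, which is not how goimports groups things and will be reshuffled by the next person who saves the file with it enabled. It belongs in the third-party group alongside `"golang.org/x/net/context"` and the `cloudkms` import; only `"os"` should be added to the stdlib group. The surrounding blank separator lines are not recoverable from this rendering, so the exact target group is inferred from the visible ordering.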
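Review bot: The error from `getGoogleCredentials()` is returned bare at `return nil, err`, so an unreadable GOOGLE_CREDENTIALS value surfaces to the user as an opaque file-read error with no hint which setting caused it; wrap it, `return nil, fmt.Errorf("loading GOOGLE_CREDENTIALS: %w", err)` (`fmt` is already imported per the first hunk). The `} else if len(credentials) > 0 {` after a terminating return is also unusual Go — assigning `credentials, err` before the `if` and using two plain `if` blocks reads more conventionally and keeps `credentials` out of the `else` scope. createCloudKMSService begins before this hunk (its first context line is a closing brace), so the earlier part of the function is not visible here.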
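Review bot: getGoogleCredentials treats any value that does not `os.Stat` as an existing file as inline JSON, so a mistyped or unreadable credentials path is silently handed to `option.WithCredentialsJSON` as if it were the key material and fails later inside the client with a JSON parse error rather than a file-not-found error. Deciding by the value's shape (inline JSON starts with `{`, which `strings` already in the import list can test) and surfacing the read error makes the misconfiguration obvious; the rewrite below does that and keeps the empty-variable case returning nothing so the caller's `len(credentials) > 0` guard still works. The last line of the doc comment also overstates the function: it never consults GOOGLE_APPLICATION_CREDENTIALS itself — the fallback to Application Default Credentials happens in `cloudkms.NewService` when no option is passed — so I would phrase it as `// If unset or empty, nothing is returned and the KMS client falls back to Application Default Credentials.` Since the inline form puts a service-account private key into the process environment, a one-line note in the comment that the value is readable by anything that can inspect the environment would help operators choose the file form where that matters.
```go
func getGoogleCredentials() ([]byte, error) {
	creds := os.Getenv("GOOGLE_CREDENTIALS")
	if creds == "" {
		return nil, nil
	}
	// Inline JSON is recognised by its leading brace; anything else is a path,
	// and a path that cannot be read is a misconfiguration worth reporting.
	if strings.HasPrefix(strings.TrimSpace(creds), "{") {
		return []byte(creds), nil
	}
	b, err := os.ReadFile(creds)
	if err != nil {
		return nil, fmt.Errorf("reading GOOGLE_CREDENTIALS file %q: %w", creds, err)
	}
	return b, nil
}
```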
@@ -28,7 +28,6 @@ require (
 go.mozilla.org/gopgagent v0.0.0-20170926210634-4d7ea76ff71a
 golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4
 golang.org/x/net v0.0.0-20220420153159-1850ba15e1be
- golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5
 golang.org/x/sys v0.0.0-20220412211240-33da011f77ad
 google.golang.org/api v0.74.0
 google.golang.org/grpc v1.45.0
@@ -103,6 +102,7 @@ require (
 github.com/stretchr/objx v0.3.0 // indirect
 go.opencensus.io v0.23.0 // indirect
 go.uber.org/atomic v1.9.0 // indirect
+ golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5 // indirect
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
 golang.org/x/text v0.3.7 // indirect
 golang.org/x/time v0.0.0-20220224211638-0e9765cccd65 // indirect