From ea8b3bb31dcee893f792fe34c437cf1b69828c84 Mon Sep 17 00:00:00 2001 From: "Kaplinsky, Joshua B" Date: Wed, 27 Oct 2021 12:08:06 -0500 Subject: [PATCH 1/3] support gcp credentials as env var --- gcpkms/keysource.go | 28 +++++++++++++++++++++++----- 1 file changed, 23 insertions(+), 5 deletions(-) diff --git a/gcpkms/keysource.go b/gcpkms/keysource.go index eee55433d..d3514f5b6 100644 --- a/gcpkms/keysource.go +++ b/gcpkms/keysource.go @@ -3,16 +3,17 @@ package gcpkms //import "go.mozilla.org/sops/v3/gcpkms" import ( "encoding/base64" "fmt" + "google.golang.org/api/option" + "io/ioutil" + "os" "regexp" "strings" "time" "go.mozilla.org/sops/v3/logging" - "golang.org/x/net/context" - "golang.org/x/oauth2/google" - "github.com/sirupsen/logrus" + "golang.org/x/net/context" cloudkms "google.golang.org/api/cloudkms/v1" ) @@ -131,12 +132,13 @@ func (key MasterKey) createCloudKMSService() (*cloudkms.Service, error) { } ctx := context.Background() - client, err := google.DefaultClient(ctx, cloudkms.CloudPlatformScope) + + creds, err := getDefaultApplicationCredentials() if err != nil { return nil, err } - cloudkmsService, err := cloudkms.New(client) + cloudkmsService, err := cloudkms.NewService(ctx, option.WithCredentialsJSON(creds)) if err != nil { return nil, err } @@ -151,3 +153,19 @@ func (key MasterKey) ToMap() map[string]interface{} { out["created_at"] = key.CreationDate.UTC().Format(time.RFC3339) return out } + +// getDefaultApplicationCredentials allows for passing GCP Service Account +// Credentials as either a path to a file, or directly as an environment variable +// in JSON format. +func getDefaultApplicationCredentials() (token []byte, err error) { + var defaultCredentials = os.Getenv("GOOGLE_APPLICATION_CREDENTIALS") + + if _, err := os.Stat(defaultCredentials); err == nil { + if token, err = ioutil.ReadFile(defaultCredentials); err != nil { + return nil, err + } + } else { + token = []byte(defaultCredentials) + } + return +} \ No newline at end of file 
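Review bot: The added `"google.golang.org/api/option"` import sits in the standard-library group, between `"fmt"` and `"io/ioutil"`, while the file keeps third-party packages (`logrus`, `cloudkms`) in a separate group below; `goimports` would move it next to `cloudkms`. A style point only, but worth fixing before merge so the next `goimports` run does not produce an unrelated diff.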
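Review bot: Passing the result of `getDefaultApplicationCredentials()` straight into `option.WithCredentialsJSON(creds)` breaks every setup that does not set `GOOGLE_APPLICATION_CREDENTIALS`: the helper returns `[]byte("")` in that case, so the service is built from an empty JSON blob instead of the default credential chain (gcloud user credentials, metadata server) that, as far as I recall, the removed `google.DefaultClient` call resolved. Only add the option when something was actually found, e.g. `var opts []option.ClientOption` then `if len(creds) > 0 { opts = append(opts, option.WithCredentialsJSON(creds)) }` and `cloudkms.NewService(ctx, opts...)`. The body of createCloudKMSService begins before this hunk.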
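Review bot: In `getDefaultApplicationCredentials`, `if _, err := os.Stat(defaultCredentials); err == nil` shadows the named result `err`, so the `ioutil.ReadFile` assignment writes the inner variable and the function only surfaces it through the explicit `return nil, err`; the naked `return` on the file path's success branch returns the outer, never-assigned `err`. That happens to work but is the classic shadowing trap; dropping the named results and returning explicitly, `return ioutil.ReadFile(defaultCredentials)` in the file branch and `return []byte(defaultCredentials), nil` otherwise, removes it. A value that is neither an existing path nor JSON (a mistyped path, for instance) is also passed on as credential JSON and fails only later inside the client library; a `json.Valid` check here would give a clearer error. The file is missing its trailing newline, which `gofmt` will add.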
From c0dc48401a592324915816ee44f75979933d455a Mon Sep 17 00:00:00 2001 From: Josh Kaplinsky Date: Tue, 18 Jan 2022 08:41:00 -0600 Subject: [PATCH 2/3] Update keysource.go --- gcpkms/keysource.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gcpkms/keysource.go b/gcpkms/keysource.go index d3514f5b6..6aed39935 100644 --- a/gcpkms/keysource.go +++ b/gcpkms/keysource.go @@ -158,7 +158,7 @@ func (key MasterKey) ToMap() map[string]interface{} { // Credentials as either a path to a file, or directly as an environment variable // in JSON format. func getDefaultApplicationCredentials() (token []byte, err error) { - var defaultCredentials = os.Getenv("GOOGLE_APPLICATION_CREDENTIALS") + var defaultCredentials = os.Getenv("GOOGLE_CREDENTIALS") if _, err := os.Stat(defaultCredentials); err == nil { if token, err = ioutil.ReadFile(defaultCredentials); err != nil { From 4ffb54c791bbef418729d1635cef7bf747706db4 Mon Sep 17 00:00:00 2001 From: Josh Kaplinsky <37640086+joshkaplinsky@users.noreply.github.com> Date: Tue, 3 May 2022 18:30:15 -0500 Subject: [PATCH 3/3] Use custom GOOGLE_CREDENTIALS or fallback to default --- gcpkms/keysource.go | 32 +++++++++++++++----------------- go.mod | 2 +- 2 files changed, 16 insertions(+), 18 deletions(-) diff --git a/gcpkms/keysource.go b/gcpkms/keysource.go index 6aed39935..921aa9b8f 100644 --- a/gcpkms/keysource.go +++ b/gcpkms/keysource.go @@ -4,7 +4,6 @@ import ( "encoding/base64" "fmt" "google.golang.org/api/option" - "io/ioutil" "os" "regexp" "strings" 
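Review bot: After this rename nothing in the function reads `GOOGLE_APPLICATION_CREDENTIALS` any more, and since the caller (outside this hunk) hands whatever is returned to `option.WithCredentialsJSON`, an environment that only sets the standard variable now gets an empty credentials blob rather than its service account. Either keep a fallback, `if defaultCredentials == "" { defaultCredentials = os.Getenv("GOOGLE_APPLICATION_CREDENTIALS") }`, or have the caller skip the option when the value is empty so the library's default lookup still applies. The function name and its doc comment still say "DefaultApplicationCredentials" and should name `GOOGLE_CREDENTIALS`, e.g. `// getDefaultApplicationCredentials reads GCP service-account credentials from GOOGLE_CREDENTIALS, either a path to a JSON file or the JSON itself.` The function's body ends outside the hunk.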
@@ -132,13 +131,15 @@ func (key MasterKey) createCloudKMSService() (*cloudkms.Service, error) { } ctx := context.Background() + var options []option.ClientOption - creds, err := getDefaultApplicationCredentials() - if err != nil { + if credentials, err := getGoogleCredentials(); err != nil { return nil, err + } else if len(credentials) > 0 { + options = append(options, option.WithCredentialsJSON(credentials)) } - cloudkmsService, err := cloudkms.NewService(ctx, option.WithCredentialsJSON(creds)) + cloudkmsService, err := cloudkms.NewService(ctx, options...) if err != nil { return nil, err } @@ -154,18 +155,15 @@ func (key MasterKey) ToMap() map[string]interface{} { return out } -// getDefaultApplicationCredentials allows for passing GCP Service Account -// Credentials as either a path to a file, or directly as an environment variable -// in JSON format. -func getDefaultApplicationCredentials() (token []byte, err error) { - var defaultCredentials = os.Getenv("GOOGLE_CREDENTIALS") - +// getGoogleCredentials looks for a GCP Service Account in the environment +// variable: GOOGLE_CREDENTIALS, set as either a path to a credentials file or directly as the +// variable's value in JSON format. +// +// If not set, will default to use GOOGLE_APPLICATION_CREDENTIALS +func getGoogleCredentials() ([]byte, error) { + defaultCredentials := os.Getenv("GOOGLE_CREDENTIALS") if _, err := os.Stat(defaultCredentials); err == nil { - if token, err = ioutil.ReadFile(defaultCredentials); err != nil { - return nil, err - } - } else { - token = []byte(defaultCredentials) + return os.ReadFile(defaultCredentials) } - return -} \ No newline at end of file + return []byte(defaultCredentials), nil +} diff --git a/go.mod b/go.mod index d83338a2e..acfd52ec2 100644 --- a/go.mod +++ b/go.mod 
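Review bot: In `getGoogleCredentials`, a non-empty `GOOGLE_CREDENTIALS` value that fails `os.Stat` is returned verbatim as credential JSON, so a mistyped file path is silently passed to `option.WithCredentialsJSON` and only fails later inside `cloudkms.NewService` with a parse error that never mentions the variable. Validate the inline branch before returning it: `if defaultCredentials != "" && !json.Valid([]byte(defaultCredentials)) { return nil, fmt.Errorf("GOOGLE_CREDENTIALS is neither an existing file path nor valid JSON") }`, which keeps the empty-string fallback intact and needs `encoding/json` added to the import block (`fmt` is already imported). The doc comment's "will default to use GOOGLE_APPLICATION_CREDENTIALS" describes behavior of the client library rather than this function; I would phrase it as `// If unset, no credentials option is passed and cloudkms.NewService uses the library's default credential lookup (which presumably honors GOOGLE_APPLICATION_CREDENTIALS).` In createCloudKMSService, the `else if len(credentials) > 0` after a branch that returns could be a plain `if`, which is the file's prevailing shape; that function's body starts before the hunk.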
@@ -27,7 +27,6 @@ require ( go.mozilla.org/gopgagent v0.0.0-20170926210634-4d7ea76ff71a golang.org/x/crypto v0.0.0-20220307211146-efcb8507fb70 golang.org/x/net v0.0.0-20220225172249-27dd8689420f - golang.org/x/oauth2 v0.0.0-20220309155454-6242fa91716a golang.org/x/sys v0.0.0-20220307203707-22a9840ba4d7 google.golang.org/api v0.71.0 google.golang.org/grpc v1.44.0 @@ -101,6 +100,7 @@ require ( github.com/stretchr/objx v0.3.0 // indirect go.opencensus.io v0.23.0 // indirect go.uber.org/atomic v1.9.0 // indirect + golang.org/x/oauth2 v0.0.0-20220309155454-6242fa91716a // indirect golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect golang.org/x/text v0.3.7 // indirect golang.org/x/time v0.0.0-20220224211638-0e9765cccd65 // indirect