sops icon indicating copy to clipboard operation
sops copied to clipboard
verified publisher icon getsops

Add support for gcp access token

Open marensofier opened this issue 1 year ago • 2 comments

We are facing a situation where we want to use short lived access tokens with a minimum of permissions for the kms, and not use static long lived credentials ✨

That is why we really want to add support for the use of gcp access tokens in sops using the environment variable GOOGLE_OAUTH_ACCESS_TOKEN (also used by Pulumi/Terrafrom).

marensofier avatar Aug 06 '24 14:08 marensofier

Related to https://github.com/getsops/sops/pull/1358

devstein avatar Aug 18 '24 23:08 devstein

Regarding the name of the env var, I would consider naming it GOOGLE_OAUTH_ACCESS_TOKEN. This is used by Pulumi and Terraform, and has the same GOOGLE_* prefix as the existing GOOGLE_CREDENTIALS env var.

Also, which of the two should take precedence? In Pulumi it's GOOGLE_OAUTH_ACCESS_TOKEN.

christoffer-eide avatar Aug 19 '24 09:08 christoffer-eide

There is a fair amount of overlap with #1794 where there does need to be some assessment between the two enhancements

sabre1041 avatar Mar 27 '25 03:03 sabre1041

There is a fair amount of overlap with #1794 where there does need to be some assessment between the two enhancements

Hey @sabre1041 I disagree, there's no overlap here. The two PRs are introducing two different methods of authentication and can be merged independently. This one just needs to rename the method to emphasize the fact that it retrieves the token from an environment variable, and not from a generic oauth2.TokenSource passed in memory like the other one.

In the end the switch-case from newKMSClient() should look like this:

	switch {
	case key.tokenSource != nil:
		opts = append(opts, option.WithTokenSource(key.tokenSource))
	case key.credentialJSON != nil:
		opts = append(opts, option.WithCredentialsJSON(key.credentialJSON))
	default:
		credentials, errCredentialsFile := getGoogleCredentials()
		if credentials != nil {
			opts = append(opts, option.WithCredentialsJSON(credentials))
			break
		}

		atCredentials, errCredentialsToken := getGoogleOAuthTokenFromEnv()
		if atCredentials != nil {
			opts = append(opts, option.WithTokenSource(atCredentials))
		}

		if errCredentialsFile != nil && errCredentialsToken != nil {
			return nil, fmt.Errorf("credentials: failed to get credentials for gcp kms, add default credentials or oauth access token from env")
		}
	}

matheuscscp avatar Mar 27 '25 10:03 matheuscscp

While going through all PRs I noticed that #1188 seems to do the same thing (from the general functionality point of view) as this one. So once this is done I guess we can close #1188. (If that's not correct, please tell me :) )

felixfontein avatar Mar 27 '25 20:03 felixfontein

@marensofier can you please resolve the conflicts and address the comments? Thanks.

felixfontein avatar Mar 28 '25 06:03 felixfontein

@sabre1041 @matheuscscp can you take another look at the latest version?

felixfontein avatar Mar 28 '25 18:03 felixfontein

I'd also change the name of the PR to Add support for gcp access token from environment variable

matheuscscp avatar Mar 28 '25 20:03 matheuscscp

@marensofier @warwick-mitchell1 @matheuscscp and everyone else involved in the PRs, thanks a lot for your contributions, reviews, and comments! I'm glad we finally got this resolved and merged :)

felixfontein avatar Mar 30 '25 13:03 felixfontein