Add support for gcp access token
We are facing a situation where we want to use short lived access tokens with a minimum of permissions for the kms, and not use static long lived credentials ✨
That is why we really want to add support for the use of gcp access tokens in sops using the environment variable GOOGLE_OAUTH_ACCESS_TOKEN (also used by Pulumi/Terraform).
Related to https://github.com/getsops/sops/pull/1358
Regarding the name of the env var, I would consider naming it GOOGLE_OAUTH_ACCESS_TOKEN.
This is used by Pulumi and Terraform, and has the same GOOGLE_* prefix as the existing GOOGLE_CREDENTIALS env var.
Also, which of the two should take precedence? In Pulumi it's GOOGLE_OAUTH_ACCESS_TOKEN.
There is a fair amount of overlap with #1794 where there does need to be some assessment between the two enhancements
Hey @sabre1041 I disagree, there's no overlap here. The two PRs are introducing two different methods of authentication and can be merged independently. This one just needs to rename the method to emphasize the fact that it retrieves the token from an environment variable, and not from a generic oauth2.TokenSource passed in memory like the other one.
In the end the switch-case from newKMSClient() should look like this:
```go
switch {
case key.tokenSource != nil:
	// An explicit in-memory token source (the other PR) takes precedence.
	opts = append(opts, option.WithTokenSource(key.tokenSource))
case key.credentialJSON != nil:
	opts = append(opts, option.WithCredentialsJSON(key.credentialJSON))
default:
	credentials, errCredentialsFile := getGoogleCredentials()
	if credentials != nil {
		opts = append(opts, option.WithCredentialsJSON(credentials))
		break // leaves the switch; the env token is only a fallback
	}
	atCredentials, errCredentialsToken := getGoogleOAuthTokenFromEnv()
	if atCredentials != nil {
		opts = append(opts, option.WithTokenSource(atCredentials))
	}
	if errCredentialsFile != nil && errCredentialsToken != nil {
		return nil, fmt.Errorf("credentials: failed to get credentials for gcp kms, add default credentials or oauth access token from env")
	}
}
```
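The precedence described in the comment above, written out as a self-contained Go program (an added example, not sops code or the PR's code): `kmsKey`, `accessTokenFromEnv` and `selectAuth` are hypothetical names, the token source is reduced to a bool so no external module is needed, and the env lookup is injected so the behaviour can be exercised without touching the real environment.

```go
package main

import (
	"fmt"
	"strings"
)

const envOAuthToken = "GOOGLE_OAUTH_ACCESS_TOKEN"

// kmsKey stands in for the per-key fields named in the review comment (bool instead of oauth2.TokenSource).
type kmsKey struct {
	hasTokenSource bool
	credentialJSON []byte
}

// accessTokenFromEnv reads GOOGLE_OAUTH_ACCESS_TOKEN via the supplied lookup (os.LookupEnv in
// a real process). A blank value is treated as unset so it never becomes an empty bearer token.
func accessTokenFromEnv(lookup func(string) (string, bool)) (string, error) {
	tok, ok := lookup(envOAuthToken)
	if tok = strings.TrimSpace(tok); !ok || tok == "" {
		return "", fmt.Errorf("%s is not set", envOAuthToken)
	}
	return tok, nil
}

// selectAuth applies the precedence from the review comment: explicit token source, then
// credentials JSON on the key, then default credentials, then the env token. Unlike the
// sketch it also returns an error when nothing at all was found.
func selectAuth(key kmsKey, lookup func(string) (string, bool), loadDefault func() ([]byte, error)) (string, error) {
	switch {
	case key.hasTokenSource:
		return "token-source", nil
	case key.credentialJSON != nil:
		return "credential-json", nil
	}
	if creds, err := loadDefault(); err == nil && creds != nil {
		return "default-credentials", nil
	}
	if _, err := accessTokenFromEnv(lookup); err == nil {
		return "env-access-token", nil
	}
	return "", fmt.Errorf("credentials: failed to get credentials for gcp kms, add default credentials or %s", envOAuthToken)
}

func main() {
	// Constructed sample: nothing on the key, no credentials file, token present in env.
	env := map[string]string{envOAuthToken: "ya29.constructed-example"}
	lookup := func(k string) (string, bool) { v, ok := env[k]; return v, ok }
	noFile := func() ([]byte, error) { return nil, fmt.Errorf("no default credentials") }
	method, err := selectAuth(kmsKey{}, lookup, noFile)
	fmt.Println(method, err) // env-access-token <nil>
}
```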
While going through all PRs I noticed that #1188 seems to do the same thing (from the general functionality point of view) as this one. So once this is done I guess we can close #1188. (If that's not correct, please tell me :) )
@marensofier can you please resolve the conflicts and address the comments? Thanks.
@sabre1041 @matheuscscp can you take another look at the latest version?
I'd also change the name of the PR to Add support for gcp access token from environment variable
@marensofier @warwick-mitchell1 @matheuscscp and everyone else involved in the PRs, thanks a lot for your contributions, reviews, and comments! I'm glad we finally got this resolved and merged :)