Enable control of GCP quota project id #1142

haizaar opened this issue Nov 11, 2022 · 1 comment · May be fixed by #1697
haizaar commented Nov 11, 2022

Good day,
I ran into an issue today when trying to decrypt a JSON file with a GCP KMS key stored in project foo - sops kept complaining that the KMS API is not enabled in project bar.

After running strace I figured out that sops is trying to use the calling project_id as defined in ~/.config/gcloud/application_default_credentials.json:

{
  "client_id": "...",
  "client_secret": "...",
  "quota_project_id": "bar",
  "refresh_token": "...",
  "type": "authorized_user"
}

One can change this value by running gcloud auth application-default set-quota-project foo, but there is a problem with it - this setting is global across your whole environment and there is no way to amend it with environment variables. That is, if I'm working on two projects on my machine I can set all gcloud SDK (not app default) options dynamically using CLOUDSDK_... env vars, e.g. through direnv. However I can't do that for quota_project_id, hence it basically hinders me from using sops properly in two envs in parallel.

I know it's not a sops problem but rather a Cloud SDK limitation. However, it would be great if sops could support extra GCP args so we could do something like:

sops --decrypt --gcp-quota-project-id=$CLOUDSDK_CORE_PROJECT foo.json

This way we can isolate dev envs fully. What do you think?

haizaar commented Nov 11, 2022

I think I found a good-enough work-around:

gcloud auth application-default login --disable-quota-project

This removes quota_project_id from ~/.config/gcloud/application_default_credentials.json completely, so the SDK will use the project owning the resource by default, which is what I want in my case.

@haizaar haizaar closed this as completed Nov 11, 2022
onjen added a commit to onjen/sops that referenced this issue Dec 6, 2024
As described in the linked issue, if the GCP KMS key is stored in
project foo but the service account is created in project bar, sops
complains that the KMS API is not enabled in project bar.

The quota project used by default is the one encoded in the service
account key. With this commit the behavior changes: the project
where the KMS key and API reside is read from the key ID and set
via the quota project option.

Fixes getsops#1142

Signed-off-by: Johannes Rothe <[email protected]>
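The following is an added example, not code from sops or from the commit above, that models the two behaviours discussed in this thread: the default, where the quota project comes from whatever quota_project_id the ADC file carries (or none at all after --disable-quota-project), and the commit's approach, where the project is parsed out of the KMS key resource ID. It assumes the standard cryptoKey resource ID layout (projects/<project>/locations/<location>/keyRings/<ring>/cryptoKeys/<key>); the ADC contents and key ID are constructed sample values, and the names projectFromKMSKey, quotaProjectBefore, quotaProjectAfter and billedProject are this example's own. In a real client the chosen value would be handed to the GCP API client as its quota project option rather than returned as a string.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample ADC file, shaped like the one quoted in the issue.
// Secrets are placeholders.
const sampleADC = `{
  "client_id": "placeholder-client-id",
  "client_secret": "placeholder-client-secret",
  "quota_project_id": "bar",
  "refresh_token": "placeholder-refresh-token",
  "type": "authorized_user"
}`

// Constructed key ID: the KMS key lives in project foo.
const sampleKeyID = "projects/foo/locations/global/keyRings/sops/cryptoKeys/sops-key"

// adcFile holds the only field of application_default_credentials.json that
// decides which project a KMS request is billed to.
type adcFile struct {
	Type           string `json:"type"`
	QuotaProjectID string `json:"quota_project_id"`
}

// projectFromKMSKey extracts the project from a cryptoKey resource ID of the form
// projects/<project>/locations/<location>/keyRings/<ring>/cryptoKeys/<key>.
// A cryptoKeyVersions suffix is tolerated; anything shorter or misordered is rejected.
func projectFromKMSKey(resourceID string) (string, error) {
	parts := strings.Split(strings.Trim(resourceID, "/"), "/")
	if len(parts) < 8 || parts[0] != "projects" || parts[2] != "locations" ||
		parts[4] != "keyRings" || parts[6] != "cryptoKeys" || parts[1] == "" {
		return "", fmt.Errorf("not a KMS cryptoKey resource ID: %q", resourceID)
	}
	return parts[1], nil
}

// quotaProjectBefore models the default behaviour: the quota project is whatever
// the ADC file carries. An empty result means no quota project is sent, which is
// what --disable-quota-project produces.
func quotaProjectBefore(adcJSON []byte) (string, error) {
	var adc adcFile
	if err := json.Unmarshal(adcJSON, &adc); err != nil {
		return "", fmt.Errorf("parse ADC file: %w", err)
	}
	return adc.QuotaProjectID, nil
}

// quotaProjectAfter models the linked commit: the quota project is always the
// project that owns the key, taken from the key ID, so the ADC file no longer
// decides where the KMS API must be enabled.
func quotaProjectAfter(resourceID string) (string, error) {
	return projectFromKMSKey(resourceID)
}

// billedProject is the project whose KMS API enablement the request is checked
// against: the explicit quota project if one is set, otherwise the key's owner
// (the behaviour the issue author observed after removing quota_project_id).
func billedProject(quotaProject, resourceID string) (string, error) {
	if quotaProject != "" {
		return quotaProject, nil
	}
	return projectFromKMSKey(resourceID)
}

func main() {
	before, _ := quotaProjectBefore([]byte(sampleADC))
	billedBefore, _ := billedProject(before, sampleKeyID)
	fmt.Printf("default: quota project %q -> KMS API checked in project %q\n", before, billedBefore)

	after, _ := quotaProjectAfter(sampleKeyID)
	billedAfter, _ := billedProject(after, sampleKeyID)
	fmt.Printf("commit:  quota project %q -> KMS API checked in project %q\n", after, billedAfter)
}
```

Running it shows the mismatch from the issue (key in foo, request checked against bar) and how deriving the quota project from the key ID removes it. The same parser also catches a malformed key ID up front, which is preferable to letting the request fail later with a misleading "API not enabled" error.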