fix(gcpkms): Set quota project to API project
As described in the linked issue, if the GCP KMS key is stored in
project foo, but the service account is created in project bar, sops
complains that the KMS API is not enabled in project bar.

The quota project used by default is the one encoded in the service
account key. With this commit, the behavior changes, so the project
where the KMS key and API reside is read from the key ID and set
via the quota project option.

Fixes #1142

Signed-off-by: Johannes Rothe <[email protected]>
onjen committed Dec 6, 2024
1 parent bb710f3 commit 1330a8a
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion gcpkms/keysource.go
@@ -208,13 +208,14 @@ func (key *MasterKey) TypeToIdentifier() string {
// It returns an error if the ResourceID is invalid, or if the setup of the
// client fails.
func (key *MasterKey) newKMSClient() (*kms.KeyManagementClient, error) {
re := regexp.MustCompile(`^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$`)
re := regexp.MustCompile(`^projects/(?P<project>[^/]+)/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$`)
matches := re.FindStringSubmatch(key.ResourceID)
if matches == nil {
return nil, fmt.Errorf("no valid resource ID found in %q", key.ResourceID)
}

var opts []option.ClientOption
opts = append(opts, option.WithQuotaProject(matches[1]))
switch {
case key.credentialJSON != nil:
opts = append(opts, option.WithCredentialsJSON(key.credentialJSON))
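Review bot: the new regexp names its capture group `project`, but the value is then read positionally as `matches[1]` in `option.WithQuotaProject(matches[1])`; the name buys nothing today and the index silently points at the wrong group if another capture is ever added in front of it. Either resolve it by name with `re.SubexpIndex("project")` (Go 1.15+) and index `matches` with that, or drop the `?P<project>` name. Since the quota project is now always derived from the key's resource ID, overriding whatever project the credentials encode, the doc comment above (`// It returns an error if the ResourceID is invalid, or if the setup of the client fails.`) should say so, because callers whose credentials live in a different project must now have the Cloud KMS API enabled in the key's project rather than the credential's. Minor: `regexp.MustCompile` still runs on every `newKMSClient` call; hoisting the pattern to a package-level `var` would avoid recompiling it.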