From 65b5036d7e05c755351a4d17e3d38f6f2be5feb6 Mon Sep 17 00:00:00 2001
From: Johannes Rothe
Date: Fri, 6 Dec 2024 15:53:31 +0100
Subject: [PATCH] fix(gcpkms): Set quota project to API project

Like described in the linked issue, if the GCP KMS key is stored in project foo, but the service account is created in project bar, sops complains that KMS API is not enabled in project bar. The quota project used by default is the one encoded in the service account key. With this commit, the behavior changes, so the project where the KMS key and API reside, is read from the key ID and set via the quota project option.

Fixes #1142
---
 gcpkms/keysource.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/gcpkms/keysource.go b/gcpkms/keysource.go
index 8ff51357d..3aa54b6e1 100644
--- a/gcpkms/keysource.go
+++ b/gcpkms/keysource.go
@@ -208,13 +208,14 @@ func (key *MasterKey) TypeToIdentifier() string {
 // It returns an error if the ResourceID is invalid, or if the setup of the
 // client fails.
 func (key *MasterKey) newKMSClient() (*kms.KeyManagementClient, error) {
-	re := regexp.MustCompile(`^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$`)
+	re := regexp.MustCompile(`^projects/(?P[^/]+)/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$`)
 	matches := re.FindStringSubmatch(key.ResourceID)
 	if matches == nil {
 		return nil, fmt.Errorf("no valid resource ID found in %q", key.ResourceID)
 	}
 	var opts []option.ClientOption
+	opts = append(opts, option.WithQuotaProject(matches[1]))
 	switch {
 	case key.credentialJSON != nil:
 		opts = append(opts, option.WithCredentialsJSON(key.credentialJSON))