Enable control of GCP quota project id #1142
Comments
I think I found a good-enough work-around:
This removes |
onjen added a commit to onjen/sops that referenced this issue Dec 6, 2024
As described in the linked issue, if the GCP KMS key is stored in project foo, but the service account is created in project bar, sops complains that KMS API is not enabled in project bar. The quota project used by default is the one encoded in the service account key. With this commit, the behavior changes, so the project where the KMS key and API reside is read from the key ID and set via the quota project option. Fixes getsops#1142
onjen added a commit to onjen/sops that referenced this issue Dec 6, 2024
As described in the linked issue, if the GCP KMS key is stored in project foo, but the service account is created in project bar, sops complains that KMS API is not enabled in project bar. The quota project used by default is the one encoded in the service account key. With this commit, the behavior changes, so the project where the KMS key and API reside is read from the key ID and set via the quota project option. Fixes getsops#1142 Signed-off-by: Johannes Rothe <[email protected]>
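The mismatch this issue and commit describe can be checked before decrypting. The following is an added example, not code from sops or from the commit: it reads the project out of a KMS key resource ID and compares it with the quota_project_id field of a credentials file. The function names, the sample key ID and the sample JSON are constructed for illustration; foo and bar are the project names used in the issue.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Layout of a Cloud KMS key resource ID; a key version may follow the key name.
var kmsKeyRe = regexp.MustCompile(
	`^projects/([^/]+)/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+(/cryptoKeyVersions/[^/]+)?$`)

// projectFromKeyID (hypothetical helper) returns the project segment of a
// KMS key resource ID and rejects anything that does not match the full
// layout, so a malformed ID never selects a quota project.
func projectFromKeyID(keyID string) (string, error) {
	m := kmsKeyRe.FindStringSubmatch(keyID)
	if m == nil {
		return "", fmt.Errorf("not a KMS key resource ID: %q", keyID)
	}
	return m[1], nil
}

// quotaMismatch (hypothetical helper) reports whether the quota_project_id in
// the credentials JSON names a different project than the one owning the key.
// An empty quotaProject means the file sets none; that case is not flagged.
func quotaMismatch(adcJSON []byte, keyID string) (keyProject, quotaProject string, mismatch bool, err error) {
	var adc struct {
		QuotaProjectID string `json:"quota_project_id"`
	}
	if err = json.Unmarshal(adcJSON, &adc); err != nil {
		return "", "", false, err
	}
	if keyProject, err = projectFromKeyID(keyID); err != nil {
		return "", "", false, err
	}
	mismatch = adc.QuotaProjectID != "" && adc.QuotaProjectID != keyProject
	return keyProject, adc.QuotaProjectID, mismatch, nil
}

func main() {
	// Constructed sample inputs, not taken from a real environment.
	adc := []byte(`{"type":"authorized_user","quota_project_id":"bar"}`)
	key := "projects/foo/locations/global/keyRings/sops/cryptoKeys/sops-key"
	kp, qp, bad, err := quotaMismatch(adc, key)
	fmt.Printf("key project=%s quota project=%s mismatch=%v err=%v\n", kp, qp, bad, err)
}
```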
Good day,

I ran into an issue today when trying to decrypt a JSON file with a GCP KMS key stored in project foo - sops kept complaining that KMS API is not enabled in project bar.

After running strace I figured out that sops is trying to use calling project_d as defined in ~/.config/gcloud/application_default_credentials.json:

One can change this value by running

gcloud auth application-default set-quota-project foo

but there is a problem with it - this setting is global across your whole environment and there is no way to amend it with environment variables. That is, if I'm working on two projects on my machine I can set all gcloud SDK (not app default) options dynamically using CLOUDSDK_... env vars, e.g. through direnv. However I can't do that for quota_project_id, hence it basically hinders me from using sops properly in two envs in parallel.

I know it's not a sops problem but rather a Cloud SDK limitation. However it will be great if sops can support extra GCP args and we could do something like:

This way we can isolate dev envs fully. What do you think?