Aug 6, 2024 · Aug 26, 2024 · Aug 26, 2024 · Aug 9, 2024 · Aug 12, 2024 · Jul 30, 2024
diff --git a/README.rst b/README.rst

 Encrypting using GCP KMS
 ~~~~~~~~~~~~~~~~~~~~~~~~
 GCP KMS uses `Application Default Credentials
 <https://developers.google.com/identity/protocols/application-default-credentials>`_.
 GCP KMS has support for authorization with the use of `Application Default Credentials
 <https://developers.google.com/identity/protocols/application-default-credentials>`_ and using an oauth2 token.
 Application default credentials precedes the use of access token.

 Using Application Default Credentials you can authorize by doing this:

 If you already logged in using

 .. code:: sh

    $ gcloud auth application-default login

 Using oauth tokens you can authorize by doing this:

 .. code:: sh

    $ export GOOGLE_OAUTH_ACCESS_TOKEN=<your access token>

 Or if you are logged in you can authorize by generating an access token:

 .. code:: sh

    $ export GOOGLE_OAUTH_ACCESS_TOKEN="$(gcloud auth print-access-token)"


 Encrypting/decrypting with GCP KMS requires a KMS ResourceID. You can use the
 cloud console the get the ResourceID or you can create one using the gcloud
 sdk:

     $ sops decrypt test.enc.yaml


 Encrypting using Azure Key Vault
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

diff --git a/gcpkms/keysource.go b/gcpkms/keysource.go
 kms "cloud.google.com/go/kms/apiv1"
 "cloud.google.com/go/kms/apiv1/kmspb"
 "github.com/sirupsen/logrus"
 "golang.org/x/oauth2"
 "google.golang.org/api/option"
 "google.golang.org/grpc"

 // a path to a credentials file, or directly as the variable's value in JSON
 // format.
 SopsGoogleCredentialsEnv = "GOOGLE_CREDENTIALS"
 // SopsGoogleCredentialsOAuthToken is the environment variable used for the
 // GCP Oauth2 Token.
 SopsGoogleCredentialsOAuthToken = "GOOGLE_OAUTH_ACCESS_TOKEN"
 // KeyTypeIdentifier is the string used to identify a GCP KMS MasterKey.
 KeyTypeIdentifier = "gcp_kms"
 )
 return KeyTypeIdentifier
 }

 // newKMSClient returns a GCP KMS client configured with the credentialJSON
 // and/or grpcConn, falling back to environmental defaults.
 // newKMSClient returns a GCP KMS client configured with the credentialJSON,
 //tokenSourceand/or grpcConn, falling back to environmental defaults.
 // It returns an error if the ResourceID is invalid, or if the setup of the
 // client fails.
 func (key *MasterKey) newKMSClient() (*kms.KeyManagementClient, error) {
 case key.credentialJSON != nil:
 opts = append(opts, option.WithCredentialsJSON(key.credentialJSON))
 default:
 credentials, err := getGoogleCredentials()
 if err != nil {
 return nil, err
 }
 credentials, err_credentials_file := getGoogleCredentials()
 if credentials != nil {
 opts = append(opts, option.WithCredentialsJSON(credentials))
 break
 }

 at_credentials, err_credentials_token := getGoogleOAuthToken()
 if at_credentials != nil {
 opts = append(opts, option.WithTokenSource(at_credentials))
 }

 if err_credentials_file != nil && err_credentials_token != nil {
 return nil, fmt.Errorf("credentials: failed to get credentials for gcp kms, add default credentials or oauth access token")
 }
 }

 if key.grpcConn != nil {
 opts = append(opts, option.WithGRPCConn(key.grpcConn))
 }

 ctx := context.Background()
 client,err := kms.NewKeyManagementClient(ctx, opts...)
 iferr != nil {
 return nil,err
 client,err_credentials := kms.NewKeyManagementClient(ctx, opts...)
 iferr_credentials != nil {
 return nil,err_credentials
 }

 return client, nil
 }

 // getGoogleCredentials returns the SopsGoogleCredentialsEnv variable, as
 // either the file contents of the path of a credentials file, or as value in
 // JSON format. It returns an error if the file cannot be read, and may return
 // a nil byte slice if no value is set.
 // JSON format.
 // It returns an error and a nil byte slice  if the environment variable is not set,
 // or the file cannot be read.
 func getGoogleCredentials() ([]byte, error) {
 if defaultCredentials, ok := os.LookupEnv(SopsGoogleCredentialsEnv); ok && len(defaultCredentials) > 0 {
 if _, err := os.Stat(defaultCredentials); err == nil {
 return os.ReadFile(defaultCredentials)
 }

 return []byte(defaultCredentials), nil
 }
 return nil, nil
 return nil, fmt.Errorf("could not find Google credential file")
 }

 // getGoogleOAuthToken returns the SopsGoogleCredentialsOauthToken variable,
 // as the oauth token.
 // It returns an error and a nil byte slice if the envrionment variable is not set.
 func getGoogleOAuthToken() (oauth2.TokenSource, error) {
 if token, isSet := os.LookupEnv(SopsGoogleCredentialsOAuthToken); isSet {
 tokenSource := oauth2.StaticTokenSource(
 &oauth2.Token{AccessToken: token},
 )

 return tokenSource, nil
 }

 return nil, fmt.Errorf("could not find Google OAuth token")
 }
diff --git a/gcpkms/keysource_test.go b/gcpkms/keysource_test.go
 })

 key := MasterKey{
 grpcConn:   newGRPCServer("0"),
 ResourceID: testResourceID,
 grpcConn:       newGRPCServer("0"),
 ResourceID:     testResourceID,
 credentialJSON: []byte("arbitrary credentials"),
 }
 err := key.Encrypt([]byte("encrypt"))
 assert.NoError(t, err)
 Plaintext: []byte(decryptedData),
 })
 key := MasterKey{
 grpcConn:     newGRPCServer("0"),
 ResourceID:   testResourceID,
 EncryptedKey: "encryptedKey",
 grpcConn:       newGRPCServer("0"),
 ResourceID:     testResourceID,
 EncryptedKey:   "encryptedKey",
 credentialJSON: []byte("arbitrary credentials"),
 }
 data, err := key.Decrypt()
 assert.NoError(t, err)
 }, key.ToMap())
 }

 funcTestMasterKey_createCloudKMSService(t *testing.T) {
 funcTestMasterKey_createCloudKMSService_withCredentialsFile(t *testing.T) {
 tests := []struct {
 key       MasterKey
 errString string
 "type": "authorized_user"}`),
 },
 },
 {
 key: MasterKey{
 ResourceID: testResourceID,
 },
 errString: "credentials: failed to get credentials",
 },
 }

 for _, tt := range tests {
 }
 }

 func TestMasterKey_createCloudKMSService_withOauthToken(t *testing.T) {
 t.Setenv(SopsGoogleCredentialsOAuthToken, "token")

 masterKey := MasterKey{
 ResourceID: testResourceID,
 }

 _, err := masterKey.newKMSClient()

 assert.NoError(t, err)
 }

 func TestMasterKey_createCloudKMSService_withoutCredentials(t *testing.T) {
 masterKey := MasterKey{
 ResourceID: testResourceID,
 }

 _, err := masterKey.newKMSClient()

 assert.Error(t, err)
 assert.ErrorContains(t, err, "credentials: failed to get credentials")
 }

 func newGRPCServer(port string) *grpc.ClientConn {
 serv := grpc.NewServer()
 kmspb.RegisterKeyManagementServiceServer(serv, &mockKeyManagement)
diff --git a/go.mod b/go.mod
 module github.com/getsops/sops/v3

 go 1.22

 toolchain go1.23.6

 require (
 github.com/urfave/cli v1.22.16
 golang.org/x/crypto v0.35.0
 golang.org/x/net v0.35.0
 golang.org/x/oauth2 v0.26.0
 golang.org/x/sys v0.30.0
 golang.org/x/term v0.29.0
 google.golang.org/api v0.223.0
 go.opentelemetry.io/otel/sdk v1.34.0 // indirect
 go.opentelemetry.io/otel/sdk/metric v1.33.0 // indirect
 go.opentelemetry.io/otel/trace v1.34.0 // indirect
 golang.org/x/oauth2 v0.26.0 // indirect
 golang.org/x/sync v0.11.0 // indirect
 golang.org/x/text v0.22.0 // indirect
 golang.org/x/time v0.10.0 // indirect
Original file line number	Diff line number	Diff line change
Expand Up		@@ -265,8 +265,12 @@ It is also possible to use ``updatekeys``, when adding or removing age recipient

		Encrypting using GCP KMS
		~~~~~~~~~~~~~~~~~~~~~~~~
		GCP KMS uses `Application Default Credentials
		<https://developers.google.com/identity/protocols/application-default-credentials>`_.
		GCP KMS has support for authorization with the use of `Application Default Credentials
		<https://developers.google.com/identity/protocols/application-default-credentials>`_ and using an oauth2 token.
		Application default credentials precedes the use of access token.

		Using Application Default Credentials you can authorize by doing this:

		If you already logged in using

		.. code:: sh
Expand All		@@ -279,6 +283,19 @@ you can enable application default credentials using the sdk:

		$ gcloud auth application-default login

		Using oauth tokens you can authorize by doing this:

		.. code:: sh

		$ export GOOGLE_OAUTH_ACCESS_TOKEN=<your access token>

		Or if you are logged in you can authorize by generating an access token:

		.. code:: sh

		$ export GOOGLE_OAUTH_ACCESS_TOKEN="$(gcloud auth print-access-token)"

devstein marked this conversation as resolved. Show resolvedHide resolved

		Encrypting/decrypting with GCP KMS requires a KMS ResourceID. You can use the
		cloud console the get the ResourceID or you can create one using the gcloud
		sdk:
Expand All		@@ -301,6 +318,7 @@ And decrypt it using::

		$ sops decrypt test.enc.yaml


		Encrypting using Azure Key Vault
		~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -53,8 +53,9 @@ func TestMasterKey_Encrypt(t *testing.T) {
		})

		key := MasterKey{
		grpcConn: newGRPCServer("0"),
		ResourceID: testResourceID,
		grpcConn: newGRPCServer("0"),
		ResourceID: testResourceID,
		credentialJSON: []byte("arbitrary credentials"),
		}
		err := key.Encrypt([]byte("encrypt"))
		assert.NoError(t, err)
Expand All		@@ -80,9 +81,10 @@ func TestMasterKey_Decrypt(t *testing.T) {
		Plaintext: []byte(decryptedData),
		})
		key := MasterKey{
		grpcConn: newGRPCServer("0"),
		ResourceID: testResourceID,
		EncryptedKey: "encryptedKey",
		grpcConn: newGRPCServer("0"),
		ResourceID: testResourceID,
		EncryptedKey: "encryptedKey",
		credentialJSON: []byte("arbitrary credentials"),
		}
		data, err := key.Decrypt()
		assert.NoError(t, err)
Expand DownExpand Up		@@ -116,7 +118,7 @@ func TestMasterKey_ToMap(t *testing.T) {
		}, key.ToMap())
		}

		funcTestMasterKey_createCloudKMSService(t *testing.T) {
		funcTestMasterKey_createCloudKMSService_withCredentialsFile(t *testing.T) {
		tests := []struct {
		key MasterKey
		errString string
Expand All		@@ -136,6 +138,12 @@ func TestMasterKey_createCloudKMSService(t *testing.T) {
		"type": "authorized_user"}`),
		},
		},
		{
		key: MasterKey{
		ResourceID: testResourceID,
		},
		errString: "credentials: failed to get credentials",
		},
		}

		for _, tt := range tests {
Expand All		@@ -149,6 +157,29 @@ func TestMasterKey_createCloudKMSService(t *testing.T) {
		}
		}

		func TestMasterKey_createCloudKMSService_withOauthToken(t *testing.T) {
		t.Setenv(SopsGoogleCredentialsOAuthToken, "token")

		masterKey := MasterKey{
		ResourceID: testResourceID,
		}

		_, err := masterKey.newKMSClient()

		assert.NoError(t, err)
		}

		func TestMasterKey_createCloudKMSService_withoutCredentials(t *testing.T) {
		masterKey := MasterKey{
		ResourceID: testResourceID,
		}

		_, err := masterKey.newKMSClient()

		assert.Error(t, err)
		assert.ErrorContains(t, err, "credentials: failed to get credentials")
		}

		func newGRPCServer(port string) *grpc.ClientConn {
		serv := grpc.NewServer()
		kmspb.RegisterKeyManagementServiceServer(serv, &mockKeyManagement)
Expand Down
Original file line number	Diff line number	Diff line change
		@@ -1,6 +1,7 @@
		module github.com/getsops/sops/v3

		go 1.22

Copy link Contributor felixfonteinMar 5, 2025 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others.Learn more. Can you undo this change? Thanks.
		toolchain go1.23.6

		require (
Expand DownExpand Up		@@ -36,6 +37,7 @@ require (
		github.com/urfave/cli v1.22.16
		golang.org/x/crypto v0.35.0
		golang.org/x/net v0.35.0
		golang.org/x/oauth2 v0.26.0
		golang.org/x/sys v0.30.0
		golang.org/x/term v0.29.0
		google.golang.org/api v0.223.0
Expand DownExpand Up		@@ -139,7 +141,6 @@ require (
		go.opentelemetry.io/otel/sdk v1.34.0 // indirect
		go.opentelemetry.io/otel/sdk/metric v1.33.0 // indirect
		go.opentelemetry.io/otel/trace v1.34.0 // indirect
		golang.org/x/oauth2 v0.26.0 // indirect
		golang.org/x/sync v0.11.0 // indirect
		golang.org/x/text v0.22.0 // indirect
		golang.org/x/time v0.10.0 // indirect
Expand Down