First of all, thank you so very much for SOPS! In my opinion it powers a very critical component of GitOps. I'm a Flux core maintainer so you can guess how much I love GitOps and consequently how much I also love SOPS :)
Now, on to the feature request :)
As a user I'd like the ability to use multi-tenant workload identity for decrypting SOPS-encrypted secrets in CNCF Flux through the Kustomization API using GCP KMS. How I'm planning to do it on the Flux side is detailed in this section of the RFC for Multi-Tenant Workload Identity (RFC link).
In order to enable this use case it is necessary to implement an interface for GCP KMS similar to the interfaces for AWS and Azure, kms.CredentialsProvider and azkv.TokenCredential. The equivalent interface for GCP would be oauth2.TokenSource. There are a number of ways one could create an object that implements this interface, so this would definitely be very helpful for users of the GCP SOPS SDK, and hence would enable more advanced methods of GCP KMS authentication to be used for SOPS.
I'm more than willing to contribute this feature; my plan is to open a PR next weekend. Please consider reviewing it! 🙏 🙏 🙏
Edit: PR opened sooner
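To illustrate the kind of object the request is about, here is an added example (not SOPS or Flux code) of a per-tenant token source with the same method shape as oauth2.TokenSource: one instance per tenant service account, a cached token that is refreshed before expiry, and a rejection of empty or already-expired tokens. The Token struct and TokenSource interface are local stand-ins mirroring golang.org/x/oauth2 so the file builds with the standard library alone, and the Fetch hook is a hypothetical placeholder for the workload-identity token exchange.

```go
package main

import (
	"errors"
	"sync"
	"time"
)

// Token is a local stand-in for the oauth2.Token fields used here (assumption: not the oauth2 type).
type Token struct {
	AccessToken string
	Expiry      time.Time
}

// Valid reports whether the token is non-empty and not within 30s of expiring.
func (t *Token) Valid() bool {
	return t != nil && t.AccessToken != "" && time.Now().Add(30*time.Second).Before(t.Expiry)
}

// TokenSource has the same method shape as golang.org/x/oauth2's TokenSource.
type TokenSource interface{ Token() (*Token, error) }
var _ TokenSource = (*TenantTokenSource)(nil) // compile-time check

// TenantTokenSource holds the credential for exactly one tenant's service account and
// refreshes it before expiry; one instance per tenant means a decrypt on behalf of
// tenant A never reuses tenant B's token.
type TenantTokenSource struct {
	ServiceAccount string
	Fetch          func(serviceAccount string) (*Token, error) // token-exchange hook (hypothetical)
	mu             sync.Mutex
	cached         *Token
}

// Token satisfies TokenSource: serve the cached token while valid, else exchange anew.
func (s *TenantTokenSource) Token() (*Token, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.cached.Valid() {
		return s.cached, nil
	}
	tok, err := s.Fetch(s.ServiceAccount)
	if err != nil {
		return nil, err
	}
	if !tok.Valid() {
		return nil, errors.New("token exchange returned an empty or expired token")
	}
	s.cached = tok
	return tok, nil
}
```

A SOPS GCP KMS integration of the kind requested would accept such a value and pass it to the KMS client, so that each tenant's decrypt calls carry only that tenant's credential.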