sops: Cannot create GCP KMS when using Google Workload Identity Federation
I’m authenticating and authorizing a GitHub Action workflow to impersonate a GCP service account using Workload Identity Federation, which has permissions to decrypt a SOPS-encrypted file. I’m using https://github.com/google-github-actions/auth to do so, which exports the `GOOGLE_APPLICATION_CREDENTIALS` environment variable and sets it to a generated credentials file. However, when it comes to using `sops` to decrypt the file, I encounter this error:
```
Failed to get the data key required to decrypt the SOPS file.
Group 0: FAILED
  <*** path to GCP keyring ***>: FAILED
    - | Cannot create GCP KMS service: google: error getting
      | credentials using GOOGLE_APPLICATION_CREDENTIALS environment
      | variable: unknown credential type: "external_account"
```
Indeed, this credential file is of type `external_account`, not `service_account`, which would normally work.
The error is generated here. Looking further into this, I see the function is deprecated, and on top of that, the version of the pkg.go.dev/google.golang.org/api package used in `sops` is severely outdated.
My suspicion lies in the outdated google api package, which may not support workload identity federation, but of course there may be other reason(s) why it’s not supported.
About this issue
- State: closed
- Created 3 years ago
- Reactions: 9
- Comments: 17 (1 by maintainers)
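The issue body comes down to one field: the client library switches on the top-level `"type"` of the file that `GOOGLE_APPLICATION_CREDENTIALS` points at, and an old loader does not know `external_account`. The following Go program is an added example, not code from sops or from google.golang.org/api; it parses a credential file with the standard library only, checks that the fields each type needs are present, and models the old versus the fixed loader as two plain predicates (an assumption for illustration, not the library's real code). The sample JSON is constructed with placeholder values in the shape google-github-actions/auth produces for WIF.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// credentialType is the top-level "type" field of a Google credential JSON
// file; it is what a client library switches on when loading
// GOOGLE_APPLICATION_CREDENTIALS.
type credentialType string

const (
	typeServiceAccount  credentialType = "service_account"
	typeAuthorizedUser  credentialType = "authorized_user"
	typeExternalAccount credentialType = "external_account"
)

// credentialFile carries only the fields this preflight check looks at.
type credentialFile struct {
	Type                           credentialType  `json:"type"`
	ClientEmail                    string          `json:"client_email"`
	PrivateKey                     string          `json:"private_key"`
	Audience                       string          `json:"audience"`
	SubjectTokenType               string          `json:"subject_token_type"`
	TokenURL                       string          `json:"token_url"`
	ServiceAccountImpersonationURL string          `json:"service_account_impersonation_url"`
	CredentialSource               json.RawMessage `json:"credential_source"`
}

// legacyLoaderSupports models, as an assumption and not the library's own code,
// the behaviour the issue reports for an outdated google.golang.org/api: only
// the two long-standing types are recognised, so external_account is rejected
// with "unknown credential type".
func legacyLoaderSupports(t credentialType) bool {
	return t == typeServiceAccount || t == typeAuthorizedUser
}

// currentLoaderSupports models a loader that also understands the Workload
// Identity Federation file type.
func currentLoaderSupports(t credentialType) bool {
	return legacyLoaderSupports(t) || t == typeExternalAccount
}

// inspectCredentials parses a credential file and checks that the fields the
// declared type needs are present, so a broken file is reported before any
// KMS call is attempted.
func inspectCredentials(raw []byte) (credentialType, error) {
	var c credentialFile
	if err := json.Unmarshal(raw, &c); err != nil {
		return "", fmt.Errorf("credential file is not valid JSON: %w", err)
	}
	var missing []string
	need := func(ok bool, field string) {
		if !ok {
			missing = append(missing, field)
		}
	}
	switch c.Type {
	case typeServiceAccount:
		need(c.ClientEmail != "", "client_email")
		need(c.PrivateKey != "", "private_key")
	case typeExternalAccount:
		need(c.Audience != "", "audience")
		need(c.SubjectTokenType != "", "subject_token_type")
		need(c.TokenURL != "", "token_url")
		need(len(c.CredentialSource) > 0, "credential_source")
	case typeAuthorizedUser:
		// user ADC written by gcloud; nothing further is checked here
	default:
		return c.Type, fmt.Errorf("unknown credential type %q", c.Type)
	}
	if len(missing) > 0 {
		return c.Type, fmt.Errorf("%s file is missing %v", c.Type, missing)
	}
	return c.Type, nil
}

// sampleExternalAccount is a constructed WIF credential file; every value is a
// placeholder, not a real pool, provider or service account.
const sampleExternalAccount = `{
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/000000000000/locations/global/workloadIdentityPools/example-pool/providers/example-provider",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "token_url": "https://sts.googleapis.com/v1/token",
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/sops-decrypt@example-project.iam.gserviceaccount.com:generateAccessToken",
  "credential_source": {"file": "/tmp/oidc-token"}
}`

func main() {
	raw := []byte(sampleExternalAccount)
	if path := os.Getenv("GOOGLE_APPLICATION_CREDENTIALS"); path != "" {
		var err error
		if raw, err = os.ReadFile(path); err != nil {
			fmt.Println("cannot read credentials:", err)
			os.Exit(1)
		}
	}
	t, err := inspectCredentials(raw)
	if err != nil {
		fmt.Println("credential check failed:", err)
		os.Exit(1)
	}
	fmt.Printf("type=%s legacy_loader_ok=%t current_loader_ok=%t\n",
		t, legacyLoaderSupports(t), currentLoaderSupports(t))
}
```

Run it in the workflow step right after the auth action, with `GOOGLE_APPLICATION_CREDENTIALS` already exported: a `legacy_loader_ok=false` line for an `external_account` file tells you immediately that an older sops build will fail for the reason in this issue, rather than leaving you to decode the KMS error.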
v3.7.3 has been released, and I can confirm sops now works with the workload identity federation kind of credentials 🎉
Thanks a lot @ajvb for the release ❤️
Hi @armand93420, I haven’t solved the issue, but figured out why. Turns out the GCP network is fairly unstable from where I was testing, so every now and then I would get network connection errors causing the failure to decrypt. Wasn’t an issue for me as most services have retries in place to deal with that. Glad to hear you solved your issue.
Hey all,
@AndreLobato idk if you solved your issue but I was getting an error about GCP KMS key not being found even though I followed the steps to create the key.
My issue was that I kept getting a failure trying to decrypt, encrypt, etc. even though I had previously used the key. What I found out was that I originally created an IAM key from a service account a while ago that was stored in a different project. I saved this config in my local gcloud CLI and it was overriding the project location. (How this worked the first time… idk.) After running the below steps I was able to remove this error even in the latest release of SOPS.
```
Failed to get the data key required to decrypt the SOPS file.
Group 0: FAILED
  projects/PROJECT_ID/locations/global/keyRings/sops/cryptoKeys/sops-key: FAILED
    - | Error decrypting key: googleapi: Error 403: Cloud Key
      | Management Service (KMS) API has not been used in project
      | PROJECT_ID before or it is disabled. Enable it by visiting
      | https://console.developers.google.com/apis/api/cloudkms.googleapis.com/overview?project=PROJECT_ID
      | then retry. If you enabled this API recently, wait a few
      | minutes for the action to propagate to our systems and
      | retry.
      | Details:
      | [
      |   {
      |     "@type": "type.googleapis.com/google.rpc.Help",
      |     "links": [
      |       {
      |         "description": "Google developers console API activation",
      |         "url": "https://console.developers.google.com/apis/api/cloudkms.googleapis.com/overview?project=PROJECT_ID"
      |       }
      |     ]
      |   },
      |   {
      |     "@type": "type.googleapis.com/google.rpc.ErrorInfo",
      |     "domain": "googleapis.com",
      |     "metadata": {
      |       "consumer": "projects/PROJECT_ID",
      |       "service": "cloudkms.googleapis.com"
      |     },
      |     "reason": "SERVICE_DISABLED"
      |   }
      | ]
      | , accessNotConfigured
```
Quick fix: run the following steps:
Cheers! Hope this helps someone
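The `Details` array in that 403 is structured, and the `google.rpc.ErrorInfo` entry names both the reason (`SERVICE_DISABLED`) and the `consumer` project the call was attributed to. Comparing that project with the one in the key's resource name separates "KMS is really disabled in the key's project" from the situation this comment describes, where a project saved in the local gcloud config was used instead. The Go program below is an added example, not sops code or the commenter's steps; it uses only the standard library, and the details array and key name it parses are constructed samples with placeholder project ids (the consumer is deliberately set to a different project than the key's so the mismatch path runs).

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// diagnosis classifies a KMS 403 from the "details" array of a googleapi error.
type diagnosis int

const (
	diagOther                   diagnosis = iota // 403 not caused by SERVICE_DISABLED
	diagAPIDisabledInKeyProject                  // cloudkms really is off in the key's project
	diagProjectMismatch                          // call attributed to some other project
)

// errorDetail is one entry of the details array; only the google.rpc.ErrorInfo
// fields needed here are declared, other entry types are parsed and ignored.
type errorDetail struct {
	Type     string            `json:"@type"`
	Reason   string            `json:"reason"`
	Metadata map[string]string `json:"metadata"`
}

// projectFromResource returns <id> from a KMS key name of the form
// projects/<id>/locations/<loc>/keyRings/<ring>/cryptoKeys/<key>.
func projectFromResource(name string) string {
	parts := strings.Split(name, "/")
	if len(parts) >= 2 && parts[0] == "projects" {
		return parts[1]
	}
	return ""
}

// diagnose finds a SERVICE_DISABLED ErrorInfo, if any, and compares the
// consumer project Google attributed the call to with the project that owns
// the key. It returns the classification and the consumer project id.
func diagnose(keyResource string, detailsJSON []byte) (diagnosis, string, error) {
	var details []errorDetail
	if err := json.Unmarshal(detailsJSON, &details); err != nil {
		return diagOther, "", fmt.Errorf("details is not a JSON array: %w", err)
	}
	keyProject := projectFromResource(keyResource)
	for _, d := range details {
		if !strings.HasSuffix(d.Type, "google.rpc.ErrorInfo") || d.Reason != "SERVICE_DISABLED" {
			continue
		}
		// Metadata may be nil for other entry types; indexing a nil map is safe.
		consumer := strings.TrimPrefix(d.Metadata["consumer"], "projects/")
		if consumer == keyProject {
			return diagAPIDisabledInKeyProject, consumer, nil
		}
		return diagProjectMismatch, consumer, nil
	}
	return diagOther, "", nil
}

// sampleKey and sampleDetails are constructed inputs in the shape of the error
// quoted in the comment above; "sops-project" and "other-project-123" are
// placeholders, not real projects.
const sampleKey = "projects/sops-project/locations/global/keyRings/sops/cryptoKeys/sops-key"

const sampleDetails = `[
  {"@type": "type.googleapis.com/google.rpc.Help",
   "links": [{"description": "Google developers console API activation",
              "url": "https://console.developers.google.com/apis/api/cloudkms.googleapis.com/overview?project=other-project-123"}]},
  {"@type": "type.googleapis.com/google.rpc.ErrorInfo",
   "domain": "googleapis.com",
   "metadata": {"consumer": "projects/other-project-123", "service": "cloudkms.googleapis.com"},
   "reason": "SERVICE_DISABLED"}
]`

func main() {
	d, consumer, err := diagnose(sampleKey, []byte(sampleDetails))
	if err != nil {
		fmt.Println("cannot parse error details:", err)
		return
	}
	switch d {
	case diagAPIDisabledInKeyProject:
		fmt.Printf("cloudkms is disabled in %s, which owns the key: enable it there\n", consumer)
	case diagProjectMismatch:
		fmt.Printf("call was attributed to %s but the key lives in %s: check the project/quota project in the local gcloud or ADC configuration\n",
			consumer, projectFromResource(sampleKey))
	default:
		fmt.Println("no SERVICE_DISABLED detail present; the 403 has another cause")
	}
}
```

In practice you would paste the `Details:` array from the sops output and the key name from the `Group 0` line into the two constants; the mismatch branch is the one that points at a stale local gcloud configuration rather than at the KMS API itself.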
@kraxx The dependencies seem to have been updated in #1024, worth another look to see if this fixes the issue with Workload Identity Federation.