
narrow-translator-93508

06/01/2022, 2:31 PM
Hi everybody 👋 I have an issue with the Kubernetes Operator and GCP KMS. Because of a custom backend (first) and a custom secrets provider (second), I get the below error in the logs.
Permission 'cloudkms.cryptoKeyVersions.useToDecrypt' denied on resource 'projects/XXX/locations/europe-west6/keyRings/secrets/cryptoKeys/pulumi'
Anyone else faced the same issue?
I think I found the issue 👉 https://github.com/pulumi/pulumi/issues/3919

echoing-dinner-19531

06/01/2022, 2:46 PM
Literally came up yesterday as well. You should be able to work around it by setting GOOGLE_APPLICATION_CREDENTIALS?

narrow-translator-93508

06/01/2022, 2:46 PM
Yes, that was the plan 😛
Looks like I can't pass JSON into it, it is looking for a file path.. 🤔
Any idea @echoing-dinner-19531?

echoing-dinner-19531

06/01/2022, 2:59 PM
That is what it's looking for: GOOGLE_APPLICATION_CREDENTIALS is a file path, GOOGLE_CREDENTIALS is the contents of that file.

narrow-translator-93508

06/01/2022, 3:34 PM
Problem is that FileSystem selects a file on the operator's file system.

echoing-dinner-19531

06/01/2022, 3:46 PM
Ah right, I don't know if there's any way to inject a file into the operator. Someone might have a workaround, but it sounds like a good reason to prioritise the fix for GOOGLE_CREDENTIALS. I'm off the rest of this week, but I'll nudge internally to see if someone can pick it up; it shouldn't be a hard thing to fix.

narrow-translator-93508

06/02/2022, 7:10 AM
I have looked into it, and it won't be so easy to fix..
It's using a third-party Google library.
A possible workaround would mean using Workload Identity.
Interesting ideas in that issue: https://github.com/google/go-cloud/issues/3108
@echoing-dinner-19531 ping?

echoing-dinner-19531

06/06/2022, 9:57 AM
Hey, it's been a 4 day weekend here in the UK. I'll be looking into this this week.

narrow-translator-93508

06/06/2022, 10:16 AM
Ah yes! The Queen Elizabeth II Jubilee!

echoing-dinner-19531

06/07/2022, 3:03 PM
I've picked up and merged https://github.com/pulumi/pulumi/pull/6379/, which should mean GOOGLE_CREDENTIALS is now picked up for secrets, not just state storage. Should be in the release tomorrow.

narrow-translator-93508

06/07/2022, 3:05 PM
Amazing! Thank you very much @echoing-dinner-19531 👍