Hi everybody 👋 I have an issue with the

Kubernetes Operator

and

GCP KMS

, because of a custom

backend

(first), and custom

secrets

provider (second), I have the below error in the logs.

Permission 'cloudkms.cryptoKeyVersions.useToDecrypt' denied on resource 'projects/XXX/locations/europe-west6/keyRings/secrets/cryptoKeys/pulumi'

Anyone else faced the same issue?

Literally came up yesterday as well. You should be able to work around by setting

GOOGLE_APPLICATION_CREDENTIALS

?

Yes that was the plan 😛

That is what it's looking for, GOOGLE_APPLICATION_CREDENTIALS is a file path, GOOGLE_CREDENTIALS is the contents of that file.

Problem is that

FileSystem selects a file on the operator's file system

Ah right, I don't know if there's anyway to inject a file into the operator. Someone might have a work around but sounds like a good reason to priortise the fix for GOOGLE_CREDENTIALS. I'm off rest of this week but I'll nudge internally to see if someone can pick it up, it shouldn't be a hard thing to fix.

I have looked into it, and it won't be so easy to fix..

Hey, it's been a 4 day weekend here in the UK. I'll be looking into this this week.

Ah yes! the Queen Elizabeth II Jubilee!

I've picked up and merged https://github.com/pulumi/pulumi/pull/6379/ which should mean GOOGLE_CREDENTIALS is now picked up for secrets not just state storage. Should be in the release tomorrow.

Amazing! thank you very much @echoing-dinner-19531 👍