# general
n
Hi everybody 👋 I have an issue with the Kubernetes Operator and GCP KMS, because of a custom backend (first), and custom secrets provider (second), I have the below error in the logs.
Permission 'cloudkms.cryptoKeyVersions.useToDecrypt' denied on resource 'projects/XXX/locations/europe-west6/keyRings/secrets/cryptoKeys/pulumi'
Anyone else faced the same issue?
I think I found the issue 👉 https://github.com/pulumi/pulumi/issues/3919
e
Literally came up yesterday as well. You should be able to work around by setting GOOGLE_APPLICATION_CREDENTIALS?
n
Yes that was the plan 😛
Looks like I can't pass JSON into it, it is looking for a file path.. 🤔
Any idea @echoing-dinner-19531?
e
That is what it's looking for, GOOGLE_APPLICATION_CREDENTIALS is a file path, GOOGLE_CREDENTIALS is the contents of that file.
n
Problem is that
FileSystem selects a file on the operator's file system
e
Ah right, I don't know if there's any way to inject a file into the operator. Someone might have a workaround but sounds like a good reason to prioritise the fix for GOOGLE_CREDENTIALS. I'm off rest of this week but I'll nudge internally to see if someone can pick it up, it shouldn't be a hard thing to fix.
🙏 1
n
I have looked into it, and it won't be so easy to fix..
It's using a third-party Google library
A possible workaround would mean using Workload Identity
Interesting ideas in that issue https://github.com/google/go-cloud/issues/3108
@echoing-dinner-19531 ping?
e
Hey, it's been a 4 day weekend here in the UK. I'll be looking into this this week.
🙌 1
n
Ah yes! the Queen Elizabeth II Jubilee!
e
I've picked up and merged https://github.com/pulumi/pulumi/pull/6379/ which should mean GOOGLE_CREDENTIALS is now picked up for secrets not just state storage. Should be in the release tomorrow.
🙌 1
n
Amazing! thank you very much @echoing-dinner-19531 👍