Comments (3)
Hi @viktorvoltaire!
Hm, I think that'd be quite a chunk of work to implement, since sops supports quite a few decryption backends, and we'd then need to build support for them all? Or do you see some simpler way?
For what it's worth, the approach I've taken in Cloud Build specifically is to do impersonation via gcloud in the step image, and it works quite well and transparently (it also means authentication to GKE etc etc works pretty much without any adaptions to the relevant providers). We've wrapped this in our terraform image's ENTRYPOINT:

#!/bin/sh
# Resolve the current project, then mint an access token for the Terraform service account
project_id="$(gcloud config get-value project 2> /dev/null)"
export GOOGLE_OAUTH_ACCESS_TOKEN="$(gcloud auth print-access-token --impersonate-service-account=your-terraform-service-account-name@${project_id}.iam.gserviceaccount.com)"
# Hand off to terraform so the whole run uses the impersonated credentials
exec terraform "$@"
So then the entire execution of Terraform is run as the "right" SA.
from terraform-provider-sops.
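A fail-closed variant of the wrapper above, added here as an example and not code from the thread or from terraform-provider-sops: it refuses to start terraform when the project or the impersonated token cannot be obtained, so a misconfigured step cannot silently carry on with whatever ambient credentials the build has. The GCLOUD override, the TF_IMPERSONATE_SA variable and the terraform@ account name are assumptions and placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: GCLOUD names the gcloud binary
# (overridable so a stub can stand in for it in tests), TF_IMPERSONATE_SA is a
# hypothetical override for the target account, and "terraform@<project>..." is a placeholder.
set -eu
GCLOUD="${GCLOUD:-gcloud}"

# Decide which service account to impersonate. Refuse to continue when the project
# cannot be resolved; otherwise the target would become "...@.iam.gserviceaccount.com".
impersonation_target() {
  if [ -n "${TF_IMPERSONATE_SA:-}" ]; then
    printf '%s\n' "$TF_IMPERSONATE_SA"
    return 0
  fi
  project_id="$("$GCLOUD" config get-value project 2>/dev/null || true)"
  if [ -z "$project_id" ]; then
    echo "entrypoint: no GCP project configured, refusing to impersonate" >&2
    return 1
  fi
  printf 'terraform@%s.iam.gserviceaccount.com\n' "$project_id"
}

# Mint a short-lived token for that account. Any failure aborts instead of leaving
# terraform to fall back to the build's own credentials.
impersonated_token() {
  sa="$(impersonation_target)" || return 1
  "$GCLOUD" auth print-access-token --impersonate-service-account="$sa"
}

run_terraform() {
  token="$(impersonated_token)" || exit 1
  [ -n "$token" ] || { echo "entrypoint: empty access token" >&2; exit 1; }
  GOOGLE_OAUTH_ACCESS_TOKEN="$token"
  export GOOGLE_OAUTH_ACCESS_TOKEN
  exec terraform "$@"
}

# Only hand off to terraform when invoked as the image entrypoint, not when sourced.
case "$0" in
  */entrypoint.sh|entrypoint.sh) run_terraform "$@" ;;
esac
```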
Hi @carlpett :)
> Hm, I think that'd be quite a chunk of work to implement, since sops supports quite a few decryption backends, and we'd then need to build support for them all? Or do you see some simpler way?
Hmm, you are probably right, there is no simple way of doing it.
> So then the entire execution of Terraform is run as the "right" SA.
Cloud Build actually just released a feature where you can set the service account in the trigger settings, so no assuming is actually needed. I think we will use that to solve this problem.
Thanks for the swift response
Yep, you can do that too! We tend to have multiple steps that need to happen in our builds, and don't necessarily want the terraform account we use to be allowed to do all of them, but if you can split it up better than we have, then it might be a better alternative :)