Merge pull request #1973 from putsuka/feature/gcp-kms-client-type

hiddeco · web-flow · commit 5ba30dc11d7c · 2025-11-07T14:04:23.000+01:00
diff --git a/README.rst b/README.rst
@@ -309,6 +309,14 @@ Or if you are logged in you can authorize by generating an access token:
 
     $ export GOOGLE_OAUTH_ACCESS_TOKEN="$(gcloud auth print-access-token)"
 
+By default, SOPS uses the gRPC client to communicate with GCP KMS. You can optionally
+switch to the REST client by setting the ``SOPS_GCP_KMS_CLIENT_TYPE`` environment variable:
+
+.. code:: sh
+
+    $ export SOPS_GCP_KMS_CLIENT_TYPE=rest  # Use REST client
+    $ export SOPS_GCP_KMS_CLIENT_TYPE=grpc  # Use gRPC client (default)
+
 Encrypting/decrypting with GCP KMS requires a KMS ResourceID. You can use the
 cloud console the get the ResourceID or you can create one using the gcloud
 sdk:
diff --git a/gcpkms/keysource.go b/gcpkms/keysource.go
@@ -27,6 +27,9 @@ const (
 	// SopsGoogleCredentialsOAuthTokenEnv is the environment variable used for the
 	// GCP OAuth 2.0 Token.
 	SopsGoogleCredentialsOAuthTokenEnv = "GOOGLE_OAUTH_ACCESS_TOKEN"
+	// SopsGCPKMSClientTypeEnv is the environment variable used to specify the
+	// GCP KMS client type. Valid values are "grpc" (default) and "rest".
+	SopsGCPKMSClientTypeEnv = "SOPS_GCP_KMS_CLIENT_TYPE"
 	// KeyTypeIdentifier is the string used to identify a GCP KMS MasterKey.
 	KeyTypeIdentifier = "gcp_kms"
 )
@@ -68,6 +71,10 @@ type MasterKey struct {
 	grpcConn *grpc.ClientConn
 	// grpcDialOpts are the gRPC dial options used to create the gRPC connection.
 	grpcDialOpts []grpc.DialOption
+	// useRESTClient indicates whether to use the REST client for GCP KMS.
+	useRESTClient bool
+	// clientOpts are the client options used to create the GCP KMS client.
+	clientOpts []option.ClientOption
 }
 
 // NewMasterKeyFromResourceID creates a new MasterKey with the provided resource
@@ -126,6 +133,22 @@ func (d DialOptions) ApplyToMasterKey(key *MasterKey) {
 	key.grpcDialOpts = d
 }
 
+// UseRESTClient configures the MasterKey to use the REST client for GCP KMS.
+type UseRESTClient struct{}
+
+// ApplyToMasterKey configures the MasterKey to use the REST client for GCP KMS.
+func (UseRESTClient) ApplyToMasterKey(key *MasterKey) {
+	key.useRESTClient = true
+}
+
+// ClientOptions are the client options used to create the GCP KMS client.
+type ClientOptions []option.ClientOption
+
+// ApplyToMasterKey configures the ClientOptions on the provided key.
+func (c ClientOptions) ApplyToMasterKey(key *MasterKey) {
+	key.clientOpts = c
+}
+
 // Encrypt takes a SOPS data key, encrypts it with GCP KMS, and stores the
 // result in the EncryptedKey field.
 //
@@ -294,7 +317,19 @@ func (key *MasterKey) newKMSClient(ctx context.Context) (*kms.KeyManagementClien
 		}
 	}
 
-	client, err := kms.NewKeyManagementClient(ctx, opts...)
+	// Add extra options.
+	opts = append(opts, key.clientOpts...)
+
+	// Select client type based on inputs.
+	clientType := strings.ToLower(os.Getenv(SopsGCPKMSClientTypeEnv))
+	var client *kms.KeyManagementClient
+	var err error
+	switch {
+	case clientType == "rest", key.useRESTClient:
+		client, err = kms.NewKeyManagementRESTClient(ctx, opts...)
+	default:
+		client, err = kms.NewKeyManagementClient(ctx, opts...)
+	}
 	if err != nil {
 		return nil, err
 	}
