我正在尝试在我的本地circleci上配置作业(使用docker executor,图像:google/cloud-sdk:latest
),并且该作业需要对sops gcp kms加密文件进行解密。我已经为gcp kms解密服务设置了一个Google服务帐户(我可以运行脚本,通过circleci作业运行,通过服务帐户解密sops文件在本地成功运行,因此我知道该服务帐户设置有效) 。这是我的工作方式。
1- I base64对Google服务帐户json文件进行编码:base64 path/to/service_aacount_file.json
2-我运行circleci作业,在circleci上设置GCLOUD_SERVICE_KEY环境变量,并使用上一步中的base64编码内容:circleci local execute --env GCLOUD_SERVICE_KEY='<Base64EncodedServiceAccountJsonFileContent>' --job '<MyJob>'
3-这是我的circleci配置:
- run:
name: <MyJob>
command: |
apt-get install -y docker
apt-get install -y sudo
cd $(pwd)/path/to/jobcode
echo $GCLOUD_SERVICE_KEY | base64 -d > ${HOME}/<MyGoogleServiceAccountJsonFile.json>
export GOOGLE_APPLICATION_CREDENTIALS="${HOME}/<MyGoogleServiceAccountJsonFile.json>"
gcloud auth activate-service-account --key-file ${HOME}/<MyGoogleServiceAccountJsonFile.json>
echo $GOOGLE_APPLICATION_CREDENTIALS
ls -halt $GOOGLE_APPLICATION_CREDENTIALS
cat $GOOGLE_APPLICATION_CREDENTIALS
sudo ./<RunJob.sh>
4-执行作业时出现以下错误:
Failed to get the data key required to decrypt the SOPS file.
Group 0: FAILED
projects/<MyProject>/locations/<MyLocation>/keyRings/<MySopsKeyring>/cryptoKeys/<MyKey>: FAILED
- | Cannot create GCP KMS service: google: could not find
| default credentials. See
| https://developers.google.com/accounts/docs/application-default-credentials
| for more information.
Recovery failed because no master key was able to decrypt the file. In
order for SOPS to recover the file, at least one key has to be successful,
but none were.
5-另外,从控制台输出:
a-我可以看到该服务帐户已成功激活:Activated service account credentials for: [<MyServiceAccount>@<MyProject>.iam.gserviceaccount.com]
b- GOOGLE_APPLICATION_CREDENTIALS环境变量设置为服务帐户json的路径:/path/to/service_account.json
c-上面的文件已被正确的base64解码,并且包含有效的json:
{
"client_x509_cert_url": "<MyUrl>",
"auth_uri": "<MyAuthUri>",
"private_key": "<MyPrivateKey>",
"client_email": "<ClientEmail>",
"private_key_id": "<PrivateKeyId>",
"client_id": "<ClientId>",
"token_uri": "<TokenUri>",
"project_id": "<ProjectId>",
"type": "<ServiceAccount>",
"auth_provider_x509_cert_url": "<AuthProviderCertUrl>"
}
6-我尝试过的其他一些事情:
a-尝试在环境变量中设置google项目名称,但仍然是相同的错误。
b-尝试将GOOGLE_APPLICATION_CREDENTIALS设置为文件内容,而不是文件路径,但结果相同。
c-通过提供不带引号或单引号的文件路径来尝试设置GOOGLE_APPLICATION_CREDENTIALS,但仍然没有区别。
d-通过执行echo 'export GOOGLE_APPLICATION_CREDENTIALS=path/to/service_account.json' >> $BASH_ENV
尝试设置$ BASH_ENV,但存在相同的错误
请帮助。
另外三个可行的选择: