Add extra replacement variables and GCP's role identifier #597
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Just a minor tidy-up.
Resource Name
Curiously - the GCP resource name for a key is a slightly different format to the key format in cosign:
GCP format:
projects/$PROJECT/locations/$LOCATION/keyRings/$KEYRING/cryptoKeys/$KEY/cryptoKeyVersions/$KEY_VERSION
Cosign format:
gcpkms:https://projects/$PROJECT/locations/$LOCATION/keyRings/$KEYRING/cryptoKeys/$KEY/versions/$KEY_VERSION
Note that the 2nd last path segment is "cryptoKeyVersions" not "versions" - this is based on copying the resource name out of the GCP console.
Roles
"Safer KMS Viewer Role" - I suspect this is wrong too (as I can't find anything called this) - but I don't know what the correct value is - as I wasn't able to get signing working without using KMS Admin role.
Once I get over that hurdle I'll be back...