Add extra replacement variables and GCP's role identifier #597

Merged
merged 1 commit into from
Aug 31, 2021

@bwalding bwalding commented Aug 31, 2021

Just a minor tidy-up.

Resource Name

Curiously - the GCP resource name for a key is a slightly different format to the key format in cosign:

GCP format: projects/$PROJECT/locations/$LOCATION/keyRings/$KEYRING/cryptoKeys/$KEY/cryptoKeyVersions/$KEY_VERSION
Cosign format: gcpkms:https://projects/$PROJECT/locations/$LOCATION/keyRings/$KEYRING/cryptoKeys/$KEY/versions/$KEY_VERSION

Note that the 2nd last path segment is "cryptoKeyVersions" not "versions" - this is based on copying the resource name out of the GCP console.

Roles

"Safer KMS Viewer Role" - I suspect this is wrong too (as I can't find anything called this) - but I don't know what the correct value is - as I wasn't able to get signing working without using KMS Admin role.

Once I get over that hurdle I'll be back...

@dlorenc dlorenc left a comment

Thanks!

@dekkagaijin dekkagaijin left a comment

Thanks :)

@cpanato cpanato added this to the v1.2.0 milestone Aug 31, 2021

@cpanato cpanato left a comment

thanks!
/lgtm

@dlorenc dlorenc merged commit c79ba73 into sigstore:main Aug 31, 2021

maelvls commented Jun 9, 2022

I keep tripping over the fact that gcloud kms keys versions list shows "cryptoKeyVersions" but cosign wants "versions". 😥

❌ On one side, cosign wants "versions" (I omit gcpkms:https:// here)

projects/$PROJECT/locations/$LOCATION/keyRings/$KEYRING/cryptoKeys/$KEY/versions/$KEY_VERSION
#                                                                       ^^^^^^^^

✅ On the other side, gcloud kms keys versions list shows "cryptoKeyVersions":

projects/$PROJECT/locations/$LOCATION/keyRings/$KEYRING/cryptoKeys/$KEY/cryptoKeyVersions/$KEY_VERSION
#                                                                       ^^^^^^^^^^^^^^^^^
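
The mismatch discussed in this thread can be handled mechanically before a key reference is passed to either tool. The Go code below is an added example, not code from cosign or from this pull request: it parses either spelling of a key version path, rejects anything that does not have the full six-part layout, and renders the other spelling. The type and function names are hypothetical, and the URI scheme prefix is left off, as in the comment above.

```go
package main

import (
	"fmt"
	"regexp"
)

// The two spellings differ only in the segment before the version:
// GCP resource names use "cryptoKeyVersions", cosign uses "versions".
var keyVersionPath = regexp.MustCompile(
	`^projects/([^/]+)/locations/([^/]+)/keyRings/([^/]+)` +
		`/cryptoKeys/([^/]+)/(?:cryptoKeyVersions|versions)/([^/]+)$`)

// KeyVersion (hypothetical type) holds the parsed path components.
type KeyVersion struct {
	Project, Location, KeyRing, Key, Version string
}

// ParseKeyVersion accepts either spelling and returns an error for
// truncated paths, extra segments, or unknown segment names.
func ParseKeyVersion(path string) (KeyVersion, error) {
	m := keyVersionPath.FindStringSubmatch(path)
	if m == nil {
		return KeyVersion{}, fmt.Errorf("not a KMS key version path: %q", path)
	}
	return KeyVersion{m[1], m[2], m[3], m[4], m[5]}, nil
}

func (k KeyVersion) render(segment string) string {
	return fmt.Sprintf("projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s/%s/%s",
		k.Project, k.Location, k.KeyRing, k.Key, segment, k.Version)
}

// CosignPath renders the path portion cosign expects ("versions").
func (k KeyVersion) CosignPath() string { return k.render("versions") }

// GCPResourceName renders the name GCP shows ("cryptoKeyVersions").
func (k KeyVersion) GCPResourceName() string { return k.render("cryptoKeyVersions") }

func main() {
	// Constructed sample value, as it would be copied from the GCP console.
	in := "projects/demo-proj/locations/global/keyRings/ring1/cryptoKeys/signer/cryptoKeyVersions/3"
	k, err := ParseKeyVersion(in)
	if err != nil {
		panic(err)
	}
	fmt.Println(k.CosignPath())
}
```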
