I've followed this tutorial: https://cloud.google.com/kms/docs/store-secrets
My next step was to have my apps read my secrets file from the storage bucket and decrypt safely at runtime. These apps run within various projects (staging, dev, production etc).
I've read the service account documentation over and over but can't quite understand the correct way forward.
What I found that worked was to simply add service accounts to MY_KMS_PROJECT and MY_STORAGE_PROJECT from the tutorial. I set them up to have access to read storage buckets and to decrypt KMS keys. Just by creating those service accounts, suddenly apps in other projects could read and decrypt. Is that how it's supposed to work?
I thought that I would have had to create a service account for each project that I want to have accessing the KMS projects from the tutorial? Or use IAM somehow to grant access? For example, how would I grant access to some apps within some projects and not others?
I'm attempting to now give access to apps when they are running in my local dev environment, which usually requires downloading a service account and pointing GOOGLE_APPLICATION_CREDENTIALS to the file. But it seems strange to me to download the service accounts from the MY_KMS_PROJECT or MY_STORAGE_PROJECT, especially since I already have a service account for accessing firebase. Are service accounts somehow global to all projects? Can they be combined? GOOGLE_APPLICATION_CREDENTIALS seems only good for pointing at a single service account.
Note: most of my apps are running on google app engine standard or flexible.
Here is the code from the apps within my projects that "just work" as described above:
client, err := google.DefaultClient(ctx, cloudkms.CloudPlatformScope)
if err != nil {
log.Fatal(err)
}
// Create the KMS client.
kmsService, err := cloudkms.New(client)
if err != nil {
log.Fatal(err)
}
....
And for accessing the bucket:
// Create the storage clientstorage
Client, err := storage.NewClient(ctx)
if err != nil {
log.Fatal(err)
}
....