remove undocumented requirement for gcpkms key_identifier_values to be 36 characters#7140
Open
daescha wants to merge 2 commits into
Conversation
daescha
requested review from
MarcosDY,
amartinezfayo,
evan2645,
rturner3 and
sorindumitru
as code owners
July 11, 2026 01:24
daescha
force-pushed
the
rm-hidden-requirement-for-gcpkms-key_identifier_values-to-be-36-chars
branch
from
July 11, 2026 01:25
e3be3b2 to
39fddd4
Compare
There was a problem hiding this comment.
Pull request overview
This PR removes the implicit/undocumented assumption that the GCP KMS key identifier (server ID) is a fixed-length UUID by updating CryptoKey name parsing to use the configured server ID prefix instead of a hard-coded offset. This aligns the gcpkms plugin behavior with key_identifier_value supporting non-UUID identifiers.
Changes:
- Update
getSPIREKeyIDFromCryptoKeyNameto derive the SPIRE key ID by cutting aspire-key-<serverID>-prefix instead of using a fixed UUID-length offset. - Update call sites to pass the configured
serverIDinto the parser. - Add unit tests covering UUID and non-UUID server ID formats.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| pkg/server/plugin/keymanager/gcpkms/fetcher.go | Switch CryptoKey name parsing to strip a variable-length server ID prefix when deriving SPIRE key IDs. |
| pkg/server/plugin/keymanager/gcpkms/gcpkms_test.go | Update parser call site and add table-driven tests for variable-length server IDs in CryptoKey names. |
…e 36 characters Signed-off-by: Daniel Schlatter <djschlatt@gmail.com>
daescha
force-pushed
the
rm-hidden-requirement-for-gcpkms-key_identifier_values-to-be-36-chars
branch
from
July 11, 2026 08:19
eb4667e to
ea90a5e
Compare
Contributor
Author
|
@sorindumitru assuming you are referring to that regex on the page ( |
…name rules Signed-off-by: Daniel Schlatter <djschlatt@gmail.com>
Contributor
Author
|
@sorindumitru i restricted key length to 40 chars to give room for the bits we are adding on to it and stay within gcps stated max of 63. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pull Request check list
this was an undocumented requirement. no docs updates needed.
Affected functionality
gcpkms config
Description of change
gcpkms plugin now accepts arbitrary length values for key_identifier_value.
Which issue this PR fixes
when using gcpkms plugin config key_identifier_value, there was a requirement for the value to be 36 characters exactly. This is not the case for the azurekeyvault or awskms plugins, and was a pain to find out. heres the error message