Initial compile fails when GOOGLE_APPLICATION_CREDENTIALS is not set

[owlzq1]

Hello, when compiling new target with secret:

kubeconfig: ?{gkms:kubeconfigs/c01||randomstr:32|base64}

I get the following error:

Authentication failed using Compute Engine authentication due to unavailable metadata server.
Could not automatically determine credentials. Please set GOOGLE_APPLICATION_CREDENTIALS or explicitly create credentials and re-run the application

Even though I don't try to encrypt nor to reveal a secret.

Is this an intended behavior?

I expect it to just create a ref with random string, since the ref is absent.
I think it should compile regardless of "GOOGLE_APPLICATION_CREDENTIALS" presence.

[ademariag]

The behaviour is intended.

The reason why kapitan needs access to your google credentials (GOOGLE_APPLICATION_CREDENTIALS) is because the secret you are trying to create uses a gkms (Google Cloud Key Management Service) as backend.

The ?{gkms:kubeconfigs/c01.eks01.aws01||randomstr:32|base64} effectively means:

if the reference kubeconfigs/c01.eks01.aws01 does not exist, generate a random string of 32 characters, encode it in base64 and then encrypt it with google KMS

Full discussion here: https://kubernetes.slack.com/archives/C981W2HD3/p1616001522022400