Fix decrypt_token() (#2009)
fweikert authored Jul 23, 2024
1 parent 1e06791 commit 24ab086
Showing 1 changed file with 24 additions and 27 deletions.
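--- a/buildkite/bazelci.py
+++ b/buildkite/bazelci.py
@@ -912,34 +912,31 @@ def wait_build_to_finish(self, build_number, interval_time=30, logger=None):
 
 def decrypt_token(encrypted_token, kms_key, project="bazel-untrusted"):
 try:
-return (
-subprocess.run(
-[
-gcloud_command(),
-"kms",
-"decrypt",
-"--project",
-project,
-"--location",
-"global",
-"--keyring",
-"buildkite",
-"--key",
-kms_key,
-"--ciphertext-file",
-"-",
-"--plaintext-file",
-"-",
-],
-input=base64.b64decode(encrypted_token),
-env=os.environ,
-check=True,
-stdout=subprocess.PIPE, # We cannot use capture_output since some workers run Python <3.7
-stderr=subprocess.PIPE, # We cannot use capture_output since some workers run Python <3.7
-)
-.decode("utf-8")
-.strip()
+result = subprocess.run(
+[
+gcloud_command(),
+"kms",
+"decrypt",
+"--project",
+project,
+"--location",
+"global",
+"--keyring",
+"buildkite",
+"--key",
+kms_key,
+"--ciphertext-file",
+"-",
+"--plaintext-file",
+"-",
+],
+input=base64.b64decode(encrypted_token),
+env=os.environ,
+check=True,
+stdout=subprocess.PIPE, # We cannot use capture_output since some workers run Python <3.7
+stderr=subprocess.PIPE, # We cannot use capture_output since some workers run Python <3.7
 )
+return result.stdout.decode("utf-8").strip()
 except subprocess.CalledProcessError as ex:
 cause = ex.stderr.decode("utf-8")
 raise BuildkiteException(f"Failed to decrypt token:\n{cause}")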
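Review bot: Only `subprocess.CalledProcessError` is converted into a `BuildkiteException` in `decrypt_token`, so a malformed `encrypted_token` (where `base64.b64decode` raises `binascii.Error` inside the `try`) or a gcloud binary that cannot be started escapes as a raw exception instead of the "Failed to decrypt token" error. Decoding ahead of the `try` with `ciphertext = base64.b64decode(encrypted_token, validate=True)` and reporting its failure separately would keep the two causes apart, and `validate=True` stops non-alphabet characters from being silently discarded before the ciphertext reaches KMS. The new `return result.stdout.decode("utf-8").strip()` also returns an empty string if gcloud ever exits 0 without output, so a guard such as `if not token: raise BuildkiteException("Decrypted token is empty")` would keep an empty credential from reaching callers. The handler's `raise` could end with `from ex` so the exit status stays in the exception chain.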