diff --git a/buildkite/bazelci.py b/buildkite/bazelci.py index dd2349a012..5e3e913316 100755 --- a/buildkite/bazelci.py +++ b/buildkite/bazelci.py @@ -912,34 +912,31 @@ def wait_build_to_finish(self, build_number, interval_time=30, logger=None): def decrypt_token(encrypted_token, kms_key, project="bazel-untrusted"): try: - return ( - subprocess.run( - [ - gcloud_command(), - "kms", - "decrypt", - "--project", - project, - "--location", - "global", - "--keyring", - "buildkite", - "--key", - kms_key, - "--ciphertext-file", - "-", - "--plaintext-file", - "-", - ], - input=base64.b64decode(encrypted_token), - env=os.environ, - check=True, - stdout=subprocess.PIPE, # We cannot use capture_output since some workers run Python <3.7 - stderr=subprocess.PIPE, # We cannot use capture_output since some workers run Python <3.7 - ) - .decode("utf-8") - .strip() + result = subprocess.run( + [ + gcloud_command(), + "kms", + "decrypt", + "--project", + project, + "--location", + "global", + "--keyring", + "buildkite", + "--key", + kms_key, + "--ciphertext-file", + "-", + "--plaintext-file", + "-", + ], + input=base64.b64decode(encrypted_token), + env=os.environ, + check=True, + stdout=subprocess.PIPE, # We cannot use capture_output since some workers run Python <3.7 + stderr=subprocess.PIPE, # We cannot use capture_output since some workers run Python <3.7 ) + return result.stdout.decode("utf-8").strip() except subprocess.CalledProcessError as ex: cause = ex.stderr.decode("utf-8") raise BuildkiteException(f"Failed to decrypt token:\n{cause}")