Add extra replacement variables and GCP's role identifier

[bwalding]

Just a minor tidy-up.

Resource Name

Curiously - the GCP resource name for a key is a slightly different format to the key format in cosign:

GCP format: projects/$PROJECT/locations/$LOCATION/keyRings/$KEYRING/cryptoKeys/$KEY/cryptoKeyVersions/$KEY_VERSION
Cosign format: gcpkms://projects/$PROJECT/locations/$LOCATION/keyRings/$KEYRING/cryptoKeys/$KEY/versions/$KEY_VERSION

Note that the 2nd last path segment is "cryptoKeyVersions" not "versions" - this is based on copying the resource name out of the GCP console.

Roles

"Safer KMS Viewer Role" - I suspect this is wrong too (as I can't find anything called this) - but I don't know what the correct value is - as I wasn't able to get signing working without using KMS Admin role.

Once I get over that hurdle I'll be back...

[dlorenc]

Thanks!

[dekkagaijin]

Thanks :)

[cpanato]

thanks!
/lgtm

[maelvls]

I keep tripping over the fact that gcloud kms keys versions list shows "cryptoKeyVersions" but cosign wants "versions". 😥

❌ On one side, cosign wants "versions" (I omit gcpkms:// here)

projects/$PROJECT/locations/$LOCATION/keyRings/$KEYRING/cryptoKeys/$KEY/versions/$KEY_VERSION
#                                                                       ^^^^^^^^

✅ One the other side, gcloud kms keys versions list shows "cryptoKeyVersions":

projects/$PROJECT/locations/$LOCATION/keyRings/$KEYRING/cryptoKeys/$KEY/cryptoKeyVersions/$KEY_VERSION
#                                                                       ^^^^^^^^^^^^^^^^^