First of all, thank you so very much for SOPS! In my opinion it powers a very critical component of GitOps. I'm a Flux core maintainer so you can guess how much I love GitOps and consequently how much I also love SOPS :)

Now, on to the feature request :)

As a user I'd like the ability to use multi-tenant workload identity for decrypting SOPS-encrypted secrets in CNCF Flux through the Kustomization API using GCP KMS. How I'm planning to do it on the Flux side is detailed in this section of the RFC for Multi-Tenant Workload Identity (RFC link).

In order to enable this use case it is necessary to implement an interface for GCP KMS similar to the interfaces for AWS and Azure kms.CredentialsProvider and azkv.TokenCredential. The equivalent interface for GCP would be oauth2.TokenSource. There are a number of ways how one could create an object that implements this interface, so this would definitely be very helpful for users of the GCP SOPS SDK, and hence would enable more advanced methods of GCP KMS authentication to be used for SOPS.

I'm more than willing to contribute this feature, my plan is to open a PR next weekend, please consider reviewing it! 🙏 🙏 🙏

Edit: PR opened sooner