fix(gcpkms): Set quota project to API project

Like described in the linked issue, if the GCP KMS key is stored in
project foo, but the service account is created in project bar, sops
complains that KMS API is not enabled in project bar.

The quota project used by default is the one encoded in the service
account key. With this commit, the behavior changes, so the project
where the KMS key and API reside, is read from the key ID and set
via the quota project option.

Fixes getsops#1142

Author: onjen

gcpkms/keysource.go

@@ -208,13 +208,14 @@ func (key *MasterKey) TypeToIdentifier() string {
 // It returns an error if the ResourceID is invalid, or if the setup of the
 // client fails.
 func (key *MasterKey) newKMSClient() (*kms.KeyManagementClient, error) {
-	re := regexp.MustCompile(`^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$`)
+	re := regexp.MustCompile(`^projects/(?P<project>[^/]+)/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$`)
 	matches := re.FindStringSubmatch(key.ResourceID)
 	if matches == nil {
 		return nil, fmt.Errorf("no valid resource ID found in %q", key.ResourceID)
 	}
 
 	var opts []option.ClientOption
+	opts = append(opts, option.WithQuotaProject(matches[1]))
 	switch {
 	case key.credentialJSON != nil:
 		opts = append(opts, option.WithCredentialsJSON(key.credentialJSON))