Cannot use Sops with GCP KMS under a google service account identity with cross-project KMS keys #2020

@rsalmond

Description

The root cause of this issue is the same as #1142 but the way it manifests is different, and the workaround available for #1142 is not possible in this scenario. This issue is currently preventing our CD tooling from decrypting secrets.

The setup is this:

  • I have a KMS key in project foo where the KMS API is enabled.
  • I have a workload in project bar where the KMS API is disabled.
  • My workload runs under a service account bar-account which has been granted roles/cloudkms.cryptoKeyDecrypter on the key that lives in foo.
  • Despite having all the permissions required to perform decryption, sops decrypt fails because the KMS API is not enabled in project bar.
$ sops decrypt secrets.stage.env
Failed to get the data key required to decrypt the SOPS file.

Group 0: FAILED
  projects/bar/locations/global/keyRings/sops-stage/cryptoKeys/sops-stage: FAILED
    - | failed to decrypt sops data key with GCP KMS key: rpc error:
      | code = PermissionDenied desc = Cloud Key Management Service
      | (KMS) API has not been used in project 756669343665 before
      | or it is disabled. Enable it by visiting
      | https://console.developers.google.com/apis/api/cloudkms.googleapis.com/overview?project=756669343665

When I run a sops binary built with the patch in #1697 the call succeeds.

/sops-linux-amd64 decrypt secrets.stage.env
password=supersecret

If there's anything else I can provide to help get this patch merged please let me know.
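The failure above is a quota/attribution problem rather than a missing IAM grant: Google checks whether the KMS API is enabled in the project the request is attributed to, which for service-account credentials defaults to the project that owns the service account (bar), not the project that owns the key (foo). The program below is an added diagnostic, not sops code and not the content of #1697 or #1142: it parses the sops failure text, reports which project the API-enablement check was made against versus the project named in the key's resource path, and derives the quota project a caller would set (the key's own project) so the check lands there instead. Assumptions: the sample failure text is constructed from the output quoted above, the project names are those from the issue, and passing the quota project via `option.WithQuotaProject` (which sends `X-Goog-User-Project`) is the standard client-library remedy, which only works if the caller also holds `serviceusage.services.use` on that project. Whether the patch in #1697 takes this route is not stated on this page.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample output, shaped like the sops failure quoted in the issue,
// embedded so the program runs offline. The project number is the one from
// the issue text, not a real resource this program talks to.
const sampleFailure = `Failed to get the data key required to decrypt the SOPS file.

Group 0: FAILED
  projects/bar/locations/global/keyRings/sops-stage/cryptoKeys/sops-stage: FAILED
    - | failed to decrypt sops data key with GCP KMS key: rpc error:
      | code = PermissionDenied desc = Cloud Key Management Service
      | (KMS) API has not been used in project 756669343665 before
      | or it is disabled. Enable it by visiting
      | https://console.developers.google.com/apis/api/cloudkms.googleapis.com/overview?project=756669343665`

// KeyRef is the parsed form of a KMS CryptoKey resource name.
type KeyRef struct {
	Project  string
	Location string
	KeyRing  string
	Key      string
}

// ParseKeyName splits projects/P/locations/L/keyRings/R/cryptoKeys/K into its
// parts. It rejects CryptoKeyVersion names and any other shape, so a caller
// never derives a quota project from a path it did not understand.
func ParseKeyName(name string) (KeyRef, error) {
	parts := strings.Split(name, "/")
	if len(parts) != 8 || parts[0] != "projects" || parts[2] != "locations" ||
		parts[4] != "keyRings" || parts[6] != "cryptoKeys" {
		return KeyRef{}, fmt.Errorf("not a CryptoKey resource name: %q", name)
	}
	for i := 1; i < 8; i += 2 {
		if parts[i] == "" {
			return KeyRef{}, fmt.Errorf("empty path component in %q", name)
		}
	}
	return KeyRef{Project: parts[1], Location: parts[3], KeyRing: parts[5], Key: parts[7]}, nil
}

// QuotaProjectFor returns the project a decrypt call should be attributed to:
// the key's own project. In the Go KMS client this is what you would pass as
// option.WithQuotaProject (assumption stated in the lead-in); the caller then
// needs serviceusage.services.use on that project in addition to the
// cryptoKeyDecrypter grant on the key.
func QuotaProjectFor(keyName string) (string, error) {
	ref, err := ParseKeyName(keyName)
	if err != nil {
		return "", err
	}
	return ref.Project, nil
}

// Diagnosis pairs the key that was being used with the project the API
// enablement check was actually made against.
type Diagnosis struct {
	KeyProject     string // project named in the key resource path
	CheckedProject string // project number from the PermissionDenied message
}

var (
	keyLineRe     = regexp.MustCompile(`(projects/[^\s:]+/cryptoKeys/[^\s:]+): FAILED`)
	apiDisabledRe = regexp.MustCompile(`API has not been used in project (\d+) before`)
)

// Diagnose scans sops decrypt output for the "API has not been used in
// project N" failure and reports which key and which project were involved.
// It returns false when the output does not contain that specific failure,
// so an ordinary IAM denial is not misreported as an API-enablement problem.
func Diagnose(output string) (Diagnosis, bool) {
	km := keyLineRe.FindStringSubmatch(output)
	am := apiDisabledRe.FindStringSubmatch(output)
	if km == nil || am == nil {
		return Diagnosis{}, false
	}
	ref, err := ParseKeyName(km[1])
	if err != nil {
		return Diagnosis{}, false
	}
	return Diagnosis{KeyProject: ref.Project, CheckedProject: am[1]}, true
}

func main() {
	d, ok := Diagnose(sampleFailure)
	if !ok {
		fmt.Println("no API-enablement failure found in output")
		return
	}
	fmt.Printf("key lives in project %q; API check ran against project number %s\n",
		d.KeyProject, d.CheckedProject)
	fmt.Println("options: enable cloudkms.googleapis.com in the checked project,")
	fmt.Printf("or attribute the call to the key's project (quota project %q)\n", d.KeyProject)
}
```

Run it against real `sops decrypt` output by replacing the constant with the captured stderr. If the reported project number is the key's own project, the fix is simply enabling the API there; if it is the caller's project, as in this issue, the call needs to be attributed to the key's project or the API enabled in the caller's project.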
