Getting an error when trying to add the Encrypter/Decrypter role to the bucket service account. Below is the code. Any idea what's missing?
```python
from google.cloud import storage

# `credentials` is a google.auth credentials object created earlier (not shown)
storage_client = storage.Client(credentials=credentials)
# Cloud Storage service agent for the project
sa_name = storage_client.get_service_account_email("project name")
print(sa_name)
bucket = storage_client.get_bucket("bucket name")
policy = bucket.get_iam_policy(requested_policy_version=3)
policy.version = 3
# Attempt to bind the KMS role on the bucket (this is the call that fails)
policy.bindings.append({
    "role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
    "members": {"serviceAccount:{}".format(sa_name)}
})
bucket.set_iam_policy(policy)
```
**Error:** google.api_core.exceptions.BadRequest: 400 PUT https://storage.googleapis.com/storage/v1/b/bucketname/iam?prettyPrint=false: Role roles/cloudkms.cryptoKeyEncrypterDecrypter is not supported for this resource.
The error message `XYZ is not supported for this resource` means that you are trying to grant a permission (role) to a resource that does not use that permission or does not provide a resource, such as a KMS key, upon which that permission can be granted.
In your question you are trying to grant the permission `roles/cloudkms.cryptoKeyEncrypterDecrypter` to a Google Cloud Storage bucket. You have the logic reversed: you would modify a KMS resource policy, such as a key's, instead of a bucket's resource policy. Refer to the following link for more details on binding to a KMS resource:
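As an added example (not code from the question or the answer), this does the reverse of the question's snippet: it grants the bucket's service agent the Encrypter/Decrypter role on the KMS crypto key, using the google-cloud-kms client. The `ensure_member` helper also avoids appending a duplicate binding on every run, which the question's `append()` would do; project, location, key ring, key and agent email are placeholders.

```python
from dataclasses import dataclass, field

ROLE = "roles/cloudkms.cryptoKeyEncrypterDecrypter"

def ensure_member(policy, role, member):
    """Idempotently add `member` to the binding for `role`; True if changed.
    Works on the google.iam.v1 Policy proto the KMS client returns
    (bindings.add(), repeated `members`) and on the stand-in Policy below."""
    for binding in policy.bindings:
        if binding.role == role:
            if member in binding.members:
                return False          # already granted: skip the write
            binding.members.append(member)
            return True
    policy.bindings.add(role=role, members=[member])
    return True

def grant_storage_agent_on_key(project, location, key_ring, key, agent_email):
    """Grant the Storage service agent the Encrypter/Decrypter role on a KMS
    crypto key: the key, not the bucket, is the resource that accepts it."""
    from google.cloud import kms  # google-cloud-kms; lazy import keeps the
    client = kms.KeyManagementServiceClient()  # helpers above runnable offline
    key_name = client.crypto_key_path(project, location, key_ring, key)
    policy = client.get_iam_policy(request={"resource": key_name})
    if ensure_member(policy, ROLE, f"serviceAccount:{agent_email}"):
        policy = client.set_iam_policy(
            request={"resource": key_name, "policy": policy})
    return policy

# Offline stand-ins mirroring the proto Policy/Binding shape, for dry runs.
@dataclass
class Binding:
    role: str
    members: list = field(default_factory=list)

class Bindings(list):
    def add(self, role, members):
        self.append(Binding(role, list(members)))

@dataclass
class Policy:
    bindings: Bindings = field(default_factory=Bindings)

if __name__ == "__main__":
    # Placeholder names (assumed); agent_email is what the question's
    # storage_client.get_service_account_email(project) returns.
    grant_storage_agent_on_key("my-project", "us", "my-ring", "my-key",
                               "service-PROJECT_NUMBER@gs-project-accounts.iam.gserviceaccount.com")
```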