Fairly new to GCP as I have spent my developer years specialising in AWS. I have recently been tasked with migrating our Terraform resources from AWS to GCP. A difficulty I am having is using the Cloud KMS key I have created to encrypt a Cloud Storage bucket.
I have a key attached to a key ring and the Terraform for the bucket all deployed (it currently exists without encryption, as I deployed it without this attribute):
```hcl
module "bronze" {
  source                      = "./modules/kms"
  location                    = local.locations.london
  bucket_name                 = "bronze"
  uniform_bucket_level_access = true
  public_access_prevention    = "enforced"
  encryption = {
    default_kms_key_name = "projects/${local.project_id}/locations/europe-west2/keyRings/cloud-storage-bucket-keyring/cryptoKeys/cloud-storage-bucket-key"
  }
}
```
The code for the Terraform module isn't relevant (I don't think), however let me know if it would help. It's simply the `encryption` block with the `default_kms_key_name` attribute from here.
The error is:
```text
Error: googleapi: Error 403: Permission denied on Cloud KMS key. Please ensure that your Cloud Storage service account has been authorized to use this key., forbidden
│
  with module.bronze.google_storage_bucket.this,
  on modules/CloudStorage/main.tf line 1, in resource "google_storage_bucket" "this":
   1: resource "google_storage_bucket" "this"
│
```
No matter if I change the name of the key to something random and run `terraform apply`, I get the exact same error. So it isn't linked to the key specifically, but must be linked to KMS in general.
My guess is it is something to do with missing permissions, but we have a lot of permissions set for it without having Admin set. I am not sure of the specific permission required to allow our resources to use the key, but I am guessing that there is something still missing.
TLDR: Generated a Cloud KMS key through Terraform with no errors, but cannot assign it to my Cloud Storage bucket due to a forbidden error. Am I missing a certain permission, and if so does anyone know what it is? I can't find it anywhere! Thanks.
Tried adding the `cloudkms.cryptoKeyVersions.useToEncrypt` and `cloudkms.cryptoKeyVersions.useToDecrypt` permissions but am still getting the same error.
The problem is identified by this part of the error message:

> Cloud Storage service account has been authorized to use this key

Google Cloud Storage has a service agent that you must grant permission to use the KMS key. The service agent has its own service account. You can get the service account identity using:

```shell
gsutil kms serviceaccount $PROJECT_ID
```

One method to add the required permissions to the service agent is to use the command:

```shell
gsutil kms authorize -p $PROJECT_ID \
  -k projects/$PROJECT_ID/locations/europe-west2/keyRings/cloud-storage-bucket-keyring/cryptoKeys/cloud-storage-bucket-key
```

See this link for more information on those commands.
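The same grant expressed in Terraform, as an added example that is not part of the question or the answer above: the `roles/cloudkms.cryptoKeyEncrypterDecrypter` binding goes on the Cloud Storage service agent (looked up via the `google_storage_project_service_account` data source), not on the identity running `terraform apply`, and the bucket depends on that binding so it is never created before the grant exists. It assumes `local.project_id` and the key ring and key names from the question.

```hcl
# Added example, not the asker's module or the answerer's code.
# Assumes local.project_id and the key path used in the question.

# Identity of the Cloud Storage service agent for this project
# (the same value `gsutil kms serviceaccount $PROJECT_ID` prints).
data "google_storage_project_service_account" "gcs" {
  project = local.project_id
}

# Grant the service agent use of the CMEK key. This is the binding
# `gsutil kms authorize` creates; the caller's own permissions
# (e.g. cloudkms.cryptoKeyVersions.useToEncrypt) do not help here.
resource "google_kms_crypto_key_iam_member" "gcs_cmek" {
  crypto_key_id = "projects/${local.project_id}/locations/europe-west2/keyRings/cloud-storage-bucket-keyring/cryptoKeys/cloud-storage-bucket-key"
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${data.google_storage_project_service_account.gcs.email_address}"
}

resource "google_storage_bucket" "bronze" {
  name                        = "bronze"
  location                    = "europe-west2"
  uniform_bucket_level_access = true
  public_access_prevention    = "enforced"

  encryption {
    # Referencing the binding's key id creates an implicit dependency.
    default_kms_key_name = google_kms_crypto_key_iam_member.gcs_cmek.crypto_key_id
  }

  # Made explicit so the 403 cannot recur if the reference above is
  # later replaced with a literal key path.
  depends_on = [google_kms_crypto_key_iam_member.gcs_cmek]
}
```

After `terraform apply`, `gcloud kms keys get-iam-policy` on the key should list the service agent under `roles/cloudkms.cryptoKeyEncrypterDecrypter`; if the bucket was created earlier without encryption, adding the `encryption` block updates it in place.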