GoogleCloudPlatform/berglas

failed to create KMS key ring berglas

stevenaldinger opened this issue · 7 comments

For context, I'm an owner of the project I'm working in.

I kept getting this error:

$ berglas bootstrap --project $PROJECT_ID --bucket $BUCKET_ID
failed to create KMS key ring berglas: rpc error: code = PermissionDenied desc = Permission 'cloudkms.keyRings.create' denied on resource 'projects/my-project-id/locations/global/keyRings/berglas' (or it may not exist).

So I just went with the custom setup docs and made it myself:

$ gcloud services enable cloudkms.googleapis.com storage-api.googleapis.com storage-component.googleapis.com
Operation "operations/acf.4801cb48-9bdf-40b7-8378-edd03dc7e987" finished successfully.

$ export KEY_RING=berglas
$ export KEY=berglas-key

$ gcloud kms keyrings create ${KEY_RING} --project ${PROJECT_ID} --location global

# the key is named from ${KEY} (berglas-key); the key ring it lives in is ${KEY_RING}
$ gcloud kms keys create ${KEY} \
    --project ${PROJECT_ID} \
    --location global \
    --keyring ${KEY_RING} \
    --purpose encryption

I confirmed the key and key ring were created in the UI.

Then I tried to bootstrap the bucket again and got an identical message:

$ berglas bootstrap --project $PROJECT_ID --bucket $BUCKET_ID
failed to create KMS key ring berglas: rpc error: code = PermissionDenied desc = Permission 'cloudkms.keyRings.create' denied on resource 'projects/my-project-id/locations/global/keyRings/berglas' (or it may not exist).

Then I went ahead and created the bucket myself too:

$ gsutil mb -p ${PROJECT_ID} gs://${BUCKET_ID}
Creating gs://my-bucket/...

$ gsutil defacl set private gs://${BUCKET_ID}
Setting default object ACL on gs://my-bucket/...

$ gsutil acl set private gs://${BUCKET_ID}
Setting ACL on gs://my-bucket/...

Then I tried using berglas to create a secret:

$ berglas create ${BUCKET_ID}/foo my-secret-data \
    --key projects/${PROJECT_ID}/locations/global/keyRings/berglas/cryptoKeys/berglas-key

failed to create secret: failed to encrypt secret: rpc error: code = PermissionDenied desc = Permission 'cloudkms.cryptoKeyVersions.useToEncrypt' denied on resource 'projects/my-project-id/locations/global/keyRings/berglas/cryptoKeys/berglas-key' (or it may not exist).

Is there another step missing in the custom setup? Or do you have any idea what's going on? I used berglas a year ago for another project and it was really easy.

How are you authenticating?

Just authenticating with gcloud auth login, no service account or anything.

I just tried locally and it's working fine, so my guess is there's a local environment issue. Can you try on another machine and also make sure there's no envvar set like GOOGLE_APPLICATION_CREDENTIALS? What does gcloud info show?
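The check the maintainer's question points at, as an added example that is not part of this thread or the berglas project: berglas is a Go program and resolves its credentials through Application Default Credentials (ADC), which is separate from the account that `gcloud auth login` selects. The script reads gcloud's active configuration and the standard ADC lookup locations (assumed to be the default paths) and prints both identities side by side so a mismatch is visible.

```shell
# Added preflight (not berglas project code). ADC is resolved from
# GOOGLE_APPLICATION_CREDENTIALS first, then gcloud's
# application_default_credentials.json. `gcloud auth login` only sets the
# account of the active gcloud configuration, which ADC never reads.

# Account of the active gcloud configuration, read from disk the same way
# `gcloud info` reports it (config dir -> active_config -> configurations/config_<name>).
gcloud_active_account() {
  cfg_dir=$1
  name=$(cat "$cfg_dir/active_config" 2>/dev/null || echo default)
  sed -n 's/^account *= *//p' "$cfg_dir/configurations/config_$name" 2>/dev/null
}

# Credential source ADC will pick: env:<path>, adc-file:<path>, or none.
adc_source() {
  env_cred=$1   # value of GOOGLE_APPLICATION_CREDENTIALS (may be empty)
  cfg_dir=$2
  if [ -n "$env_cred" ]; then
    echo "env:$env_cred"
  elif [ -f "$cfg_dir/application_default_credentials.json" ]; then
    echo "adc-file:$cfg_dir/application_default_credentials.json"
  else
    echo "none"
  fi
}

# Identity inside an ADC JSON file: a service account's client_email, or the
# credential type ("authorized_user" after `gcloud auth application-default login`).
adc_identity() {
  file=$1
  [ -f "$file" ] || { echo "missing:$file"; return; }
  email=$(tr -d '\n' < "$file" | sed -n 's/.*"client_email" *: *"\([^"]*\)".*/\1/p')
  [ -n "$email" ] && { echo "$email"; return; }
  tr -d '\n' < "$file" | sed -n 's/.*"type" *: *"\([^"]*\)".*/\1/p'
}

# Report for this machine; CLOUDSDK_CONFIG overrides gcloud's config directory.
adc_report() {
  cfg_dir=${CLOUDSDK_CONFIG:-$HOME/.config/gcloud}
  src=$(adc_source "${GOOGLE_APPLICATION_CREDENTIALS:-}" "$cfg_dir")
  echo "gcloud active account : $(gcloud_active_account "$cfg_dir")"
  echo "ADC source for berglas: $src"
  case $src in
    none) echo "no ADC found; run: gcloud auth application-default login" ;;
    *)    echo "ADC identity          : $(adc_identity "${src#*:}")" ;;
  esac
}

adc_report
```

If the two identities differ, the PermissionDenied comes from whichever principal ADC resolved to, not from the account shown by `gcloud info`.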

Just now getting to work on this again. I tried in Docker originally with my host ~/.config mounted and on macOS as well.

I also created a brand new project (just now/tonight), enabled billing, and immediately tried the steps. I got the same error as the original post and didn't try any manual steps after.

There's for sure no credentials env var set in either Docker or on my host machine (confirmed).

This is gcloud info on the newly created project from a macOS host machine with project name and email redacted:

gcloud info
Google Cloud SDK [307.0.0]

Platform: [Mac OS X, x86_64] uname_result(system='Darwin', node='Stevens-MacBook-Pro.local', release='18.6.0', version='Darwin Kernel Version 18.6.0: Thu Apr 25 23:16:27 PDT 2019; root:xnu-4903.261.4~2/RELEASE_X86_64', machine='x86_64', processor='i386')
Locale: ('en_US', 'UTF-8')
Python Version: [3.8.5 (default, Jul 21 2020, 10:42:08)  [Clang 11.0.0 (clang-1100.0.33.17)]]
Python Location: [/usr/local/bin/python3]
Site Packages: [Disabled]

Installation Root: [/Users/stevenaldinger/google-cloud-sdk]
Installed Components:
  gsutil: [4.53]
  core: [2020.08.21]
  bq: [2.0.59]
  kubectl: [1.15.11]
  alpha: [2020.08.21]
  beta: [2020.08.21]
System PATH: [/Users/stevenaldinger/google-cloud-sdk/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/go/bin:/Users/stevenaldinger/Library/Python/2.7/bin:/usr/local/bin/heroku/bin:/Users/stevenaldinger/go/bin:/Users/stevenaldinger/Development/github/*****/tf_local/services/istio-1.0.5/bin]
Python PATH: [/Users/stevenaldinger/google-cloud-sdk/lib/third_party:/Users/stevenaldinger/google-cloud-sdk/lib:/usr/local/Cellar/python@3.8/3.8.5/Frameworks/Python.framework/Versions/3.8/lib/python38.zip:/usr/local/Cellar/python@3.8/3.8.5/Frameworks/Python.framework/Versions/3.8/lib/python3.8:/usr/local/Cellar/python@3.8/3.8.5/Frameworks/Python.framework/Versions/3.8/lib/python3.8/lib-dynload]
Cloud SDK on PATH: [True]
Kubectl on PATH: [/Users/stevenaldinger/google-cloud-sdk/bin/kubectl]

WARNING: There are other instances of the Google Cloud Platform tools on your system PATH.
  /Applications/Docker.app/Contents/Resources/bin/kubectl

Installation Properties: [/Users/stevenaldinger/google-cloud-sdk/properties]
User Config Directory: [/Users/stevenaldinger/.config/gcloud]
Active Configuration Name: [*****]
Active Configuration Path: [/Users/stevenaldinger/.config/gcloud/configurations/config_*****]

Account: [*****@*****.***]
Project: [*****]

Current Properties:
  [compute]
    zone: [us-central1-a]
  [core]
    account: [*****@*****.***]
    disable_usage_reporting: [True]
    project: [*****]

Logs Directory: [/Users/stevenaldinger/.config/gcloud/logs]
Last Log File: [/Users/stevenaldinger/.config/gcloud/logs/2020.09.09/21.30.56.673655.log]

git: [git version 2.20.1 (Apple Git-117)]
ssh: [OpenSSH_7.9p1, LibreSSL 2.7.3]

And you're sure that the account listed there has permissions to create and manage KMS keys in your project?

I understand you're trying to obfuscate values, but it's difficult to know if you've subbed a value to be obfuscated or if that was the literal value you provided.

This issue is stale because it has been open for 14 days with no activity. It will automatically close after 7 more days of inactivity.

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.