GCP KMS service account grant issue
EchoL0t opened this issue · 0 comments
EchoL0t commented
Hello! Trying to follow this guide, I faced the following issue:
```text
Terraform will perform the following actions:

  # google_kms_key_ring_iam_binding.vault_iam_kms_binding will be created
  + resource "google_kms_key_ring_iam_binding" "vault_iam_kms_binding" {
      + etag        = (known after apply)
      + id          = (known after apply)
      + key_ring_id = "idyllic-mantis-299418/global/test1"
      + members     = [
          + "serviceAccount:vault-gcpkms@idyllic-mantis-299418.iam.gserviceaccount.com",
        ]
      + role        = "roles/owner"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

google_kms_key_ring_iam_binding.vault_iam_kms_binding: Creating...

Error: Error applying IAM policy for KMS KeyRing "projects/idyllic-mantis-299418/locations/global/keyRings/test1": Error setting IAM policy for KMS KeyRing "projects/idyllic-mantis-299418/locations/global/keyRings/test1": googleapi: Error 403: Permission 'cloudkms.keyRings.setIamPolicy' denied on resource 'projects/idyllic-mantis-299418/locations/global/keyRings/test1' (or it may not exist)., forbidden

  on main.tf line 93, in resource "google_kms_key_ring_iam_binding" "vault_iam_kms_binding":
  93: resource "google_kms_key_ring_iam_binding" "vault_iam_kms_binding" {
```
Keyring and key exist, so I granted the owner role to the service account manually. But I can't figure out why Terraform can't deal with it; do you have any ideas?
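The 403 above is about the identity running `terraform apply`, not about the Vault service account being granted: `google_kms_key_ring_iam_binding` calls `setIamPolicy` on the key ring, so the caller needs `cloudkms.keyRings.setIamPolicy` there (or inherited from the project). The script below is an added example, not code from the issue, Terraform or Vault. It reads the JSON printed by `gcloud kms keyrings get-iam-policy KEYRING --location LOC --format=json`, reports whether a given caller holds a key-ring-level role that carries that permission, and flags the `roles/owner` binding on a service account as broader than an auto-unseal key needs. The role set, the sample policy, the project id `example-project` and the identity names are constructed assumptions; the mapping of roles to the permission follows the GCP IAM role reference but should be confirmed with `gcloud iam roles describe`.

```python
"""Diagnose a 'cloudkms.keyRings.setIamPolicy denied' error from a key-ring IAM policy.

Added example (not from the issue, Terraform or Vault). Input is the JSON that
`gcloud kms keyrings get-iam-policy KEYRING --location LOC --format=json` prints.
"""
from __future__ import annotations

import json

# Predefined roles that include cloudkms.keyRings.setIamPolicy (assumed subset of
# the GCP IAM role reference; confirm with `gcloud iam roles describe ROLE`).
ROLES_WITH_SET_IAM_POLICY = {"roles/owner", "roles/cloudkms.admin"}

REQUIRED_PERMISSION = "cloudkms.keyRings.setIamPolicy"

# Constructed sample: the operator identity that runs Terraform only holds an
# encrypt/decrypt role on the key ring, while the Vault service account was
# given roles/owner by hand (as the issue describes).
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["serviceAccount:vault-gcpkms@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
     "members": ["user:terraform-operator@example.com"]}
  ],
  "etag": "BwXconstructedEtag=",
  "version": 1
}
"""


def members_holding(policy: dict, role: str) -> set[str]:
    """Return every member bound to `role` in an IAM policy document."""
    return {
        member
        for binding in policy.get("bindings", [])
        if binding.get("role") == role
        for member in binding.get("members", [])
    }


def can_set_iam_policy(policy: dict, caller: str) -> bool:
    """True if `caller` (e.g. 'user:alice@example.com') holds a key-ring-level
    role that includes cloudkms.keyRings.setIamPolicy.

    Only the key-ring policy is inspected: roles inherited from the project or
    folder are not visible here, so False means 'not granted at the key ring',
    not 'denied everywhere'.
    """
    return any(caller in members_holding(policy, role) for role in ROLES_WITH_SET_IAM_POLICY)


def overbroad_service_account_bindings(policy: dict) -> list[tuple[str, str]]:
    """(role, member) pairs where a service account holds roles/owner on the key
    ring. An unseal key only needs encrypt/decrypt, so a narrower role such as
    roles/cloudkms.cryptoKeyEncrypterDecrypter on the crypto key is the
    least-privilege choice (assumption based on Vault's GCP KMS seal docs).
    """
    return [
        ("roles/owner", member)
        for member in sorted(members_holding(policy, "roles/owner"))
        if member.startswith("serviceAccount:")
    ]


def diagnose(policy_json: str, caller: str) -> dict:
    """Summarise why `terraform apply` run as `caller` may get the 403 seen in the issue."""
    policy = json.loads(policy_json)
    granted = can_set_iam_policy(policy, caller)
    return {
        "caller": caller,
        "required_permission": REQUIRED_PERMISSION,
        "caller_can_set_iam_policy": granted,
        "next_step": (
            "permission present at key ring; check that the key ring path in "
            "key_ring_id really exists, since the API returns 403 for both cases"
            if granted
            else "grant the Terraform identity roles/cloudkms.admin on the key ring "
            "(or at project level), then re-run apply"
        ),
        "overbroad_bindings": overbroad_service_account_bindings(policy),
    }


if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE_POLICY_JSON, "user:terraform-operator@example.com"), indent=2))
```

The `next_step` text distinguishes the two causes hidden behind one error code: the API answers 403 both when the caller lacks the permission and when the key ring path does not exist, which is why the message ends in "(or it may not exist)".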