Error applying IAM policy for KMS CryptoKey
ayushmankoul opened this issue · 4 comments
TL;DR
I have enabled the Cloud Key Management Service API and assigned the Cloud KMS CryptoKey Encrypter/Decrypter role to a Google user on key rings created in the Cryptographic Keys tab using Terraform. On applying the IAM policy for the keys, it throws an error:
Expected behavior
It should enable IAM policy for the keys.
Observed behavior
Error: Error applying IAM policy for KMS CryptoKey "projects/sylvan-faculty-330506/locations/europe-west3/keyRings/module_test/cryptoKeys/test": Error setting IAM policy for KMS CryptoKey "projects/sylvan-faculty-330506/locations/europe-west3/keyRings/module_test/cryptoKeys/test": googleapi: Error 403: Permission 'cloudkms.cryptoKeys.setIamPolicy' denied on resource 'projects/sylvan-faculty-330506/locations/europe-west3/keyRings/module_test/cryptoKeys/test' (or it may not exist)., forbidden
Terraform Configuration
```hcl
module "kms" {
  source = "../terraform-google-kms-master"
  #version = "~> 1.2"

  project_id = var.project_id
  location   = var.location
  keyring    = var.keyring
  keys       = var.keys

  #set_owners_for = var.set_owners_for
  #owners         = var.owners

  set_encrypters_for = var.set_encrypters_for
  set_decrypters_for = var.set_decrypters_for
  encrypters         = var.encrypters
  decrypters         = var.decrypters
}
```
Terraform Version
Terraform v1.0.11
Additional information
No response
Does the service account you're applying with have permission to manage the keys?
> Does the service account you're applying with have permission to manage the keys?

Yes, the following permissions are enabled for the service account:
Editor
Owner
Security Admin
@ayushmankoul Hi, is your issue resolved? If yes, then please explain the steps; I am also facing the same issue.
I am trying to create a KMS key and want to attach it to Cloud Storage, but while applying Terraform I get the same error that you got. If possible, can you please share the complete KMS module?
This is for future users who stumble upon this error...
If you face this error, assign the Encrypter/Decrypter role to the Google Cloud service on which you are trying to apply KMS encryption.
For example, in order to create a node pool in GKE with a KMS encrypted boot key, assign the Encrypter/Decrypter role to the service-<project_number>@compute-system.iam.gserviceaccount.com and service-<project_number>@container-engine-robot.iam.gserviceaccount.com service accounts. It should work thereafter.
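The two permission questions raised in this thread (whether the identity running `terraform apply` may call `cloudkms.cryptoKeys.setIamPolicy`, and which service agents need Encrypter/Decrypter on the key) can both be expressed as narrow IAM bindings. The following is an added example and not part of the terraform-google-kms module or of any comment above; it assumes `var.project_id`, `var.location` and `var.keyring` from the original configuration, a key named `test` (the name from the error message) that already exists, and an assumed variable `var.terraform_sa` holding the e-mail of the service account that actually runs the apply.

```hcl
# Added example, not the module's own code. Assumes var.project_id, var.location,
# var.keyring and an existing key named "test"; var.terraform_sa is an assumed
# variable naming the service account that runs terraform apply.
variable "terraform_sa" {
  description = "E-mail of the service account that runs terraform apply (assumed)"
  type        = string
}

data "google_project" "current" {
  project_id = var.project_id
}

data "google_kms_key_ring" "ring" {
  project  = var.project_id
  name     = var.keyring
  location = var.location
}

data "google_kms_crypto_key" "boot" {
  name     = "test" # key name taken from the 403 message; assumed to exist
  key_ring = data.google_kms_key_ring.ring.id
}

# Part 1: the applying identity. roles/cloudkms.admin carries
# cloudkms.cryptoKeys.setIamPolicy (the permission named in the 403) but not
# encrypt/decrypt, and scoping it to one key ring keeps the Terraform identity
# out of every other ring in the project. Note the binding must be on the
# identity Terraform really uses (GOOGLE_APPLICATION_CREDENTIALS or the active
# gcloud account), which is the first thing to verify when the message says
# "(or it may not exist)".
resource "google_kms_key_ring_iam_member" "terraform_admin" {
  key_ring_id = data.google_kms_key_ring.ring.id
  role        = "roles/cloudkms.admin"
  member      = "serviceAccount:${var.terraform_sa}"
}

# Part 2: the service agents named in the last comment. Their e-mails are
# derived from the project number rather than hard-coded.
locals {
  project_number = data.google_project.current.number

  service_agents = {
    compute = "serviceAccount:service-${local.project_number}@compute-system.iam.gserviceaccount.com"
    gke     = "serviceAccount:service-${local.project_number}@container-engine-robot.iam.gserviceaccount.com"
  }
}

# Member-level bindings are additive; a google_kms_crypto_key_iam_policy
# resource would instead replace every binding on the key.
resource "google_kms_crypto_key_iam_member" "boot_disk_agents" {
  for_each      = local.service_agents
  crypto_key_id = data.google_kms_crypto_key.boot.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = each.value
}
```

Granting the Encrypter/Decrypter role on the individual key, rather than on the key ring or project, keeps the service agents' reach limited to the key they actually use; the admin binding for the Terraform identity is separate so that the identity that manages policy is not also one that can decrypt.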