terraform-google-modules/terraform-google-kms

Error applying IAM policy for KMS CryptoKey

ayushmankoul opened this issue · 4 comments

TL;DR

I have enabled the Cloud Key Management Service API and assigned the Cloud KMS CryptoKey Encrypter/Decrypter role to a Google user on keyrings created in the Cryptographic Keys tab using Terraform. On applying the IAM policy for the keys, it is throwing an error:

Expected behavior

It should enable IAM policy for the keys.

Observed behavior

Error: Error applying IAM policy for KMS CryptoKey "projects/sylvan-faculty-330506/locations/europe-west3/keyRings/module_test/cryptoKeys/test": Error setting IAM policy for KMS CryptoKey "projects/sylvan-faculty-330506/locations/europe-west3/keyRings/module_test/cryptoKeys/test": googleapi: Error 403: Permission 'cloudkms.cryptoKeys.setIamPolicy' denied on resource 'projects/sylvan-faculty-330506/locations/europe-west3/keyRings/module_test/cryptoKeys/test' (or it may not exist)., forbidden

Terraform Configuration

module "kms" {
  source = "../terraform-google-kms-master"
  #version = "~> 1.2"
  project_id         = var.project_id
  location           = var.location
  keyring            = var.keyring
  keys               = var.keys
  #set_owners_for = var.set_owners_for
  #owners         = var.owners
  set_encrypters_for = var.set_encrypters_for
  set_decrypters_for = var.set_decrypters_for
  encrypters         = var.encrypters
  decrypters         = var.decrypters
}

Terraform Version

Terraform v1.0.11

Additional information

No response

Does the service account you're applying with have permission to manage the keys?

Does the service account you're applying with have permission to manage the keys?
Yes, the following permissions are enabled for the service account:
Editor
Owner
Security Admin

@ayushmankoul Hi, is your issue resolved? If yes, then please explain the steps; I am also facing the same issue.
I am trying to create a KMS key and want to attach it to Cloud Storage, but while applying Terraform I am getting the same error you got. If possible, can you please share the complete KMS module?

This is for future users who stumble upon this error...

If you face this error, assign the EncrypterDecrypter role to the Google Cloud service on which you are trying to apply KMS encryption.

For example, in order to create a node pool in GKE with a KMS encrypted boot key, assign the EncrypterDecrypter role to the service-<project_number>@compute-system.iam.gserviceaccount.com and service-<project_number>@container-engine-robot.iam.gserviceaccount.com service accounts. It should work thereafter.
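The fix from the last comment, wired into the module used in the report, as an added example that is not from the issue or the module's own code: the two Google-managed service agents receive only the encrypter and decrypter bindings on the single key the node pool will use, rather than any broad project role. It assumes the module's set_encrypters_for/set_decrypters_for lists name keys, that encrypters/decrypters carry one comma-separated member string per listed key, that the module exposes a keys output map, and that the project id arrives as a variable.

```hcl
# Added example, not part of the original issue or the terraform-google-kms module.
# Assumption: set_*_for lists key names and encrypters/decrypters hold one
# comma-separated member string per listed key, position for position.

variable "project_id" {
  type = string
}

# Look up the project number so the service-agent addresses from the comment
# above can be built without hard-coding it.
data "google_project" "this" {
  project_id = var.project_id
}

locals {
  # Google-managed service agents that must be able to use the key:
  # the Compute Engine agent (boot disks) and the GKE robot.
  compute_agent = "serviceAccount:service-${data.google_project.this.number}@compute-system.iam.gserviceaccount.com"
  gke_agent     = "serviceAccount:service-${data.google_project.this.number}@container-engine-robot.iam.gserviceaccount.com"

  # The module expects one comma-separated member string per key.
  key_users = join(",", [local.compute_agent, local.gke_agent])
}

module "kms" {
  source  = "terraform-google-modules/kms/google"
  version = "~> 1.2"

  project_id = var.project_id
  location   = "europe-west3"
  keyring    = "module_test"
  keys       = ["test"]

  # Grant the agents only the encrypter and decrypter bindings on the one key
  # they need; no owner binding on the key and nothing project-wide.
  set_encrypters_for = ["test"]
  encrypters         = [local.key_users]
  set_decrypters_for = ["test"]
  decrypters         = [local.key_users]
}

# Key id to pass as node_config.boot_disk_kms_key on the GKE node pool
# (assumes the module's keys output maps key name to key id).
output "boot_disk_kms_key" {
  value = module.kms.keys["test"]
}
```

The 403 in the report is a separate problem: the identity running terraform apply must itself hold cloudkms.cryptoKeys.setIamPolicy on the key (for example through roles/cloudkms.admin) before these bindings can be written at all.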