terraform-google-modules/terraform-google-vault

Permission 'cloudkms.cryptoKeys.get' denied on init setup

voxmaster opened this issue · 3 comments

TL;DR

Not enough permission to read from KMS

Expected behavior

No response

Observed behavior

The following error appears in the VM logs of a fresh setup:
Error parsing Seal configuration: error checking key existence: rpc error: code = PermissionDenied desc = Permission 'cloudkms.cryptoKeys.get' denied on resource 'projects/$PROJECT_ID/locations/us-central1/keyRings/vault/cryptoKeys/vault-init' (or it may not exist).

Terraform Configuration

module "vault" {
  source     = "terraform-google-modules/vault/google"
  version    = "7.0.0"
  project_id = var.project_id
  region     = var.region

  network                   = "main"
  subnet                    = "main-01"
  network_subnet_cidr_range = "35.235.240.0/20"
  allow_public_egress       = false
  manage_tls                = true
  tls_cn                    = "some.domain.com"

  storage_bucket_force_destroy = true
  vault_version                = "1.13.2"
  vault_machine_type           = "e2-small"
  vault_max_num_servers        = 1
}

Terraform Version

Terraform v1.4.5
on darwin_amd64
+ provider registry.terraform.io/hashicorp/google v4.63.1
+ provider registry.terraform.io/hashicorp/google-beta v4.63.1
+ provider registry.terraform.io/hashicorp/local v2.4.0
+ provider registry.terraform.io/hashicorp/tls v4.0.4

Additional information

I was able to fix this using this configuration:

## Fix for "7.0.0" version of module with 1.13.2 Vault version
resource "google_kms_crypto_key_iam_member" "ck-iam" {
  crypto_key_id = "${var.region}/vault/vault-init"
  role          = "roles/cloudkms.viewer"
  member        = "serviceAccount:${module.vault.service_account_email}"
}
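A small triage helper for the error above, added here as example code (it is not part of the module or of this issue): it parses the PermissionDenied line from the VM log, checks a KMS key IAM policy (in the JSON shape of `gcloud kms keys get-iam-policy`) for the permissions the gcpckms seal needs, and derives the short `crypto_key_id` form used in the fix. The role-to-permission table and the sample log/policy are constructed assumptions, not values taken from GCP.

```python
import re

# Permissions Vault's gcpckms seal uses: GetCryptoKey at startup, then Encrypt/Decrypt.
SEAL_PERMISSIONS = {
    "cloudkms.cryptoKeys.get",
    "cloudkms.cryptoKeyVersions.useToEncrypt",
    "cloudkms.cryptoKeyVersions.useToDecrypt",
}

# Constructed subset of predefined KMS roles (assumption; verify against the GCP IAM docs).
ROLE_PERMISSIONS = {
    "roles/cloudkms.viewer": {"cloudkms.cryptoKeys.get"},
    "roles/cloudkms.cryptoKeyEncrypterDecrypter": {
        "cloudkms.cryptoKeyVersions.useToEncrypt",
        "cloudkms.cryptoKeyVersions.useToDecrypt",
    },
}

# Matches the gRPC error Vault logs when the seal cannot read the key.
ERROR_RE = re.compile(
    r"Permission '(?P<perm>[\w.]+)' denied on resource "
    r"'projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<ring>[^/]+)/cryptoKeys/(?P<key>[^/']+)'"
)

# Constructed sample input: the log line from this issue and a policy with only
# the encrypter/decrypter binding for a hypothetical Vault service account.
SAMPLE_SA = "serviceAccount:vault@example-project.iam.gserviceaccount.com"
SAMPLE_LOG = ("Error parsing Seal configuration: error checking key existence: rpc error: "
              "code = PermissionDenied desc = Permission 'cloudkms.cryptoKeys.get' denied on "
              "resource 'projects/$PROJECT_ID/locations/us-central1/keyRings/vault/cryptoKeys/"
              "vault-init' (or it may not exist).")
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter", "members": [SAMPLE_SA]},
]}

def parse_denied_error(line):
    """Return the denied permission and the key's path components, or None if no match."""
    m = ERROR_RE.search(line)
    return m.groupdict() if m else None

def missing_seal_permissions(policy, member):
    """Seal permissions that `member` does not hold through any binding on the key."""
    granted = set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            granted |= ROLE_PERMISSIONS.get(binding["role"], set())
    return sorted(SEAL_PERMISSIONS - granted)

def crypto_key_id(parsed):
    """Short-form id ({location}/{keyRing}/{cryptoKey}) accepted by google_kms_crypto_key_iam_member."""
    return "{location}/{ring}/{key}".format(**parsed)
```

Running `missing_seal_permissions(SAMPLE_POLICY, SAMPLE_SA)` reports `cloudkms.cryptoKeys.get` as missing, which is exactly what the `roles/cloudkms.viewer` binding in the fix supplies.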

Thanks @voxmaster. Do you mind sending a PR for this? Happy to review that for you.

This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 7 days.