NetBackup™ Snapshot Manager for Cloud Install and Upgrade Guide

GCP restore with encryption key failed with an error message

GCP restore with encryption key failed with the following error message:

Creating disk "disk1" failed. Error: Cloud KMS error when using key projects/cloudpoint-development/locations/global/keyRings/test-ring/cryptoKeys/test-key2: Permission 'cloudkms.cryptoKeyVersions.useToEncrypt' denied on resource 'projects/cloudpoint-development/locations/global/keyRings/test-ring/cryptoKeys/test-key2' (or it may not exist).

Workaround:

This error occurs when Google Cloud Platform is configured with Cloud KMS and the Cloud KMS CryptoKey Encrypter/Decrypter permission is missing for the service-<default-service-account>@compute-system.iam.gserviceaccount.com service account.

To resolve this issue, assign the permission to the service account on the key:

bash# gcloud kms keys add-iam-policy-binding test-key2 --keyring test-ring --location global --member serviceAccount:service-<default-service-account>@compute-system.iam.gserviceaccount.com --role roles/cloudkms.cryptoKeyEncrypterDecrypter
 
Updated IAM policy for key [test-key2].
bindings:
- members:
  - serviceAccount:service-<default-service-account>@compute-system.iam.gserviceaccount.com
  role: roles/cloudkms.cryptoKeyEncrypterDecrypter
etag: BwX-yNgMdSE=
version: 1
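
To confirm the fix, check that the service account and the role sit in the same binding of the key policy; a plain text search can match them in two different bindings. The script below is an added example, not part of the product documentation: has_binding, check_key and the sample policies (including the project number 123456789012 and the backup-app account) are constructed for illustration, and it assumes the default YAML output of gcloud shown above.

```shell
#!/bin/sh
# Added example; function names and sample values are hypothetical.
# has_binding MEMBER ROLE: reads a key IAM policy (gcloud default YAML) on
# stdin and succeeds only if MEMBER and ROLE occur in the SAME binding.
has_binding() {
  awk -v member="$1" -v role="$2" '
    /^[^ ]/ { m = 0; r = 0 }              # "- ..." or a top-level key: new binding
    { line = substr($0, 3) }              # drop the "- " or two-space indent
    line == ("- " member)   { m = 1 }     # member listed in the current binding
    line == ("role: " role) { r = 1 }     # role of the current binding
    m && r { found = 1 }
    END { exit !found }
  '
}

# check_key KEY KEYRING LOCATION MEMBER ROLE: same check against the live key.
check_key() {
  gcloud kms keys get-iam-policy "$1" --keyring "$2" --location "$3" |
    has_binding "$4" "$5"
}

ROLE="roles/cloudkms.cryptoKeyEncrypterDecrypter"
# Constructed member; substitute the service account named in your error.
AGENT="serviceAccount:service-123456789012@compute-system.iam.gserviceaccount.com"

# Constructed policy: the state after the workaround has been applied.
policy_fixed() { cat <<'EOF'
bindings:
- members:
  - serviceAccount:service-123456789012@compute-system.iam.gserviceaccount.com
  role: roles/cloudkms.cryptoKeyEncrypterDecrypter
version: 1
EOF
}

# Constructed policy: both strings appear, but in different bindings.
policy_wrong() { cat <<'EOF'
bindings:
- members:
  - serviceAccount:backup-app@example-project.iam.gserviceaccount.com
  role: roles/cloudkms.cryptoKeyEncrypterDecrypter
- members:
  - serviceAccount:service-123456789012@compute-system.iam.gserviceaccount.com
  role: roles/cloudkms.viewer
version: 1
EOF
}

policy_fixed | has_binding "$AGENT" "$ROLE" && echo "fixed policy: binding present"
policy_wrong | has_binding "$AGENT" "$ROLE" || echo "wrong policy: binding missing"
```

Against the key from this page, the call would be check_key test-key2 test-ring global "$AGENT" "$ROLE", with AGENT set to your own service account.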
