GCP restore with encryption key failed with an error message
GCP restore with encryption key failed with the following error message:
Creating disk "disk1" failed. Error: Cloud KMS error when using key projects/cloudpoint-development/locations/global/keyRings/test-ring/cryptoKeys/test-key2: Permission 'cloudkms.cryptoKeyVersions.useToEncrypt' denied on resource 'projects/cloudpoint-development/locations/global/keyRings/test-ring/cryptoKeys/test-key2' (or it may not exist).
Workaround:
The disk being restored is encrypted with a Cloud KMS key, and the Cloud KMS CryptoKey Encrypter/Decrypter role this requires is missing for the service-<default-service-account>@compute-system.iam.gserviceaccount.com service account (the Compute Engine service agent).
To resolve this issue, assign the role to the service account with the following command:
# gcloud kms keys add-iam-policy-binding test-key2 --keyring test-ring --location global --member serviceAccount:service-<default-service-account>@compute-system.iam.gserviceaccount.com --role roles/cloudkms.cryptoKeyEncrypterDecrypter
Updated IAM policy for key [test-key2].
bindings:
- members:
  - serviceAccount:service-<default-service-account>@compute-system.iam.gserviceaccount.com
  role: roles/cloudkms.cryptoKeyEncrypterDecrypter
etag: BwX-yNgMdSE=
version: 1
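The following pre-check is an added example, not code from the article or from the backup product: it reads the key's IAM policy as `gcloud kms keys get-iam-policy --format=json` returns it, reports whether the Compute Engine service agent already holds roles/cloudkms.cryptoKeyEncrypterDecrypter (the role that carries the cloudkms.cryptoKeyVersions.useToEncrypt permission named in the error), and builds the fix command from the article. It assumes gcloud is installed only for the live lookup; the constructed sample policy and project number let everything else run offline. The `<default-service-account>` part of the service agent's address is the project number.

```python
"""Added example (not the article's or Veritas's code): check whether the Compute
Engine service agent holds roles/cloudkms.cryptoKeyEncrypterDecrypter on a KMS key,
the role that carries the cloudkms.cryptoKeyVersions.useToEncrypt permission."""
import json
import subprocess

ROLE = "roles/cloudkms.cryptoKeyEncrypterDecrypter"

def compute_service_agent(project_number: str) -> str:
    """IAM member for the project's Compute Engine service agent; the project
    number is what the article's <default-service-account> placeholder stands for."""
    return f"serviceAccount:service-{project_number}@compute-system.iam.gserviceaccount.com"

def missing_roles(policy: dict, member: str, required=(ROLE,)) -> list:
    """Roles in `required` that `member` lacks in a get-iam-policy JSON document."""
    held = {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}
    return [role for role in required if role not in held]

def grant_command(key: str, keyring: str, location: str, member: str, role: str = ROLE) -> list:
    """argv for the add-iam-policy-binding command the article uses as the fix."""
    return ["gcloud", "kms", "keys", "add-iam-policy-binding", key,
            "--keyring", keyring, "--location", location, "--member", member, "--role", role]

def fetch_policy(key: str, keyring: str, location: str) -> dict:
    """Live policy via gcloud (needs cloudkms.cryptoKeys.getIamPolicy on the key)."""
    argv = ["gcloud", "kms", "keys", "get-iam-policy", key, "--keyring", keyring,
            "--location", location, "--format=json"]
    return json.loads(subprocess.run(argv, check=True, capture_output=True, text=True).stdout)

# Constructed sample policy: an admin binding only, so the service agent is missing.
SAMPLE_POLICY = {
    "bindings": [{"role": "roles/cloudkms.admin", "members": ["user:kms-admin@example.com"]}],
}

if __name__ == "__main__":
    agent = compute_service_agent("123456789012")  # constructed project number
    for role in missing_roles(SAMPLE_POLICY, agent):
        print("missing:", role)
        print("fix:", " ".join(grant_command("test-key2", "test-ring", "global", agent, role)))
```

Against a real key, replace SAMPLE_POLICY with fetch_policy("test-key2", "test-ring", "global") and re-run the check after granting the role to confirm the binding took effect.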