This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

Unable to destroy KMS key version with KMS Cloud Admin role using python API

Posted on 03-04-2024 07:15 AM
hdattada
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Hi We are trying to automated disabling and destroying unused key versions. We are running this through a cloud function. Below is a snippet of the code. We see a 403 permission denied for a service account that has a KMS cloud admin role. Any suggestions on what we might be missing here?

 

if key_ring.name == "projects/xxxxlocations/us/keyRings/us-sample-keyring":
request = kms_v1.ListCryptoKeysRequest(
parent=key_ring.name,
)
crypto_keys = client.list_crypto_keys(request)
for key in crypto_keys:
primary = key.primary
request = kms_v1.ListCryptoKeyVersionsRequest(
parent=key.name
)
crypto_versions = client.list_crypto_key_versions(request)
for version in crypto_versions:
if version.name == primary.name:
print(f"Key {version.name} is enabled")
else:
print(f"Key {version.name} is non primary. Disabling it")
key_version = {
"name": version.name,
"state": kms_v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED,
}

# Build the update mask.
update_mask = {"paths": ["state"]}

# Call the API.
disabled_version = client.update_crypto_key_version(
request={"crypto_key_version": key_version, "update_mask": update_mask}
)
print(f"Disabled key version: {disabled_version.name}")
destroyed_version = client.destroy_crypto_key_version(
request={"name": version.name}
)
print(f"Destroyed key version: {destroyed_version.name}")
 
 
Error:
google.api_core.exceptions.PermissionDenied: 403 Permission 'cloudkms.cryptoKeyVersions.destroy' denied on resource 'projects/xxxx/locations/us/keyRings/us-sample-keyring/cryptoKeys/us-sample-key/cryptoKeyVersions/1' (or it may not exist).
0 1 532
0 Likes
1 REPLY 1

Posted on --/--/---- --:-- AM
RonEtch
Staff
Reply posted on --/--/---- --:-- AM

Hi @hdattada 

Welcome to Google Cloud Community!

You can verify on this available guide on using python script to disable and destroy key versions. Since you are having an error 403 permission denied, you may also want to verify your permissions regarding Cloud KMS by following this guide.

I hope this information is helpful.

If you need further assistance, you can always file a ticket on our support team.

Top Labels in this Space