Enable KMS key-level access to another project in a different organization account

Hello,

I am looking for possible options to grant permission on a KMS key that is present in project A in organization TEL1 to another project B that is in a different organization, TEL2.

How can we ensure that project B is able to access the KMS key that lives in project A?

I am looking for your assistance, community members.

Regards,

Sagar Vyas

1 ACCEPTED SOLUTION

Hello @sagarvyas ,

As per Phil Coakley, "

You can add an IAM policy with the principal(member) & resource in different projects.

To grant svcacct@project2.iam.gserviceaccount.com decryption access to a particular key in project1, you can e.g.:

$ KMS_KEY_RESOURCE_NAME=projects/project1/locations/${location}/keyRings/${keyring_name}/cryptoKeys/${crypto_key_name}
$ gcloud kms keys add-iam-policy-binding \
  --location ${location} ${KMS_KEY_RESOURCE_NAME} \
  --member serviceAccount:svcacct@project2.iam.gserviceaccount.com \
  --role roles/cloudkms.cryptoKeyDecrypter

You can also do this by pasting svcacct@project2.iam.gserviceaccount.com directly into the "Add members" textbox under "Permissions" for a KeyRing or Key selected under

"

You can check the Organization Policy documentation for reference.

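The gcloud command above is the whole grant; what a practitioner usually also wants is the check that the binding actually landed on the key, and a way to anticipate the one thing that most often rejects a cross-organization principal: the domain restricted sharing organization policy (constraints/iam.allowedPolicyMemberDomains) in the organization that owns the key. The script below is an added example for this thread, not code from the post or from Google. It builds the key resource name and the gcloud argv the answer uses, models locally what add-iam-policy-binding does to the key's IAM policy (including the idempotent re-run), checks a policy document of the shape returned by `gcloud kms keys get-iam-policy KEY --format=json`, and applies a simplified model of the domain restriction in which a service account belongs to the organization that owns its project. The project IDs, customer IDs and the sample policy are constructed placeholders.

```python
"""Cross-organization access to a Cloud KMS key: the binding the thread's gcloud
command creates, a check that it is present, and a pre-check against the
domain-restricted-sharing org policy that commonly blocks it.

Added example for this thread, not code from the post or from Google.
All project IDs, customer IDs and the sample policy are constructed."""
import copy
import re
from typing import Dict, List, Optional

# serviceAccount:NAME@PROJECT_ID.iam.gserviceaccount.com -> capture PROJECT_ID
SA_RE = re.compile(r"^serviceAccount:[^@]+@([a-z][a-z0-9-]+)\.iam\.gserviceaccount\.com$")


def kms_key_resource_name(project: str, location: str, keyring: str, key: str) -> str:
    """Full resource name of a key, as KMS_KEY_RESOURCE_NAME is built in the answer."""
    return f"projects/{project}/locations/{location}/keyRings/{keyring}/cryptoKeys/{key}"


def grant_argv(key_resource: str, member: str, role: str) -> List[str]:
    """argv for the answer's `gcloud kms keys add-iam-policy-binding` call.
    A full resource name already carries its location, so --location is not repeated."""
    return ["gcloud", "kms", "keys", "add-iam-policy-binding", key_resource,
            "--member", member, "--role", role]


def add_binding(policy: Dict, role: str, member: str) -> Dict:
    """Local model of what add-iam-policy-binding does to the key's policy: append
    the member to the unconditional binding for `role`, creating that binding if
    absent. Re-running is a no-op, and the etag is kept for a safe read-modify-write."""
    updated = copy.deepcopy(policy)
    bindings = updated.setdefault("bindings", [])
    for binding in bindings:
        if binding.get("role") == role and "condition" not in binding:
            if member not in binding.setdefault("members", []):
                binding["members"].append(member)
            return updated
    bindings.append({"role": role, "members": [member]})
    return updated


def has_binding(policy: Dict, role: str, member: str) -> bool:
    """The check to run over `gcloud kms keys get-iam-policy KEY --format=json` output."""
    return any(b.get("role") == role and member in b.get("members", [])
               for b in policy.get("bindings", []))


def service_account_project(member: str) -> Optional[str]:
    """Project that owns a serviceAccount: member; None for other principal kinds."""
    m = SA_RE.match(member)
    return m.group(1) if m else None


def blocked_by_domain_restriction(member: str, project_org: Dict[str, str],
                                  allowed_customer_ids: List[str]) -> Optional[bool]:
    """Simplified model of constraints/iam.allowedPolicyMemberDomains on the key's
    organization: a service account belongs to the organization that owns its
    project, and the policy change is rejected when that organization's customer
    ID is not on the allowlist. Returns None when the member's organization
    cannot be derived locally (non-service-account principals, unknown project)."""
    project = service_account_project(member)
    if project is None or project not in project_org:
        return None
    return project_org[project] not in set(allowed_customer_ids)


# Constructed sample: project1 (org TEL1) owns the key, project2 (org TEL2) wants to decrypt.
SAMPLE_POLICY = {
    "etag": "BwXCONSTRUCTED=",
    "bindings": [{
        "role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
        "members": ["serviceAccount:app@project1.iam.gserviceaccount.com"],
    }],
}
PROJECT_ORG = {"project1": "C0tel1xxxx", "project2": "C0tel2xxxx"}  # constructed customer IDs
MEMBER_B = "serviceAccount:svcacct@project2.iam.gserviceaccount.com"
ROLE = "roles/cloudkms.cryptoKeyDecrypter"

if __name__ == "__main__":
    key = kms_key_resource_name("project1", "us-east1", "my-keyring", "my-key")
    print(" ".join(grant_argv(key, MEMBER_B, ROLE)))
    granted = add_binding(SAMPLE_POLICY, ROLE, MEMBER_B)
    print("binding present after grant:", has_binding(granted, ROLE, MEMBER_B))
    print("blocked when TEL1 allows only itself:",
          blocked_by_domain_restriction(MEMBER_B, PROJECT_ORG, ["C0tel1xxxx"]))
```

If `blocked_by_domain_restriction` reports True for your real allowlist, the `add-iam-policy-binding` call in the answer will be rejected by the key's organization until an administrator of TEL1 adds TEL2's customer ID to the constraint (or sets an exception on the folder or project that holds the key); that is the Organization Policy reference the answer points to. Grant the narrowest role that fits (cryptoKeyDecrypter rather than cryptoKeyEncrypterDecrypter when only decryption is needed) and keep the binding on the key, not the key ring or project.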

Hello @dionv ,

Thank you for the suggestion; this is one of the workarounds to grant KMS key access to project2 in the other organization.

Thank you once again.

Regards,

Sagar Vyas