Hello,
I am looking for possible options to grant permission on a KMS key that is present in project A in organization TEL1 to another project B, which is in a different organization, TEL2.
How can we ensure project B is able to access the KMS key that is in project A?
I am looking for your assistance, community members.
Regards,
Sagar Vyas
Hello @sagarvyas,
As per Phil Coakley, "
You can add an IAM policy with the principal(member) & resource in different projects.
To grant svcacct@project2.iam.gserviceaccount.com decryption access to a particular key in project1, you can e.g.:
$ KMS_KEY_RESOURCE_NAME=projects/project1/locations/${location}/keyRings/${keyring_name}/cryptoKeys/${crypto_key_name}
$ gcloud kms keys add-iam-policy-binding \
--location ${location} ${KMS_KEY_RESOURCE_NAME} \
--member serviceAccount:svcacct@project2.iam.gserviceaccount.com \
--role roles/cloudkms.cryptoKeyDecrypter
You can also do this by pasting svcacct@project2.iam.gserviceaccount.com directly into the "Add members" textbox under "Permissions" for a KeyRing or Key selected under
"
You can check this documentation for reference in Organization Policy.
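As an added check, not part of the thread above: once the binding is in place, a practitioner usually wants to verify it from the key's IAM policy rather than trust the command succeeded. The Python helper below is my own (it is not from the thread or from Google); it assumes the policy was exported as JSON, for instance with `gcloud kms keys get-iam-policy KEY --keyring KR --location LOC --format=json`, and the policy shown is a constructed sample in that shape. It reports whether a member holds a decrypt-capable role without an IAM condition and lists service accounts from projects other than the key's own, which is the set a cross-organization grant introduces and that the key's organization can block with the iam.allowedPolicyMemberDomains organization policy constraint.

```python
import json
import re

# Constructed sample in the shape returned by
# `gcloud kms keys get-iam-policy KEY --keyring KR --location LOC --format=json`
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/cloudkms.admin",
     "members": ["user:admin@example.com"]},
    {"role": "roles/cloudkms.cryptoKeyDecrypter",
     "members": ["serviceAccount:svcacct@project2.iam.gserviceaccount.com",
                 "serviceAccount:app@project1.iam.gserviceaccount.com"]},
    {"role": "roles/cloudkms.cryptoKeyEncrypter",
     "members": ["serviceAccount:svcacct@project2.iam.gserviceaccount.com"],
     "condition": {"title": "temporary", "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}}
  ],
  "etag": "BwXyZ="
}""")

# Predefined roles that carry cloudkms.cryptoKeyVersions.useToDecrypt.
# Basic roles (roles/owner) and custom roles are not expanded here.
DECRYPT_ROLES = {"roles/cloudkms.cryptoKeyDecrypter", "roles/cloudkms.cryptoKeyEncrypterDecrypter"}
SA_RE = re.compile(r"^serviceAccount:[^@]+@([a-z0-9-]+)\.iam\.gserviceaccount\.com$")


def service_account_project(member):
    """Project id of a service account member, or None for other principal types."""
    m = SA_RE.match(member)
    return m.group(1) if m else None


def unconditional_roles(policy, member):
    """Roles granted to `member` by bindings that carry no IAM condition.
    Conditional bindings are skipped: whether they apply depends on the request."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", []) and "condition" not in b}


def can_decrypt(policy, member):
    """True if the key policy unconditionally grants a decrypt-capable role."""
    return bool(unconditional_roles(policy, member) & DECRYPT_ROLES)


def external_members(policy, key_project):
    """Service accounts from projects other than the key's own project (e.g. the
    project2 account granted in the thread), sorted for stable review output."""
    found = set()
    for b in policy.get("bindings", []):
        for member in b.get("members", []):
            proj = service_account_project(member)
            if proj is not None and proj != key_project:
                found.add(member)
    return sorted(found)
```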
Hello @dionv,
Thank you for the suggestion; this is one of the workarounds to grant KMS key access to project2 in another organization.
Thank you once again.
Regards,
Sagar Vyas