
CMEK Encryption Key in Google Cloud Storage

Hi there folks, I have googled for a while and can't seem to find an answer.

So my question is: can I use a user-managed service account for the purpose of using CMEK encryption for GCS?

I coded it in Go; even though I hard-coded the credentials by exporting GOOGLE_APPLICATION_CREDENTIALS explicitly, it still throws this error:

Failed to create object reader: googleapi: got HTTP response code 403 with body: <?xml version='1.0' encoding='UTF-8'?><Error><Code>AccessDenied</Code><Message>Permission denied on Cloud KMS key. Please ensure that your Cloud Storage service account has been authorized to use this key.</Message></Error>

^ This is deliberate; I just want to verify which SA is being used, so I granted the GCS service agent the minimum role.

It seems like it won't read the custom SA; it always points to the role of the service agent inside GCS.

The closest thread I could find that matched my use case is this: https://stackoverflow.com/questions/56320241/permission-denied-on-cloud-kms-key-when-using-cloud-sto... , but I guess there's no answer to that.

I was wondering, can this Cloud KMS encrypt/decrypt usage be done using a custom service account (user-created SA) or not?

Thanks.


Hello @irivai,

Thank You for contacting Google Cloud Community.

When using Customer-Managed Encryption Keys (CMEK) with Google Cloud Storage (GCS), the Cloud Storage service agent needs to be authorized to use the Cloud KMS key, even if you are using a user-managed service account. This is a requirement because the GCS service agent is responsible for handling the encryption and decryption operations on the storage objects.

Common pitfalls that could cause this issue:
  1. Using Default Service Account: Ensure that your application is not unintentionally using any other service account that does not have the necessary permissions.
  2. Incorrect IAM Roles: Double-check the IAM roles and bindings to make sure that the necessary permissions are correctly assigned.

Please be aware that the service agent is a special type of service account that acts on behalf of a Google Cloud service. Cloud Storage uses a service agent for the following features:

For more information, please refer to this document.

I hope the above provided information is helpful. 

Thanks & Regards, 

Manish Bavireddy. 
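The reply above makes the point that matters for the original question: with CMEK on a bucket, the caller's service account never talks to Cloud KMS. Cloud Storage calls KMS on the caller's behalf using its own service agent, service-PROJECT_NUMBER@gs-project-accounts.iam.gserviceaccount.com, so the KMS binding goes on that agent and the user-managed SA only needs object permissions on the bucket. That is also why the error body names the "Cloud Storage service account" and never the SA in GOOGLE_APPLICATION_CREDENTIALS. The following is an added example, not code from the original post or from Google: a small Go helper that parses the XML 403 body the poster quoted and reports which principal actually needs a grant, with the gcloud command that fixes it. The project number, service-account name, location, key ring and key name are placeholders, and the second sample error body is constructed to show the other case (a plain object-permission denial).

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// gcsXMLError is the <Error> document Cloud Storage returns in a 403 body
// (the shape quoted in the original post).
type gcsXMLError struct {
	XMLName xml.Name `xml:"Error"`
	Code    string   `xml:"Code"`
	Message string   `xml:"Message"`
}

// Principal says whose IAM bindings a 403 is really complaining about.
type Principal int

const (
	PrincipalUnknown      Principal = iota
	PrincipalCaller                 // the identity in GOOGLE_APPLICATION_CREDENTIALS
	PrincipalServiceAgent           // service-<project number>@gs-project-accounts.iam.gserviceaccount.com
)

// StorageServiceAgent builds the Cloud Storage service agent e-mail for a
// project. projectNumber is the numeric project number, not the project ID.
func StorageServiceAgent(projectNumber string) string {
	return fmt.Sprintf("service-%s@gs-project-accounts.iam.gserviceaccount.com", projectNumber)
}

// ParseGCSError pulls <Code> and <Message> out of a googleapi error string,
// skipping any wrapper text and the XML declaration in front of <Error>.
func ParseGCSError(errText string) (gcsXMLError, error) {
	var e gcsXMLError
	i := strings.Index(errText, "<Error")
	if i < 0 {
		return e, fmt.Errorf("no <Error> element in %q", errText)
	}
	if err := xml.Unmarshal([]byte(errText[i:]), &e); err != nil {
		return e, err
	}
	return e, nil
}

// Diagnose maps a 403 body to the principal that needs a grant and the fix.
// callerSA is the user-managed service account the program authenticates as;
// location/keyRing/key name the CMEK key (placeholders in main below).
func Diagnose(errText, callerSA, projectNumber, location, keyRing, key string) (Principal, string) {
	e, err := ParseGCSError(errText)
	if err != nil || e.Code != "AccessDenied" {
		return PrincipalUnknown, "not a Cloud Storage AccessDenied body; inspect the raw error"
	}
	if strings.Contains(e.Message, "Cloud KMS key") {
		// Cloud Storage itself calls KMS, so the binding on the key must go to
		// the service agent. callerSA needs no KMS permission at all.
		agent := StorageServiceAgent(projectNumber)
		return PrincipalServiceAgent, fmt.Sprintf(
			"gcloud kms keys add-iam-policy-binding %s --keyring=%s --location=%s "+
				"--member=serviceAccount:%s --role=roles/cloudkms.cryptoKeyEncrypterDecrypter",
			key, keyRing, location, agent)
	}
	// Any other AccessDenied is about the caller's own object permissions.
	return PrincipalCaller, fmt.Sprintf(
		"grant %s storage.objects.get (e.g. roles/storage.objectViewer) on the bucket", callerSA)
}

func main() {
	// Constructed sample: the error string from the original post as the Go
	// client surfaces it, with placeholder project, SA and key names.
	const sample = "Failed to create object reader: googleapi: got HTTP response code 403 with body: " +
		"<?xml version='1.0' encoding='UTF-8'?><Error><Code>AccessDenied</Code>" +
		"<Message>Permission denied on Cloud KMS key. Please ensure that your Cloud Storage " +
		"service account has been authorized to use this key.</Message></Error>"
	who, fix := Diagnose(sample, "app-reader@my-project.iam.gserviceaccount.com",
		"123456789012", "us-central1", "my-ring", "my-key")
	fmt.Println(who == PrincipalServiceAgent, fix)
}
```

Run it against the error text your client returns; if it reports PrincipalServiceAgent, granting more roles to the user-managed SA will not change anything, because that SA is not the identity making the KMS call.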

 

Hi Manish,

Yes, but even though I have allowed the correct IAM role for the service account to be able to access the KMS key, the error thrown doesn't even mention the SA itself; it just keeps mentioning the service agent. So I guess it's not possible at the SA level?