
CMEK Encryption Key in Google Cloud Storage

Hi there folks, I have googled for a while and can't seem to find an answer.

So my question is: Can I use a user-managed service account for the purpose of using CMEK encryption for GCS?

I coded this in Go; even though I hard-coded the credentials by exporting GOOGLE_APPLICATION_CREDENTIALS explicitly, it still throws this error:

Failed to create object reader: googleapi: got HTTP response code 403 with body: <?xml version='1.0' encoding='UTF-8'?><Error><Code>AccessDenied</Code><Message>Permission denied on Cloud KMS key. Please ensure that your Cloud Storage service account has been authorized to use this key.</Message></Error>

^ This is deliberate; I just want to verify which SA is being used, so I granted the GCS service agent a minimum role.

It seems like it won't read the custom SA; it always points to the role of the service agent inside GCS.

The closest thread I could find that matches my use case is this: https://stackoverflow.com/questions/56320241/permission-denied-on-cloud-kms-key-when-using-cloud-sto... , but I guess there is no answer to that.

I was wondering whether this Cloud KMS encrypt/decrypt usage can be done using a custom service account (user-created SA) or not?

Thanks.

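The 403 in the post reflects the identity split that CMEK on Cloud Storage relies on: the credentials exported in GOOGLE_APPLICATION_CREDENTIALS (the user-managed SA) authorize the storage call itself, while the Cloud KMS decrypt for a CMEK-protected object is performed by the project's Cloud Storage service agent, service-PROJECT_NUMBER@gs-project-accounts.iam.gserviceaccount.com, which is why the error names "your Cloud Storage service account". A user-managed SA therefore works fine as the caller, but it is never the identity that touches the key; the service agent needs roles/cloudkms.cryptoKeyEncrypterDecrypter on the key instead. The Go program below is an added example and not the poster's code: it parses the XML error body quoted above, tells a KMS denial apart from an ordinary object-level denial, and builds the gcloud command that grants the service agent the key role. The project number, project ID, location, key ring and key name are placeholders chosen for the example, and the object-level error text is constructed for illustration.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"strings"
)

// gcsError mirrors the XML error document the Cloud Storage XML API returns
// with a 403 (the googleapi error string in the post embeds it verbatim).
type gcsError struct {
	XMLName xml.Name `xml:"Error"`
	Code    string   `xml:"Code"`
	Message string   `xml:"Message"`
}

// ParseGCSError extracts and decodes the <Error> document from an error string
// such as "googleapi: got HTTP response code 403 with body: <?xml ...".
func ParseGCSError(errText string) (gcsError, error) {
	var e gcsError
	start := strings.Index(errText, "<Error>")
	end := strings.LastIndex(errText, "</Error>")
	if start < 0 || end < start {
		return e, errors.New("no <Error> document in error text")
	}
	if err := xml.Unmarshal([]byte(errText[start:end+len("</Error>")]), &e); err != nil {
		return e, err
	}
	return e, nil
}

// IsCMEKDenied is true when the denial concerns the Cloud KMS key rather than
// the bucket or object. Both cases carry Code=AccessDenied; only the KMS case
// mentions the key, because only the service agent's KMS access is at fault.
func IsCMEKDenied(e gcsError) bool {
	return e.Code == "AccessDenied" && strings.Contains(e.Message, "Cloud KMS key")
}

// ServiceAgent returns the Cloud Storage service agent for a project number.
// This identity, not the caller's user-managed SA, performs the KMS
// encrypt/decrypt for CMEK-protected objects.
func ServiceAgent(projectNumber string) string {
	return "service-" + projectNumber + "@gs-project-accounts.iam.gserviceaccount.com"
}

// GrantCommand builds the gcloud command that authorizes the service agent on
// the key. The caller's own SA needs only Cloud Storage permissions (for a
// read, storage.objects.get, e.g. via roles/storage.objectViewer) and no KMS role.
func GrantCommand(projectNumber, project, location, keyRing, key string) string {
	return fmt.Sprintf(
		"gcloud kms keys add-iam-policy-binding %s --keyring=%s --location=%s --project=%s "+
			"--member=serviceAccount:%s --role=roles/cloudkms.cryptoKeyEncrypterDecrypter",
		key, keyRing, location, project, ServiceAgent(projectNumber))
}

// Diagnose turns a storage client error string into a short remediation hint.
func Diagnose(errText, projectNumber, project, location, keyRing, key string) string {
	e, err := ParseGCSError(errText)
	if err != nil {
		return "not a Cloud Storage XML error: " + errText
	}
	if IsCMEKDenied(e) {
		return "KMS denial for service agent " + ServiceAgent(projectNumber) + "; run:\n" +
			GrantCommand(projectNumber, project, location, keyRing, key)
	}
	return "bucket/object denial for the caller's own credentials: " + e.Message
}

func main() {
	// Error text taken from the post's 403; project/key values are hypothetical placeholders.
	const errText = "googleapi: got HTTP response code 403 with body: " +
		"<?xml version='1.0' encoding='UTF-8'?><Error><Code>AccessDenied</Code>" +
		"<Message>Permission denied on Cloud KMS key. Please ensure that your Cloud Storage " +
		"service account has been authorized to use this key.</Message></Error>"
	fmt.Println(Diagnose(errText, "123456789012", "my-project", "us-central1", "gcs-ring", "gcs-key"))
}
```

After the binding is in place, the Go storage client keeps running as the user-managed SA from GOOGLE_APPLICATION_CREDENTIALS; nothing in the client code changes, because the key is used on the server side by the service agent.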