
I have a keyring and key in Google Cloud KMS. I want to use the key to encrypt a secrets.yml file using helm secrets enc

I am the GCP project owner, and I have also given myself the specific encrypt/decrypt IAM role, which I don't think is needed, given I am the owner, but worth a try, I thought.

I'm getting the following permission denied error when trying to run helm secrets enc secrets.yml:

Could not generate data key: [failed to encrypt new data key with master key "projects/myproject-266813/locations/global/keyRings/myKeyRing/cryptoKeys/myKey": Failed to call GCP KMS encryption service: googleapi: Error 403: Permission 'cloudkms.cryptoKeyVersions.useToEncrypt' denied on resource 'projects/myproject-266813/locations/global/keyRings/myKeyRing/cryptoKeys/myKey' (or it may not exist)., forbidden]

My .sops.yml file:

creation_rules:
- gcp_kms: projects/mirkwood-266813/locations/global/keyRings/lotr/cryptoKeys/cdlkey

I am authenticated with the correct gcp account, so what am I missing?

Liam

Molenpad

1 Answer

The answer to this turned out to be really simple:

gcloud auth application-default login

or

use a service account

gcloud auth login

on its own did not work

Molenpad
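The answer hinges on the difference between the credentials `gcloud auth login` stores for the gcloud CLI itself and the Application Default Credentials (ADC) that the Google client libraries inside sops (and therefore `helm secrets`) look up. The following shell function is an added example, not code from the question, the answer, sops or helm-secrets: it reports which ADC source, if any, a client library would find on this machine, following the documented ADC lookup order (the `GOOGLE_APPLICATION_CREDENTIALS` variable first, then the file written by `gcloud auth application-default login`). The `HOME`/`CLOUDSDK_CONFIG` handling exists so the check can be pointed at a scratch directory; it does not probe the GCE metadata server, which is a further fallback on Google-hosted machines.

```shell
# Added example, not part of the original question or answer.
# Report the Application Default Credentials source that sops/helm-secrets'
# KMS client would pick up, or explain why none is found.
#   return 0 -> usable ADC source found
#   return 1 -> nothing found (the situation in the question)
#   return 2 -> GOOGLE_APPLICATION_CREDENTIALS points at an unreadable file
check_adc() {
    # 1. Explicit service-account key file named by the environment variable
    if [ -n "${GOOGLE_APPLICATION_CREDENTIALS:-}" ]; then
        if [ -r "$GOOGLE_APPLICATION_CREDENTIALS" ]; then
            echo "ADC source: GOOGLE_APPLICATION_CREDENTIALS=$GOOGLE_APPLICATION_CREDENTIALS"
            return 0
        fi
        echo "GOOGLE_APPLICATION_CREDENTIALS is set but not readable: $GOOGLE_APPLICATION_CREDENTIALS" >&2
        return 2
    fi

    # 2. File written by 'gcloud auth application-default login'
    #    (gcloud honours CLOUDSDK_CONFIG as an alternative config directory)
    cfg="${CLOUDSDK_CONFIG:-$HOME/.config/gcloud}"
    adc="$cfg/application_default_credentials.json"
    if [ -r "$adc" ]; then
        echo "ADC source: $adc"
        return 0
    fi

    # 3. Nothing found. 'gcloud auth login' only populates gcloud's own
    #    credential store, which the KMS client library does not read,
    #    so the KMS call is made anonymously and fails with 403.
    echo "No Application Default Credentials found (looked for $adc)." >&2
    echo "Run 'gcloud auth application-default login', or set GOOGLE_APPLICATION_CREDENTIALS to a service-account key file." >&2
    return 1
}
```

Run `check_adc` in the same shell session (or container) in which `helm secrets enc` is failing: a return code of 1 means the tool has no credentials to present to KMS at all, which is the case the 403 in the question describes, and is distinct from a genuine IAM problem, where ADC exist but the principal lacks `cloudkms.cryptoKeyVersions.useToEncrypt` on the key.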