0

I followed the Spring Cloud GCP documentation to import credentials with spring.cloud.gcp.credentials.encoded-key and I tried to call KeyManagementServiceClient.asymmetricSign to sign some data but there's an error that happens:

com.google.api.gax.rpc.PermissionDeniedException: io.grpc.StatusRuntimeException: PERMISSION_DENIED: Permission 'cloudkms.cryptoKeyVersions.useToSign' denied on resource 'projects/xxx/locations/xxx/keyRings/xxx/cryptoKeys/xxx' (or it may not exist).

I'm pretty sure the credentials and KMS key are OK. When I use GOOGLE_APPLICATION_CREDENTIALS with JSON path to import the credentials, everything is fine. But it fails when I change the implementation to use Spring Cloud GCP Core to import the credentials.

For some reason, I must have to use GCP Core to import the credentials.

Moritz
  • 1,954
  • 2
  • 18
  • 28
user2640329
  • 1
  • Based on this [SO question](https://stackoverflow.com/q/53150044/1701388) where the permission in question in the error message is `cloudkms.cryptoKeyVersions.useToEncrypt`, the answer is that they didn't have IAM permissions to use to encrypt feature. In your case, it's `cloudkms.cryptoKeyVersions.useToSign`, so my guess is that you don't have IAM permissions to use to sign. Take a look at the answers there. – Chanseok Oh Aug 06 '21 at 14:34
  • If you're still having issues, could you share a reproducer sample application? There could be many things that we could only figure out by seeing the code; usually these are project setup issues either with application.properties setup or IAM permissions in your GCP project. Please also feel free to file an issue in the Spring Cloud GCP github project: https://github.com/googlecloudplatform/spring-cloud-gcp – CowZow Aug 09 '21 at 17:16
  • Thanks you guys! I found the root cause because I didn't set the service account key appropriate, and it load the default service account, which didn't have the cloudkms.cryptoKeyVersions.useToSign permissions. Thanks again :) – user2640329 Aug 10 '21 at 07:10
  • No problem, glad you figured it out! – CowZow Aug 13 '21 at 16:50

0 Answers0