
I am trying to grant access to serviceAccount:service-${data.google_project.infrastructure.number}@gs-project-accounts.iam.gserviceaccount.com on roles/cloudkms.cryptoKeyEncrypterDecrypter and create storage buckets using the code below:

# Grant the Cloud Storage service agent permission to use the KMS key
# (the project number is shown as 1111111111 in this post).
resource "google_project_iam_member" "grant-google-storage-service-encrypt-decrypt" {
  project    = var.gcp_project
  role       = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member     = "serviceAccount:service-1111111111@gs-project-accounts.iam.gserviceaccount.com"
  # The grant has to exist before a bucket uses the key, so it must not
  # depend on the bucket; it only needs the KMS API to be enabled first.
  depends_on = [google_project_service.apis["cloudkms.googleapis.com"]]
}

resource "google_storage_bucket" "dev-terraform-state" {
  name     = var.dev_terraform_state
  project  = var.gcp_project
  location = var.gcp_region # must match the key ring's location

  versioning {
    enabled = true
  }

  encryption {
    default_kms_key_name = google_kms_crypto_key.terraform-state-bucket.id
  }

  # Create the bucket only after the key exists and the service agent
  # has been granted the role on it.
  depends_on = [
    google_kms_key_ring.key-ring-terraform-state,
    google_kms_crypto_key.terraform-state-bucket,
    google_project_service.apis,
    google_project_iam_member.grant-google-storage-service-encrypt-decrypt,
  ]
}

Error:

│ Error: googleapi: Error 403: Permission denied on Cloud KMS key. Please ensure that your Cloud Storage service account has been authorized to use this key., forbidden
│ 
│   with google_storage_bucket.dev-terraform-state,
│   on main.tf line 170, in resource "google_storage_bucket" "dev-terraform-state":
│  170: resource "google_storage_bucket" "dev-terraform-state" {

Raju
  • Is the KMS key in the same location as the bucket? You cannot use a global location key. https://cloud.google.com/storage/docs/encryption/using-customer-managed-keys#prereqs – John Hanley Aug 27 '22 at 20:46
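The configuration below is an added example and is not part of the original question, comment or answer. It assumes the same var.gcp_project, var.gcp_region and var.dev_terraform_state variables as the question; the resource names (tf_state, tf-state-keyring, tf-state-key, gcs_account) are made up for illustration. It resolves the Cloud Storage service agent from the provider instead of hard-coding a project number, grants the role on the key itself rather than project-wide, keeps the key ring in the bucket's region (a global key cannot be a bucket's default key, as the comment notes), and makes the bucket depend on the grant so the 403 cannot occur on first apply:

```hcl
# Added example, not the original poster's code. Assumes var.gcp_project,
# var.gcp_region and var.dev_terraform_state; all resource names are made up.

# The Cloud Storage service agent of this project, i.e.
# service-<PROJECT_NUMBER>@gs-project-accounts.iam.gserviceaccount.com.
data "google_storage_project_service_account" "gcs_account" {
  project = var.gcp_project
}

# Key ring in the same region as the bucket that will use the key.
resource "google_kms_key_ring" "tf_state" {
  name     = "tf-state-keyring"
  project  = var.gcp_project
  location = var.gcp_region
}

resource "google_kms_crypto_key" "tf_state" {
  name            = "tf-state-key"
  key_ring        = google_kms_key_ring.tf_state.id
  rotation_period = "7776000s" # 90 days; old versions stay available for decryption

  lifecycle {
    # Destroying the key would make every object encrypted with it unreadable.
    prevent_destroy = true
  }
}

# Least privilege: grant the role on this one key, not on the whole project.
resource "google_kms_crypto_key_iam_member" "gcs_sa_encrypt_decrypt" {
  crypto_key_id = google_kms_crypto_key.tf_state.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}"
}

resource "google_storage_bucket" "tf_state" {
  name                        = var.dev_terraform_state
  project                     = var.gcp_project
  location                    = var.gcp_region # same location as the key ring
  uniform_bucket_level_access = true

  versioning {
    enabled = true
  }

  encryption {
    # Full resource name of the key: projects/.../locations/.../keyRings/.../cryptoKeys/...
    default_kms_key_name = google_kms_crypto_key.tf_state.id
  }

  # The service agent must already hold the role when the bucket is created,
  # otherwise the API rejects the request with the 403 shown in the question.
  depends_on = [google_kms_crypto_key_iam_member.gcs_sa_encrypt_decrypt]
}
```

After applying, the binding can be confirmed with `gcloud kms keys get-iam-policy tf-state-key --keyring tf-state-keyring --location <region>`, which should list the service agent under roles/cloudkms.cryptoKeyEncrypterDecrypter; if the bucket still fails to create, compare the bucket location with the key ring location before suspecting anything else.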

1 Answer


Sorry, it was due to the local cache, I think. After removing the terraform folder locally and re-running, it works fine.

Raju