You can use Cloud Key Management Service (Cloud KMS)
customer-managed encryption keys (CMEK) to protect
Eventarc. The keys are created and managed through Cloud Key Management Service.
This page shows you how to resolve issues that you might encounter when using
Cloud Key Management Service with Eventarc.
The following table describes different errors and how to resolve them.
| Error message | Description |
| --- | --- |
| Permission 'cloudkms.cryptoKeyVersions.useToEncrypt' denied on resource $KEY (or it may not exist). | Either the provided Cloud KMS key does not exist or the permission is not properly configured. Solution: Ensure that the Eventarc service agent has been granted the cloudkms.cryptoKeyEncrypterDecrypter role and has been added as a principal to the Cloud KMS key. |
| Key region $REGION must match the resource to be protected. | The provided KMS key region is different from the region of the channel. Solution: Use a Cloud KMS key from the same region. Note: For channels in multi-region eu, you should protect it using a Cloud KMS key in multi-region europe. For more information, see Cloud KMS multi-regional and Eventarc multi-regional locations. |
| Quota exceeded for limit. | Too many Cloud KMS requests and your quota limit has been reached. Solution: Limit the number of Cloud KMS calls. Increase the quota limit. For information about quotas, including viewing or requesting additional quotas, see Cloud KMS quotas. |
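The first two errors in the table can be caught before a key is attached to a channel. The following is an added example, not part of the original page: a shell pre-flight check that compares the key's location with the channel's location (including the eu/europe case) and prints the IAM binding for the Eventarc service agent. The function names, project, key and project number are constructed, and the assumption that every location other than eu uses the same name in Cloud KMS is this example's, not the page's.

```shell
#!/bin/sh
# Added example: offline pre-flight checks for a CMEK key used with an
# Eventarc channel. All resource names below are constructed sample values.

# Extract the location from a full Cloud KMS key resource name:
# projects/P/locations/L/keyRings/R/cryptoKeys/K
kms_key_location() {
  case "$1" in
    projects/*/locations/*/keyRings/*/cryptoKeys/*)
      rest=${1#projects/*/locations/}
      printf '%s\n' "${rest%%/*}" ;;
    *) return 1 ;;
  esac
}

# Key location required for a channel location. Per the page, channels in
# multi-region "eu" need a key in multi-region "europe". Assumption: every
# other location uses the same name on both sides.
expected_key_location() {
  case "$1" in
    eu) printf 'europe\n' ;;
    *)  printf '%s\n' "$1" ;;
  esac
}

# Returns 0 if the key can protect the channel, 1 on a region mismatch,
# 2 if the key resource name is malformed.
check_key_region() {
  key=$1
  channel_location=$2
  actual=$(kms_key_location "$key") || { echo "malformed key name: $key" >&2; return 2; }
  wanted=$(expected_key_location "$channel_location")
  if [ "$actual" != "$wanted" ]; then
    echo "key is in '$actual'; channel in '$channel_location' needs '$wanted'" >&2
    return 1
  fi
}

# Print (do not run) the binding that grants the Eventarc service agent the
# role named in the table. $2 is the project number of the channel's project.
grant_command() {
  printf 'gcloud kms keys add-iam-policy-binding %s \\\n' "$1"
  printf '  --member=serviceAccount:service-%s@gcp-sa-eventarc.iam.gserviceaccount.com \\\n' "$2"
  printf '  --role=roles/cloudkms.cryptoKeyEncrypterDecrypter\n'
}

DEMO_KEY=projects/example-project/locations/europe/keyRings/example-ring/cryptoKeys/example-key
check_key_region "$DEMO_KEY" eu && grant_command "$DEMO_KEY" 123456789012
```
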
To resolve issues that you might encounter when using externally managed keys
through Cloud External Key Manager (Cloud EKM), see
Cloud EKM error reference.
Last updated 2025-01-28 UTC.