Encryption of Google Compute Engine disks with KMS Key fails due to permission error

Problem

You observe permission errors during KMS encryption and decryption operations, similar to the following:

Error: Error creating Disk: googleapi: Error 400: Cloud KMS error when using key projects/<project id>/locations/<region>/keyRings/<key ring>/<key>: Permission 'cloudkms.cryptoKeyVersions.useToEncrypt' denied on resource 'projects/<project id>/locations/<region>/keyRings/<key ring>/<key>' (or it may not exist)., kmsPermissionDenied

However, the service account you are using already has the required Cloud KMS CryptoKey Encrypter/Decrypter role on the key ring in question.

Environment

  • Google Cloud Project
  • KMS to encrypt and decrypt data

Solution

Assign the Cloud KMS CryptoKey Encrypter/Decrypter role to the Compute Engine Service Agent on the project that runs Cloud KMS. The Service Agent's service account has the following format:

service-<PROJECT_NUMBER>@compute-system.iam.gserviceaccount.com
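The following script is an added example and not part of the original article. It derives the Compute Engine service agent email from the project number of the project where the disk is created, grants that agent the Cloud KMS CryptoKey Encrypter/Decrypter role on the key, and then checks that the binding is present. It assumes gcloud is installed and authenticated as a principal allowed to change the key's IAM policy, and that the key may live in a different project (KMS_PROJECT) than the Compute Engine project; the function names and the placeholder values are the example's own.

```shell
#!/bin/sh
# Added example (not from the original article): grant the Compute Engine
# service agent the Encrypter/Decrypter role on a KMS key and verify it.
set -e

# Build the Google-managed Compute Engine service agent email.
# The agent is keyed by the numeric project NUMBER, not the project ID.
compute_service_agent() {
  printf 'service-%s@compute-system.iam.gserviceaccount.com' "$1"
}

# Look up the numeric project number for a project ID via gcloud.
project_number_for() {
  gcloud projects describe "$1" --format='value(projectNumber)'
}

# Grant roles/cloudkms.cryptoKeyEncrypterDecrypter on one key to the agent.
#   $1 compute project ID (where the disk is created)
#   $2 KMS project ID (where the key ring lives), $3 location, $4 key ring, $5 key
grant_encrypter_decrypter() {
  agent="$(compute_service_agent "$(project_number_for "$1")")"
  gcloud kms keys add-iam-policy-binding "$5" \
    --project "$2" --location "$3" --keyring "$4" \
    --member "serviceAccount:${agent}" \
    --role roles/cloudkms.cryptoKeyEncrypterDecrypter
}

# Return 0 if the agent holds the role on the key, 1 otherwise (same args as above).
has_binding() {
  agent="$(compute_service_agent "$(project_number_for "$1")")"
  gcloud kms keys get-iam-policy "$5" \
    --project "$2" --location "$3" --keyring "$4" \
    --flatten='bindings[].members' \
    --filter="bindings.role=roles/cloudkms.cryptoKeyEncrypterDecrypter AND bindings.members=serviceAccount:${agent}" \
    --format='value(bindings.members)' | grep -q .
}

# Usage: ./grant_agent.sh COMPUTE_PROJECT KMS_PROJECT LOCATION KEYRING KEY
# Only runs when all five arguments are given, so sourcing the file is side-effect free.
if [ "$#" -eq 5 ]; then
  if has_binding "$@"; then
    echo "binding already present, nothing to do"
  else
    grant_encrypter_decrypter "$@"
    has_binding "$@" && echo "binding granted and verified"
  fi
fi
```

After the grant, re-run the disk creation; the `cloudkms.cryptoKeyVersions.useToEncrypt` denial disappears because the principal that actually calls Cloud KMS is now the service agent, not the account that issued the original request.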


Cause

The Compute Engine Service Agent is Google managed and has the format service-<PROJECT_NUMBER>@compute-system.iam.gserviceaccount.com. Compute Engine uses this account to perform its service duties on your project in the background. Some requests are ultimately carried out by this service account even when the original request was made by a different account. For example, the actual encryption and decryption operations against the KMS key are performed by this service account, so it requires the Cloud KMS CryptoKey Encrypter/Decrypter role to be authorized properly.