5
votes

This GCP article suggests using two separate projects: one for key management, another for encryption/decryption.

This seems like a setup that works with User roles, but not with Service roles as a Service role is bound to the project it belongs to. Am I missing something?

Is there actually a way to have one role (in, let's say, Project 1), that creates KMS keys, and then have a service role (in, let's say, Project 2) that can access said keys at runtime for decryption?


1 Answer

11
votes

It's possible! You can add an IAM policy binding whose principal (member) and resource are in different projects.

To grant svcacct@project2.iam.gserviceaccount.com decryption access to a particular key in project1, you can, for example, run:

$ KMS_KEY_RESOURCE_NAME=projects/project1/locations/${location}/keyRings/${keyring_name}/cryptoKeys/${crypto_key_name}
$ # The fully qualified key name already carries the location and key ring,
$ # so --location / --keyring are not needed here.
$ gcloud kms keys add-iam-policy-binding ${KMS_KEY_RESOURCE_NAME} \
  --member serviceAccount:svcacct@project2.iam.gserviceaccount.com \
  --role roles/cloudkms.cryptoKeyDecrypter

You can also do this by pasting svcacct@project2.iam.gserviceaccount.com directly into the "Add members" textbox under "Permissions" for a KeyRing or Key selected under http://console.cloud.google.com/iam-admin/kms?project=project1
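The cross-project grant above, as an added example that is not part of the answer or of any Google tooling: it reproduces offline the read-modify-write that `gcloud kms keys add-iam-policy-binding` performs against the key's IAM policy (get the policy, add the member to the role's binding, write it back with the original etag so a concurrent edit is rejected). It also parses the two identifiers to confirm the key and the service account really are in different projects, and refuses to hand a runtime decryptor anything broader than a decrypt role. The project IDs, key ring, key, service account name, etag and the starting policy are all constructed placeholders; the `RUNTIME_ROLES` allow-list is this example's own least-privilege rule, not a Cloud KMS restriction.

```python
"""Cross-project Cloud KMS grant as a policy read-modify-write (added example).

Runs offline on a constructed policy document. In a real run the policy would
come from the key's getIamPolicy call and the result would go to setIamPolicy;
every concrete name below (project1, project2, svcacct, the etag) is assumed.
"""
import copy
import re

# Fully qualified CryptoKey name, the shape used in KMS_KEY_RESOURCE_NAME above.
_KEY_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<keyring>[^/]+)/cryptoKeys/(?P<key>[^/]+)$"
)
# IAM member string for a service account; its project is in the e-mail domain.
_SA_RE = re.compile(
    r"^serviceAccount:[^@/]+@(?P<project>[a-z][-a-z0-9]*)\.iam\.gserviceaccount\.com$"
)

# Roles this example is willing to give a runtime decryptor (nothing that can
# create, destroy or re-grant keys). An assumed rule of this example only.
RUNTIME_ROLES = {
    "roles/cloudkms.cryptoKeyDecrypter",
    "roles/cloudkms.cryptoKeyEncrypterDecrypter",
}


def parse_key_name(name):
    """Split a CryptoKey resource name into project/location/keyring/key."""
    m = _KEY_RE.match(name)
    if not m:
        raise ValueError(f"not a CryptoKey resource name: {name!r}")
    return m.groupdict()


def member_project(member):
    """Project that owns the service account named in an IAM member string."""
    m = _SA_RE.match(member)
    if not m:
        raise ValueError(f"not a service-account member: {member!r}")
    return m.group("project")


def is_cross_project(key_name, member):
    """True when the key and the service account live in different projects."""
    return parse_key_name(key_name)["project"] != member_project(member)


def add_binding(policy, role, member):
    """Return a copy of `policy` with `member` present in `role`'s binding.

    Idempotent (a second add leaves one entry) and etag-preserving, so the
    caller can hand the result to setIamPolicy and KMS will reject the write
    if the policy changed underneath it.
    """
    new = copy.deepcopy(policy)
    bindings = new.setdefault("bindings", [])
    for b in bindings:
        if b["role"] == role:
            if member not in b["members"]:
                b["members"].append(member)
            return new
    bindings.append({"role": role, "members": [member]})
    return new


def grant_runtime_decrypt(key_name, member, role, current_policy):
    """Build the policy that grants `member` decrypt rights on `key_name`.

    Rejects roles broader than a runtime decryptor needs and fails early on a
    malformed key name or member. KMS itself accepts members from any project,
    so being cross-project is not an error, only something to report.
    """
    if role not in RUNTIME_ROLES:
        raise ValueError(f"{role} is broader than a runtime decryptor needs")
    parse_key_name(key_name)
    member_project(member)
    return add_binding(current_policy, role, member)


def set_iam_policy_request(key_name, policy):
    """Request shape for setIamPolicy on the key: the resource plus the policy."""
    return {"resource": key_name, "policy": policy}


# Constructed sample input: project1's key before the grant.
KEY_NAME = "projects/project1/locations/global/keyRings/app-ring/cryptoKeys/app-key"
MEMBER = "serviceAccount:svcacct@project2.iam.gserviceaccount.com"
CURRENT_POLICY = {
    "version": 1,
    "etag": "BwXConstructedEtag=",
    "bindings": [
        {"role": "roles/cloudkms.admin", "members": ["user:keyadmin@example.com"]},
    ],
}

if __name__ == "__main__":
    new_policy = grant_runtime_decrypt(
        KEY_NAME, MEMBER, "roles/cloudkms.cryptoKeyDecrypter", CURRENT_POLICY)
    print("cross-project grant:", is_cross_project(KEY_NAME, MEMBER))
    print(set_iam_policy_request(KEY_NAME, new_policy))
```

The etag check is the part worth keeping when you script this for real: read the policy, modify it, and write it back with the etag you read, so two administrators editing the same key's policy cannot silently overwrite each other. Note that the member's project never appears anywhere in the key's policy except inside the member string itself, which is exactly why the binding works across projects.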