4 votes

I'm trying to add encrypted SSH keys to Google KMS, using this documentation, for accessing a private repository as a dependency on Google App Engine (Node.js project).

I have successfully generated Cloud KMS KeyRing and CryptoKey but I'm facing an error while encrypting the key.

(gcloud.kms.encrypt) PERMISSION_DENIED: Permission 'cloudkms.cryptoKeyVersions.useToEncrypt' denied for resource 'projects/test/locations/global/keyRings/my-keyring/cryptoKeys/key'.

I need some help setting this up so I can use this SSH key on GAE.

2
Please do not show your problem using screenshots. This prevents others from searching on a similar issue and prevents them from finding your question. - John Hanley
@JohnHanley Apologies, I have added the line in which I'm facing the issue. - Shubham Singh
My answer explains what is wrong and how to correct it. - John Hanley

2 Answers

4 votes

You do not have the IAM permission to use the encrypt feature.

Advice: do not practice on your real SSH keys. Make a copy of them in a different directory. Then learn how to use IAM and KMS on the copies.

"I need some help setting this up so I can use this SSH key on GAE."

I'm not sure what you are trying to accomplish by KMS-encrypting SSH keys for use on GAE.

To allow a user or service account to use a particular key to encrypt or decrypt, they must have the cloudkms.cryptoKeyEncrypterDecrypter, cloudkms.cryptoKeyEncrypter, cloudkms.cryptoKeyDecrypter, or owner role, as per the chart in Permissions and Roles.

Example command to grant a service account permissions:

gcloud kms keys add-iam-policy-binding \
  golden-egg --location global --keyring golden-goose \
  --member serviceAccount:[email protected] \
  --role roles/cloudkms.cryptoKeyEncrypterDecrypter

Similar command to grant a user permissions:

gcloud kms keys add-iam-policy-binding \
  golden-egg --location global --keyring golden-goose \
  --member user:[email protected] \
  --role roles/cloudkms.cryptoKeyEncrypterDecrypter

Granting permissions to use keys

Permissions and Roles
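As an added example that is not part of the original answer: the checker below reads the JSON that `gcloud kms keys get-iam-policy KEY --location LOC --keyring RING --format=json` prints for a key, reports whether a given principal can encrypt and decrypt with it, flags grants to allUsers/allAuthenticatedUsers, skips conditional and `deleted:` bindings, and builds the `add-iam-policy-binding` command for the narrowest role that covers what is still missing. The role-to-permission table is an assumption restricted to the four roles the answer lists; the sample policy, the principals (the App Engine default service account `test@appspot.gserviceaccount.com` and the users alice, bob and carol) and their grants are constructed for illustration, with only project `test`, keyring `my-keyring` and key `key` borrowed from the error message in the question.

```python
# Added example (not from the question or the answers): audit a Cloud KMS
# key's IAM policy for encrypt/decrypt access and build the fixing command.
import json
import shlex

ENCRYPT = "cloudkms.cryptoKeyVersions.useToEncrypt"  # named in the question's error
DECRYPT = "cloudkms.cryptoKeyVersions.useToDecrypt"

# Assumption: per the chart the answer cites, only these roles carry the two
# "use" permissions.  roles/cloudkms.admin and custom roles are left out on
# purpose, so an unknown role is treated as granting neither.
ROLE_PERMISSIONS = {
    "roles/cloudkms.cryptoKeyEncrypterDecrypter": {ENCRYPT, DECRYPT},
    "roles/cloudkms.cryptoKeyEncrypter": {ENCRYPT},
    "roles/cloudkms.cryptoKeyDecrypter": {DECRYPT},
    "roles/owner": {ENCRYPT, DECRYPT},
}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}  # never acceptable on a key

# Constructed sample in the shape `gcloud kms keys get-iam-policy --format=json`
# prints.  The principals are assumed; "test" is the project in the question.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/cloudkms.cryptoKeyDecrypter",
     "members": ["serviceAccount:test@appspot.gserviceaccount.com"]},
    {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
     "members": ["user:alice@example.com", "deleted:user:bob@example.com?uid=1234567890"]},
    {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
     "members": ["user:carol@example.com"],
     "condition": {"title": "break-glass",
                   "expression": "request.time < timestamp('2019-01-01T00:00:00Z')"}},
    {"role": "roles/cloudkms.cryptoKeyEncrypter", "members": ["allAuthenticatedUsers"]}
  ],
  "version": 3
}""")

def effective_permissions(policy, member):
    """Permissions `member` holds via unconditional bindings.  A conditional
    binding only applies while its CEL expression is true, so it is skipped;
    a `deleted:` member is inert and never equals a live principal name."""
    perms = set()
    for b in policy.get("bindings", []):
        if "condition" not in b and member in b.get("members", []):
            perms |= ROLE_PERMISSIONS.get(b["role"], set())
    return perms

def can_encrypt(policy, member):
    return ENCRYPT in effective_permissions(policy, member)

def can_decrypt(policy, member):
    return DECRYPT in effective_permissions(policy, member)

def conditional_grants(policy, member):
    """CEL expressions of conditional bindings naming `member`, for manual review."""
    return [b["condition"]["expression"] for b in policy.get("bindings", [])
            if "condition" in b and member in b.get("members", [])]

def public_grants(policy):
    """(member, role) pairs that hand encrypt/decrypt rights to everyone."""
    return [(m, b["role"]) for b in policy.get("bindings", [])
            for m in b.get("members", [])
            if m in PUBLIC_MEMBERS and ROLE_PERMISSIONS.get(b["role"])]

def least_privilege_role(needs_encrypt, needs_decrypt):
    """Narrowest cloudkms role: sealing once needs Encrypter, unsealing at runtime Decrypter."""
    if needs_encrypt and needs_decrypt:
        return "roles/cloudkms.cryptoKeyEncrypterDecrypter"
    if needs_encrypt:
        return "roles/cloudkms.cryptoKeyEncrypter"
    if needs_decrypt:
        return "roles/cloudkms.cryptoKeyDecrypter"
    raise ValueError("no permission requested")

def grant_command(key, location, keyring, member, role):
    """gcloud command adding `role` for `member` on one key.  Rejects a bare
    e-mail (gcloud needs the IAM type prefix) and the basic owner role, which
    is far broader than a key-level grant should be."""
    if member.split(":", 1)[0] not in {"user", "serviceAccount", "group"}:
        raise ValueError("member needs a user:/serviceAccount:/group: prefix")
    if not role.startswith("roles/cloudkms.") or role not in ROLE_PERMISSIONS:
        raise ValueError("not a key-level cloudkms role: " + role)
    argv = ["gcloud", "kms", "keys", "add-iam-policy-binding", key,
            "--location", location, "--keyring", keyring,
            "--member", member, "--role", role]
    return " ".join(shlex.quote(a) for a in argv)

def audit(policy, member, needs_encrypt, needs_decrypt,
          key="key", location="global", keyring="my-keyring"):
    """What `member` can do now, what is wide open, and the one command that
    grants the narrowest role covering what is still missing."""
    have_enc, have_dec = can_encrypt(policy, member), can_decrypt(policy, member)
    missing = (needs_encrypt and not have_enc, needs_decrypt and not have_dec)
    fix = grant_command(key, location, keyring, member,
                        least_privilege_role(*missing)) if any(missing) else None
    return {"can_encrypt": have_enc, "can_decrypt": have_dec,
            "conditional": conditional_grants(policy, member),
            "public": public_grants(policy), "fix": fix}

if __name__ == "__main__":
    sa = "serviceAccount:test@appspot.gserviceaccount.com"
    for k, v in audit(SAMPLE_POLICY, sa, True, True).items():
        print(k, v)
```

Run against the sample, the App Engine service account turns out to hold only Decrypter, so the suggested fix adds cryptoKeyEncrypter rather than the broader EncrypterDecrypter; the allAuthenticatedUsers binding is reported separately because no fix command should ever be the answer to that, removal is. Against a real key, pipe `gcloud kms keys get-iam-policy ... --format=json` into `json.load` and pass the result in place of `SAMPLE_POLICY`.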

1 vote

Enable settings on CloudBuild

Cloud Build -> settings > Cloud KMS - Cloud KMS CryptoKey Decrypter -> enabled

It worked for me.