Issue with Cloud Run with CMEK (and EKM)

Hey!

I’m trying to set-up Customer Managed Encryption Key on Cloud Run, and while I had no issue with BigQuery, it is not working on Cloud Run.

I don’t get many information on the crash, it just times out after like 20 minutes, and it says:

• The service has encountered an error during container import. Please try again later. Resource readiness deadline exceeded.

Here’s what I tried:

• Disabling the remote key (on Thales) does make an error, so it is correctly contacting Thales when trying to spin it up
• With an “Hello” container, it stills the same issue
• The role is correctly set to the service account
• Disabling the CMEK correctly deploy the cloud run, enabling it after it was deployed goes back to the resource readiness deadline error
• I’ve tried setting up custom startup_probe, but it doesn’t change anything
• Checking the auditlog from both the KMS & CloudRun service, I just see a lot of Encrypt and then Decrypt from the service account, but all are granted.

I’m at a lost as to what I can try more to be honest, so open to anything!
Thanks.

Hi Isak,

Have you properly followed the steps on this documentation?
According to this documentation,

The server has encountered an internal error. Please try again later. Resource readiness deadline exceeded.

This issue might occur when the Cloud Run service agent does not exist, or when it does not have the Cloud Run Service Agent (roles/run.serviceAgent) role.

Hey, thanks for the reply !

This was done on a brand new project (and I just double checked), but the service agent is correctly there, and with the correct role.

Hi!

If the documentation is properly followed then we can’t help you here. It’s better to reach Google Cloud Support to inspect and to further investigate what’s happening in your project. You can reach Google Cloud Support here.

Regards,

Hi,

That requires a subscription though no ? As it’s not really a billing issue ?