Issue with GCP CMEK

I am trying to implement GCP CMEK with a cross-project service account setup. That means GKE will be present in one GCP project and we will get the key from another GCP project, which I will use in my GKE project to encrypt the disks/storage etc., like a customer-managed key.

When I am trying to get the PVC provisioned, I am getting the error below. I have checked that the service account has already been given access to the role “Cloud KMS CryptoKey Encrypter/Decrypter” in the customer account.

Any suggestions why i am seeing this error ?

Warning ProvisioningFailed 6s (x5 over 20s) pd.csi.storage.gke.io_gke-da3df78f254241feb438-303c-8ce8-vm_fb6f748a-2751-40ce-8e99-5b1524d6b64f failed to provision volume with StorageClass “csi-gce-pd-cmek”: rpc error: code = Unknown desc = CreateVolume failed to create single zonal disk pvc-b4c4fcd6-9d33-4998-bd8e-10c90f262c6d: failed to insert zonal disk: unknown Insert disk error: googleapi: Error 400: Cloud KMS error when using key projects/chris-kms-project/locations/us-west1/keyRings/XXX/cryptoKeyVersions/1: Permission ‘cloudkms.cryptoKeyVersions.useToEncrypt’ denied on resource ‘projects/chris-kms-project/locations/us-west1/keyRings/XXX-cmk-test-uswest1key’ (or it may not exist)., kmsPermissionDenied

Hi @uttamkrpanda ,

Welcome to Google Cloud Community!

Here are the following suggestions:

  • Try running kubectl get pvc. If you see that the PVC status is Pending, check the events (Kubernetes Engine > Storage > Events) or use kubectl describe pvc “pvcname”. You might encounter an error related to “failed to provision volume with StorageClass”; to resolve this:
  1. Check if the cluster has the Compute Engine persistent disk CSI Driver enabled.
  2. Check the spec.accessModes in the PVC YAML. If it is ReadWriteMany, replace it with ReadWriteOnce instead.
  • If you encounter the error "Error creating Disk: googleapi: Error 400: Cloud KMS error when using key projects//locations//keyRings//: Permission ‘cloudkms.cryptoKeyVersions.useToEncrypt’ denied on resource ‘projects//locations//keyRings//’ (or it may not exist)., kmsPermissionDenied", ensure that you assign the correct service account. You may check the documentation on Required Roles and Avoid Permission Errors for further reference.

In addition, you can refer to the Limitations in Cloud KMS keys as a guide to using Cloud KMS keys.

I hope the above information is helpful.
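The permission check from the answer above, as an added shell helper that is not part of this thread: it pulls the key resource out of a kmsPermissionDenied PVC event and verifies that the GKE project's Compute Engine service agent holds the Encrypter/Decrypter role on that key in the KMS project. It assumes gcloud is authenticated with rights to describe the GKE project and read the key's IAM policy, and that the Compute Engine service agent (service-PROJECT_NUMBER@compute-system.iam.gserviceaccount.com) is the identity that attaches the key to the disk.

```shell
#!/bin/sh
# Added triage helper (not from the original thread). Assumptions: gcloud is
# authenticated; the principal that needs the KMS role is the GKE project's
# Compute Engine service agent, since it is the identity that creates the
# CMEK-encrypted disk in the KMS project's key.
set -eu

KMS_ROLE="roles/cloudkms.cryptoKeyEncrypterDecrypter"

# Extract the key resource named in a kmsPermissionDenied event: the text
# between "using key " and the next space or colon.
key_from_error() {
  printf '%s\n' "$1" | sed -n 's/.*using key \([^ :]*\).*/\1/p'
}

# The project id is the second path element of a KMS resource name.
project_from_key() {
  printf '%s\n' "$1" | cut -d/ -f2
}

# Compute Engine service agent email for a project number.
service_agent_email() {
  printf 'service-%s@compute-system.iam.gserviceaccount.com\n' "$1"
}

# Live check: does the key's IAM policy grant the GKE project's Compute
# Engine service agent the Encrypter/Decrypter role? Returns 1 if not.
check_cmek_binding() {
  gke_project=$1; key=$2   # key: projects/P/locations/L/keyRings/R/cryptoKeys/K
  kms_project=$(project_from_key "$key")
  number=$(gcloud projects describe "$gke_project" --format='value(projectNumber)')
  agent=$(service_agent_email "$number")
  if gcloud kms keys get-iam-policy "$key" \
       --flatten='bindings[].members' \
       --filter="bindings.members:serviceAccount:$agent" \
       --format='value(bindings.role)' | grep -qx "$KMS_ROLE"; then
    echo "OK: $agent has $KMS_ROLE on $key"
  else
    echo "MISSING: grant $KMS_ROLE to $agent on $key in project $kms_project" >&2
    return 1
  fi
}

# Usage: ./check_cmek.sh GKE_PROJECT_ID projects/P/locations/L/keyRings/R/cryptoKeys/K
[ $# -eq 0 ] || check_cmek_binding "$@"
```

Pass the cryptoKeys path of the key from the StorageClass; the event in the question names a cryptoKeyVersions path, which the same extractor also handles.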