This GCP article suggests using two separate projects: one for key management, another for encryption/decryption.

This seems like a setup that works with User roles, but not with Service roles as a Service role is bound to the project it belongs to. Am I missing something?

Is there actually a way to have one role (in, let's say, Project 1), that creates KMS keys, and then have a service role (in, let's say, Project 2) that can access said keys at runtime for decryption?

Venantius

1 Answer

It's possible! You can add an IAM policy with the principal (member) and resource in different projects.

To grant svcacct@project2.iam.gserviceaccount.com decryption access to a particular key in project1, you can e.g.:

$ KMS_KEY_RESOURCE_NAME=projects/project1/locations/${location}/keyRings/${keyring_name}/cryptoKeys/${crypto_key_name}
$ gcloud kms keys add-iam-policy-binding \
  --location ${location} ${KMS_KEY_RESOURCE_NAME} \
  --member serviceAccount:svcacct@project2.iam.gserviceaccount.com \
  --role roles/cloudkms.cryptoKeyDecrypter

You can also do this by pasting svcacct@project2.iam.gserviceaccount.com directly into the "Add members" textbox under "Permissions" for a KeyRing or Key selected under http://console.cloud.google.com/iam-admin/kms?project=project1

Phil Coakley
  • Ah, this is absolutely great. Thank you! – Venantius Mar 11 '18 at 10:23
  • When I try to paste my service account into the add members textbox, I get the following error: "Email addresses and domains must be associated with an active Google Account or Google Apps account.". This is for an automatically generated App Engine service account - does that make a difference? – Venantius Mar 11 '18 at 11:51
  • It looks like my issue here was because the service account came from a standalone App Engine project that was later migrated into an organization - your instructions worked fine when I set up a new App Engine project under the organization and tried with that project's service account. – Venantius Mar 11 '18 at 12:09