5

For some reason I can't seem to be able to update keys in the us-central1 region. My IAM have both the update and list roles and I use this code:

import google.cloud.kms as kms

self.client = kms.KeyManagementServiceClient()
name = 'client-1'
key_path = self.client.crypto_key_path(config.PROJECT, config.KMS_LOCATION, config.KMS_RING, name)

update_mask = {'paths': ['rotation_period', 'next_rotation_time']}
self.client.update_crypto_key({
        'name': key_path,
        'rotation_period': {'seconds': 0},
        'next_rotation_time': {'seconds': 0}
    }, update_mask)

It gives me the following error:

google.api_core.exceptions.NotFound: 404 The request concerns location 'us-central1' but was sent to location 'global'. Either Cloud KMS is not available in 'us-central1' or the request was misrouted.

Weirdly enough the list and get works correctly. Also I have seen a solution where they change the transport argument of the client but I can't seem to find the right address.

Thanks in advance !

aga
  • 3,790
  • 3
  • 11
  • 18
Charles Smith
  • 85
  • 4

1 Answers1

2

This is a bug, which we're tracking at https://github.com/googleapis/gapic-generator/issues/3066

In the meantime, the cause of the bug is that UpdateCryptoKey is unable to compute the region properly when the first argument is a dict. If it's a resources_pb2.CryptoKey, it works fine. As an example:

import google.cloud.kms as kms
from google.cloud.kms_v1.proto import resources_pb2

client = kms.KeyManagementServiceClient()

ck = resources_pb2.CryptoKey()
ck.name = 'projects/{proj}/locations/us-central1/keyRings/{kr}/cryptoKeys/{key}'
ck.next_rotation_time.GetCurrentTime()

update_mask = {'paths': ['next_rotation_time']}
client.update_crypto_key(ck, update_mask)

Hopefully this allows you to work around this issue while we get this fixed. Apologies for the inconvenience, and thanks for your patience!

bdhess
  • 628
  • 3
  • 6