This GCP article suggests using two separate projects: one for key management, another for encryption/decryption.
This seems like a setup that works with User roles, but not with Service roles as a Service role is bound to the project it belongs to. Am I missing something?
Is there actually a way to have one role (in, let's say, Project 1), that creates KMS keys, and then have a service role (in, let's say, Project 2) that can access said keys at runtime for decryption?
Even though KMS is a global service, keys are regional, which means you can't send keys outside the region in which they are created.
Cloud KMS stores AES-256 encryption keys in a five-level hierarchy. The top level, called GCP Project, manages Identity and Access Management roles for accounts associated with a specific cloud project, which can be linked to an organization or a department within it, for instance.
If you need more control over the keys used to encrypt data at rest within a Google Cloud project, several Google Cloud services offer the ability to protect data related to those services using encryption keys managed by the customer within Cloud KMS.
It's possible! You can add an IAM policy with the principal (member) and resource in different projects.
To grant [email protected] decryption access to a particular key in project1, you can e.g.:
$ KMS_KEY_RESOURCE_NAME=projects/project1/locations/${location}/keyRings/${keyring_name}/cryptoKeys/${crypto_key_name}
$ gcloud kms keys add-iam-policy-binding \
--location ${location} ${KMS_KEY_RESOURCE_NAME} \
--member serviceAccount:[email protected] \
--role roles/cloudkms.cryptoKeyDecrypter
You can also do this by pasting [email protected] directly into the "Add members" textbox under "Permissions" for a KeyRing or Key selected under http://console.cloud.google.com/iam-admin/kms?project=project1
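As an added example (not from the original answer, and not Google's client library), this models offline what the `add-iam-policy-binding` command above does to the key's IAM policy: it parses the key resource name and the service account member, confirms that the principal's project differs from the key's project, and merges the decrypter role into an existing policy without duplicating members. The key name, member email and existing policy are constructed sample values.

```python
"""Offline model of a cross-project Cloud KMS IAM binding (added example)."""
import copy
import re

# Full cryptoKey resource name, as used in KMS_KEY_RESOURCE_NAME above.
KEY_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<keyring>[^/]+)/cryptoKeys/(?P<key>[^/]+)$"
)
# Service account members carry their home project in the email domain.
SA_RE = re.compile(
    r"^serviceAccount:[^@]+@(?P<project>[^.]+)\.iam\.gserviceaccount\.com$"
)


def parse_key_name(name):
    m = KEY_RE.match(name)
    if not m:
        raise ValueError(f"not a cryptoKey resource name: {name}")
    return m.groupdict()


def principal_project(member):
    """Project owning a serviceAccount: member, or None for other member types."""
    m = SA_RE.match(member)
    return m.group("project") if m else None


def is_cross_project(key_name, member):
    """True when the service account lives in a different project than the key."""
    key_project = parse_key_name(key_name)["project"]
    return principal_project(member) not in (None, key_project)


def add_binding(policy, role, member):
    """Return a copy of the IAM policy with member added to role (idempotent).
    A real set-iam-policy call must also carry the policy's etag to avoid
    overwriting concurrent edits; that field is omitted in this sample."""
    new = copy.deepcopy(policy)
    for binding in new.setdefault("bindings", []):
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


# Constructed sample: the key is in project1, the caller's account in project2.
KEY = "projects/project1/locations/us-east1/keyRings/ring1/cryptoKeys/key1"
MEMBER = "serviceAccount:app@project2.iam.gserviceaccount.com"
EXISTING = {"bindings": [{"role": "roles/cloudkms.admin", "members": ["user:alice@example.com"]}]}
```

Granting only `roles/cloudkms.cryptoKeyDecrypter` on the single key, as the answer does, keeps the project2 account from creating or rotating keys in project1.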