For some reason I can't seem to be able to update keys in the us-central1
region. My IAM has both the update and list roles and I use this code:
import google.cloud.kms as kms
self.client = kms.KeyManagementServiceClient()
name = 'client-1'
key_path = self.client.crypto_key_path(config.PROJECT, config.KMS_LOCATION, config.KMS_RING, name)
update_mask = {'paths': ['rotation_period', 'next_rotation_time']}
self.client.update_crypto_key({
    'name': key_path,
    'rotation_period': {'seconds': 0},
    'next_rotation_time': {'seconds': 0}
}, update_mask)
It gives me the following error:
google.api_core.exceptions.NotFound: 404 The request concerns location 'us-central1' but was sent to location 'global'. Either Cloud KMS is not available in 'us-central1' or the request was misrouted.
Weirdly enough, the list and get work correctly. Also, I have seen a solution where they change the transport argument of the client, but I can't seem to find the right address.
Thanks in advance!
This is a bug, which we're tracking at https://github.com/googleapis/gapic-generator/issues/3066
In the meantime, the cause of the bug is that UpdateCryptoKey is unable to compute the region properly when the first argument is a dict. If it's a resources_pb2.CryptoKey, it works fine. As an example:
import google.cloud.kms as kms
from google.cloud.kms_v1.proto import resources_pb2
client = kms.KeyManagementServiceClient()
ck = resources_pb2.CryptoKey()
ck.name = 'projects/{proj}/locations/us-central1/keyRings/{kr}/cryptoKeys/{key}'
ck.next_rotation_time.GetCurrentTime()
update_mask = {'paths': ['next_rotation_time']}
client.update_crypto_key(ck, update_mask)
Hopefully this allows you to work around this issue while we get this fixed. Apologies for the inconvenience, and thanks for your patience!
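A simplified model of the failure described in the answer, added here as an illustration; it is not code from the question, the answer or the client library. It assumes the region is read from the request's key name by attribute access; `location_of`, `routed_location`, `as_message` and `check_routing` are hypothetical names, and `SimpleNamespace` stands in for `resources_pb2.CryptoKey`.

```python
import re
from types import SimpleNamespace

# Resource-name layout taken from the key path in the answer above.
KEY_NAME = re.compile(
    r"^projects/[^/]+/locations/(?P<location>[^/]+)/keyRings/[^/]+/cryptoKeys/[^/]+$"
)

def location_of(key_name):
    """Return the location segment of a CryptoKey resource name."""
    m = KEY_NAME.match(key_name)
    if m is None:
        raise ValueError("not a CryptoKey resource name: %r" % (key_name,))
    return m.group("location")

def routed_location(crypto_key):
    """Assumed model: the region is read from crypto_key.name by attribute access."""
    try:
        name = crypto_key.name
    except AttributeError:  # a dict has a 'name' key but no .name attribute
        return "global"     # no region could be computed, so the default applies
    return location_of(name)

def as_message(crypto_key):
    """Stand-in for building the message type: expose dict keys as attributes."""
    if isinstance(crypto_key, dict):
        return SimpleNamespace(**crypto_key)
    return crypto_key

def check_routing(crypto_key):
    """Raise before sending if the request would not reach the key's own region."""
    name = crypto_key["name"] if isinstance(crypto_key, dict) else crypto_key.name
    wanted, actual = location_of(name), routed_location(crypto_key)
    if wanted != actual:
        raise RuntimeError("key is in %r but request would go to %r" % (wanted, actual))
    return actual

# Constructed sample request, shaped like the dict in the question.
SAMPLE = {
    "name": "projects/p/locations/us-central1/keyRings/kr/cryptoKeys/client-1",
    "next_rotation_time": {"seconds": 0},
}

if __name__ == "__main__":
    print(routed_location(SAMPLE))              # dict form
    print(routed_location(as_message(SAMPLE)))  # message-like form
```
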