Question
I'm trying to add encrypted SSH keys to Google KMS using this documentation, for accessing a private repository as a dependency on Google App Engine (Node.JS project).
I have successfully generated a Cloud KMS KeyRing and CryptoKey, but I'm facing an error while encrypting the key.
(gcloud.kms.encrypt) PERMISSION_DENIED: Permission 'cloudkms.cryptoKeyVersions.useToEncrypt' denied for resource 'projects/test/locations/global/keyRings/my-keyring/cryptoKeys/key'.
Need some help setting this up so I can use this SSH key on GAE.
Answer 1:
You do not have IAM permissions to use the encrypt feature.
Advice: do not practice on your real SSH keys. Make a copy of them into a different directory. Then learn how to use IAM and KMS on the copies.
"Need some help setting this up so I can use this SSH key on GAE."
I'm not sure what you are trying to accomplish with KMS encrypting SSH keys for use on GAE.
To allow a user or service account to use a key to encrypt or decrypt using a particular key, they must have the cloudkms.cryptoKeyEncrypterDecrypter, cloudkms.cryptoKeyEncrypter, cloudkms.cryptoKeyDecrypter, or owner role, as per the chart in Permissions and Roles.
Example command to grant a service account permissions:
gcloud kms keys add-iam-policy-binding \
golden-egg --location global --keyring golden-goose \
--member serviceAccount:my-service-account@my-project.iam.gserviceaccount.com \
--role roles/cloudkms.cryptoKeyEncrypterDecrypter
A similar command to grant a user permissions:
gcloud kms keys add-iam-policy-binding \
golden-egg --location global --keyring golden-goose \
--member user:sillygoose@gmail.com \
--role roles/cloudkms.cryptoKeyEncrypterDecrypter
Granting permissions to use keys
Permissions and Roles
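The answer's point is that the error is an IAM gap on the key, not a KMS fault: the calling principal is not bound to a role that carries cloudkms.cryptoKeyVersions.useToEncrypt. The block below is an added example, not code from the original post or from Google. It parses a CryptoKey IAM policy (a constructed sample in the JSON shape that gcloud kms keys get-iam-policy prints with --format=json), reports which members hold one of the roles the answer lists, and builds the exact add-iam-policy-binding argv for a member that lacks one. The sample deliberately binds the service account to cryptoKeyDecrypter only, which is one way to end up with precisely the PERMISSION_DENIED above. Project, key ring, key and member names are hypothetical.

```python
"""
Added example (not from the original post): check a CryptoKey IAM policy for
the roles that allow encryption and emit the binding command if one is missing.

SAMPLE_POLICY_JSON is a constructed policy in the shape printed by
  gcloud kms keys get-iam-policy KEY --keyring KEYRING --location LOCATION --format=json
All project, key ring, key and member names are hypothetical.
"""
import json
from typing import Dict, List

# Roles the answer names as allowing a principal to encrypt with a key (per the
# linked "Permissions and Roles" chart). cryptoKeyDecrypter alone does not carry
# cryptoKeyVersions.useToEncrypt, which is the gap the sample policy reproduces.
ENCRYPT_ROLES = {
    "roles/cloudkms.cryptoKeyEncrypterDecrypter",
    "roles/cloudkms.cryptoKeyEncrypter",
    "roles/owner",
}

SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {
      "role": "roles/cloudkms.cryptoKeyDecrypter",
      "members": [
        "serviceAccount:my-service-account@my-project.iam.gserviceaccount.com"
      ]
    },
    {
      "role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
      "members": [
        "user:sillygoose@gmail.com"
      ]
    }
  ],
  "etag": "BwXyz123abc=",
  "version": 1
}
"""


def load_sample_policy() -> Dict:
    """Parse the constructed sample policy (hypothetical data)."""
    return json.loads(SAMPLE_POLICY_JSON)


def members_who_can_encrypt(policy: Dict) -> List[str]:
    """Return every member bound, unconditionally, to a role in ENCRYPT_ROLES."""
    allowed = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") not in ENCRYPT_ROLES:
            continue
        # A conditional binding (IAM policy version 3) only applies when its
        # CEL expression is true for the request; report it as not granting
        # rather than guessing.
        if "condition" in binding:
            continue
        allowed.update(binding.get("members", []))
    return sorted(allowed)


def can_encrypt(policy: Dict, member: str) -> bool:
    """True if the member is directly bound to an encrypt-capable role."""
    return member in members_who_can_encrypt(policy)


def grant_command(key: str, keyring: str, location: str, member: str,
                  role: str = "roles/cloudkms.cryptoKeyEncrypterDecrypter") -> List[str]:
    """argv for the binding command from the answer, ready for subprocess.run
    (a list, so member and role values never pass through shell quoting)."""
    return [
        "gcloud", "kms", "keys", "add-iam-policy-binding", key,
        "--location", location, "--keyring", keyring,
        "--member", member, "--role", role,
    ]


def diagnose(policy: Dict, member: str, key: str, keyring: str, location: str) -> str:
    """One-line verdict: either the member can encrypt, or the command to fix it."""
    if can_encrypt(policy, member):
        return f"{member} can encrypt with {key}"
    return "missing encrypt role; run: " + " ".join(
        grant_command(key, keyring, location, member))


if __name__ == "__main__":
    policy = load_sample_policy()
    sa = "serviceAccount:my-service-account@my-project.iam.gserviceaccount.com"
    print(diagnose(policy, sa, "golden-egg", "golden-goose", "global"))
    print(diagnose(policy, "user:sillygoose@gmail.com",
                   "golden-egg", "golden-goose", "global"))
```

Two caveats when using this against a real policy: gcloud kms keys get-iam-policy returns only the policy set on that key, so a grant inherited from the key ring or project will not appear here even though it does allow encryption; and if the member shows as bound yet gcloud kms encrypt still fails, confirm with gcloud auth list that the active account is the one you bound.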
Source: https://stackoverflow.com/questions/53150044/getting-error-while-generating-crypto-keys-using-gcloud-kms-to-access-private-re