Permission denied on key when encrypting secrets.yml file with helm and gcp_kms

1/31/2020

I have a keyring and key in Google Cloud KMS. I want to use the key to encrypt a secrets.yml file using helm secrets enc.

I am the GCP project owner, and I have also given myself the specific encrypt/decrypt IAM role, which I don't think is needed, given I am the owner, but worth a try, I thought.

I'm getting the following permission denied error when trying to run helm secrets enc secrets.yml:

Could not generate data key: [failed to encrypt new data key with master key "projects/myproject-266813/locations/global/keyRings/myKeyRing/cryptoKeys/myKey": Failed to call GCP KMS encryption service: googleapi: Error 403: Permission 'cloudkms.cryptoKeyVersions.useToEncrypt' denied on resource 'projects/myproject-266813/locations/global/keyRings/myKeyRing/cryptoKeys/myKey' (or it may not exist)., forbidden]

My .sops.yml file:

creation_rules:
  - gcp_kms: projects/mirkwood-266813/locations/global/keyRings/lotr/cryptoKeys/cdlkey

I am authenticated with the correct gcp account, so what am I missing?

-- Molenpad
encryption
encryption-symmetric
google-cloud-platform
kubernetes-helm
kubernetes-secrets

1 Answer

2/5/2020

The answer to this turned out to be really simple:

gcloud auth application-default login

or

use a service account

gcloud auth login 

on its own did not work

-- Molenpad
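The fix above works because sops (which helm secrets wraps) authenticates to GCP KMS through Application Default Credentials, not through the user credential that `gcloud auth login` stores. The following preflight script, added here and not part of the original post, reports which ADC source sops would pick up before you run `helm secrets enc`; it assumes the standard ADC lookup order (the GOOGLE_APPLICATION_CREDENTIALS key file, then the file written by `gcloud auth application-default login` under the gcloud config directory).

```shell
#!/bin/sh
# Preflight check for helm-secrets / sops with gcp_kms.
# Reports the Application Default Credentials (ADC) source that the
# GCP client library will use, in its documented lookup order.

adc_source() {
  # 1. Explicit service-account key file (the "use a service account" option).
  if [ -n "${GOOGLE_APPLICATION_CREDENTIALS:-}" ]; then
    if [ -r "$GOOGLE_APPLICATION_CREDENTIALS" ]; then
      echo "service-account:$GOOGLE_APPLICATION_CREDENTIALS"
      return 0
    fi
    echo "error:GOOGLE_APPLICATION_CREDENTIALS is set but the file is unreadable" >&2
    return 1
  fi

  # 2. User ADC written by `gcloud auth application-default login`.
  #    CLOUDSDK_CONFIG overrides the default gcloud config directory.
  adc_file="${CLOUDSDK_CONFIG:-$HOME/.config/gcloud}/application_default_credentials.json"
  if [ -r "$adc_file" ]; then
    echo "user-adc:$adc_file"
    return 0
  fi

  # 3. Nothing found: this is the state after `gcloud auth login` alone,
  #    and sops will fail with the 403 shown in the question.
  echo "none"
  return 1
}

# Run the check; advise the fix from the accepted answer when nothing is found.
if ! adc_source; then
  echo "No ADC available for sops. Run: gcloud auth application-default login" >&2
  echo "(or set GOOGLE_APPLICATION_CREDENTIALS to a service-account key file)" >&2
fi
```

The check only confirms that credentials are present; whether the identity behind them holds cloudkms.cryptoKeyVersions.useToEncrypt on the key is still decided by the key's IAM policy.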
Source: StackOverflow