Reputation: 9
I tried to encrypt the contents of a file and write the encrypted data to a cipher file with Google Cloud KMS, but the PHP script shows a permission error. Here's the PHP script I tried:
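use Google\Cloud\Kms\V1\KeyManagementServiceClient;

// The client authenticates as whatever identity the configured credentials file holds
$kms = new KeyManagementServiceClient();
$cryptoKeyName = $kms->cryptoKeyName($projectId, $locationId, $keyRingId, $cryptoKeyId);
$plaintext = file_get_contents($plaintextFileName);
$response = $kms->encrypt($cryptoKeyName, $plaintext);
file_put_contents($ciphertextFileName, $response->getCiphertext());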
I got this error:
Fatal error: Uncaught Google\ApiCore\ApiException: { "message": "Permission 'cloudkms.cryptoKeyVersions.useToEncrypt' denied for resource 'projects/testproject/locations/global/keyRings/test/cryptoKeys/testkey'.", "code": 7, "status": "PERMISSION_DENIED", "details": [] } thrown in /home/xxxxx/xxx.com/vendor/google/gax/src/ApiException.php on line 139
When I print the user permission, it shows:
Role: roles/cloudkms.admin
Members: user:[email protected]
Role: roles/cloudkms.cryptoKeyEncrypterDecrypter
Members: user:[email protected]
Upvotes: 1
Views: 3319
Reputation: 9
Solved the issue. It was a permission issue with the JSON file I used to authenticate (something like projectname-bab93421213c2.json). The file should have enough permission. You can see the file here - console.cloud.google.com/iam-admin. I changed the permission from 'Viewer' to 'Owner' and it worked.
Upvotes: -1
Reputation: 648
The Cloud KMS Admin role does not include the Encrypt/Decrypt permission. You'll need to grant those permissions to your user as well.
Upvotes: 3
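Added example, not part of any post above: an offline check of which identity a credentials JSON file authenticates as and whether that identity, rather than the user whose bindings were printed, holds a role carrying `cloudkms.cryptoKeyVersions.useToEncrypt`. The key file, policies, member names and the partial role table are constructed for illustration.

```python
import json

ENCRYPT = "cloudkms.cryptoKeyVersions.useToEncrypt"

# Partial role table: only the encrypt/decrypt permissions are listed here,
# not the full permission set of each role.
ROLE_PERMS = {
    "roles/cloudkms.admin": set(),  # manages keys, cannot encrypt/decrypt
    "roles/cloudkms.cryptoKeyEncrypter": {ENCRYPT},
    "roles/cloudkms.cryptoKeyEncrypterDecrypter": {
        ENCRYPT, "cloudkms.cryptoKeyVersions.useToDecrypt"},
    "roles/viewer": set(),
}

def caller_from_key_file(key_json):
    """IAM member string for the identity a credentials JSON file authenticates as."""
    key = json.loads(key_json)
    if key.get("type") != "service_account" or "client_email" not in key:
        raise ValueError("not a service-account key file")
    return "serviceAccount:" + key["client_email"]

def roles_for(member, policies):
    """Roles bound to member anywhere in the hierarchy (project, key ring, key)."""
    return sorted({b["role"] for p in policies for b in p.get("bindings", [])
                   if member in b.get("members", [])})

def can_encrypt(member, policies):
    # Roles missing from ROLE_PERMS are treated as granting nothing.
    return any(ENCRYPT in ROLE_PERMS.get(r, set())
               for r in roles_for(member, policies))

# Constructed sample data: placeholder names, not values from the page.
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "client_email": "kms-app@example-project.iam.gserviceaccount.com"})
PROJECT_POLICY = {"bindings": [
    {"role": "roles/viewer",
     "members": ["serviceAccount:kms-app@example-project.iam.gserviceaccount.com"]}]}
KEY_POLICY = {"bindings": [
    {"role": "roles/cloudkms.admin", "members": ["user:dev@example.com"]},
    {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
     "members": ["user:dev@example.com"]}]}

if __name__ == "__main__":
    caller = caller_from_key_file(SAMPLE_KEY_FILE)
    for who in ("user:dev@example.com", caller):
        policies = [PROJECT_POLICY, KEY_POLICY]
        print(who, roles_for(who, policies), "encrypt allowed:", can_encrypt(who, policies))
```

In this model, a key-level binding of `roles/cloudkms.cryptoKeyEncrypter` for the service account is enough for the encrypt check to pass.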