Reputation: 111
Permission denied for Cloud Function to decrypt with KMS key
I have a Python Cloud Function which uses a KMS key to decrypt some authentication tokens for other services from the environment, as in https://dev.to/googlecloud/using-secrets-in-google-cloud-functions-5aem
I keep getting a 403 Permission Denied whenever I run my function. When I call the function locally on my computer it works fine. I've tried adding the "Cloud KMS CryptoKey Decrypter" role to the default Compute Engine service account but that didn't work.
Any other ideas?
Edit: here's some code that shows what I'm doing. The environment variables are stored in an environment.yaml file which I point to when I gcloud functions deploy
def decrypt_secret(key: str, secret: str):
kms_client = kms.KeyManagementServiceClient()
decrypted = kms_client.decrypt(key, base64.b64decode(secret))
return decrypted.plaintext.decode("ascii")
def do_kms_stuff():
key = os.environ["KMS_RESOURCE_NAME"]
session = boto3.Session(
profile_name="my-profile",
aws_access_key_id=decrypt_secret(
key, os.environ["AWS_ACCESS_KEY_ID_ENCRYPTED"]
),
aws_secret_access_key=decrypt_secret(
key, os.environ["AWS_SECRET_ACCESS_KEY_ENCRYPTED"]
),
)
# ...
And here's the error from the Cloud Functions console:
File "<string>", line 3, in raise_from: google.api_core.exceptions.PermissionDenied: 403 Permission 'cloudkms.cryptoKeyVersions.useToDecrypt' denied on resource 'projects/my-project/locations/my-location1/keyRings/my-keyring/cryptoKeys/my-key' (or it may not exist). at error_remapped_callable (/env/local/lib/python3.7/site-packages/google/api_core/grpc_helpers.py:59) at func_with_timeout (/env/local/lib/python3.7/site-packages/google/api_core/timeout.py:214) at retry_target (/env/local/lib/python3.7/site-packages/google/api_core/retry.py:182) at retry_wrapped_func (/env/local/lib/python3.7/site-packages/google/api_core/retry.py:277) at
__call__ (/env/local/lib/python3.7/site-packages/google/api_core/gapic_v1/method.py:143) at decrypt (/env/local/lib/python3.7/site-packages/google/cloud/kms_v1/gapic/key_management_service_client.py:1816) at decrypt_secret (/user_code/kms_stuff.py:17) at do_kms_stuff (/user_code/kms_stuff.py:48) at my_cloud_function (/user_code/main.py:46) at call_user_function (/env/local/lib/python3.7/site-packages/google/cloud/functions/worker.py:214) at invoke_user_function (/env/local/lib/python3.7/site-packages/google/cloud/functions/worker.py:217) at run_background_function (/env/local/lib/python3.7/site-packages/google/cloud/functions/worker.py:383)
Upvotes: 2
Views: 1161
Answers (1)
Reputation: 111
As @DazWilkin and @pessolato mentioned, the issue was that I was using the wrong service account. Once I changed to use the default AppSpot account everything worked smoothly.
Upvotes: 2
Related Questions
- Permission denied on Cloud KMS key when using cloud storage
- Permission 'cloudkms.cryptoKeyVersions.useToDecrypt' denied for resource ...key
- Google Cloud KMS issue with decrypt
- Google Cloud Platform - Dataflow doesn't decrypt data with KMS key
- Google KMS giving error when decrypting data
- Grant permission to use the key in GKE
- Google Cloud KMS: Unable to decrypt
- Google cloud KMS: encryption works but decryption fails
- Google cloud KMS permission issue with encrypt
- unable to use @google-cloud/kms nodejs module to decrypt secret