Reputation: 2028
I am using terraform to build out a cluster in a GCP project. I manually created a service account in the same GCP project and I have specified this same service account in the terraform GKE module as shown below
module "gke" {
...
service_account = "tf-service-account@<project>.iam.gserviceaccount.com"
...
}
Essentially this should create the cluster using this service account. I have also added the Cloud KMS CryptoKey Decrypter, Encrypter and Encrypter/Decrypter roles to the service account as shown in the image below.
The same service account has been granted permission on the KMS key, as shown below.
I have specified the right encryption key to use by adding this to my node pools config
boot_disk_kms_key = "projects/<PROJECT>/locations/europe-west2/keyRings/<KEY RING NAME>"
ERROR
I am running terraform through the GCP cloud shell, and I get the following error:
Error: Error waiting for creating GKE NodePool:
│ (1) deploy error: Not all instances running in IGM after 33.708999334s. Expected 2, running 0, transitioning 2. Current errors: [KMS_PERMISSION_DENIED]: Instance '<INSTANCE>' creation failed: Cloud KMS error when using key <KEY PATH>: Permission 'cloudkms.cryptoKeyVersions.useToEncrypt' denied on resource '<KEY PATH>' (or it may not exist).; [KMS_PERMISSION_DENIED]: Instance '<INSTANCE>' creation failed: Cloud KMS error when using key <KEY PATH>: Permission 'cloudkms.cryptoKeyVersions.useToEncrypt' denied on resource '<KEY PATH>' (or it may not exist)
Upvotes: 1
Views: 1203
Reputation: 26997
You need to grant permissions to the GCE service account (not your workload service account). The GCE service account takes the format:
service-[PROJECT_NUMBER]@compute-system.iam.gserviceaccount.com
Note this is PROJECT_NUMBER, not PROJECT_ID.
Upvotes: 2
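The binding the answer describes, written out in Terraform so it is created in the same apply as the node pool. This is an added example, not code from the question or the answer; the key ring name "gke-ring", key name "gke-boot-disk", node pool name and the existing cluster name "my-gke-cluster" are assumptions for illustration. Note two details the question's snippet glosses over: the Compute Engine service agent is derived from the project number (taken here from the google_project data source rather than typed by hand), and boot_disk_kms_key must be the full cryptoKey path, not just the key ring.

```hcl
# Added example (not from the original post). Grants the Compute Engine service
# agent use of the boot-disk CMEK and makes the node pool wait for that binding.
# "gke-ring", "gke-boot-disk", "example-pool" and "my-gke-cluster" are assumed names.

data "google_project" "current" {}

locals {
  # Service agent is built from the project NUMBER, never the project ID.
  gce_service_agent = "serviceAccount:service-${data.google_project.current.number}@compute-system.iam.gserviceaccount.com"

  # Full cryptoKey resource path; a keyRings/<ring> path alone is not a key.
  boot_disk_key = "projects/${data.google_project.current.project_id}/locations/europe-west2/keyRings/gke-ring/cryptoKeys/gke-boot-disk"
}

# Least privilege: the agent only needs encrypt/decrypt on this one key,
# not a project-wide KMS role, and the node service account needs nothing on it.
resource "google_kms_crypto_key_iam_member" "gce_agent_boot_disk" {
  crypto_key_id = local.boot_disk_key
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = local.gce_service_agent
}

resource "google_container_node_pool" "example" {
  name       = "example-pool"
  cluster    = "my-gke-cluster"   # assumed existing cluster
  location   = "europe-west2"
  node_count = 2

  node_config {
    machine_type      = "e2-standard-2"
    service_account   = "tf-service-account@${data.google_project.current.project_id}.iam.gserviceaccount.com"
    boot_disk_kms_key = local.boot_disk_key
  }

  # Without this, Terraform can start creating instances before the IAM
  # binding exists and the managed instance group fails with KMS_PERMISSION_DENIED.
  depends_on = [google_kms_crypto_key_iam_member.gce_agent_boot_disk]
}
```

To confirm the binding landed on the right principal before re-running the apply, `gcloud kms keys get-iam-policy gke-boot-disk --keyring gke-ring --location europe-west2` should list `serviceAccount:service-<PROJECT_NUMBER>@compute-system.iam.gserviceaccount.com` under `roles/cloudkms.cryptoKeyEncrypterDecrypter`, and `gcloud projects describe <PROJECT_ID> --format='value(projectNumber)'` gives the number to compare against. The service agent only exists once the Compute Engine API has been enabled in the project, so a brand-new project needs that step first.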