Reputation: 65
I am trying to grant roles/cloudkms.cryptoKeyEncrypterDecrypter to serviceAccount:service-${data.google_project.infrastructure.number}@gs-project-accounts.iam.gserviceaccount.com
and to create storage buckets
using the code below:
resource "google_project_iam_member" "grant-google-storage-service-encrypt-decrypt" {
  project = var.gcp_project
  role    = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  # Cloud Storage service agent of this project (the address quoted above)
  member  = "serviceAccount:service-${data.google_project.infrastructure.number}@gs-project-accounts.iam.gserviceaccount.com"
  # The grant has to exist before the bucket is created, so it must not depend on the bucket
  depends_on = [google_project_service.apis["cloudkms.googleapis.com"]]
}

resource "google_storage_bucket" "dev-terraform-state" {
  name     = var.dev_terraform_state
  project  = var.gcp_project
  location = var.gcp_region
  versioning {
    enabled = true
  }
  encryption {
    default_kms_key_name = google_kms_crypto_key.terraform-state-bucket.id
  }
  # Create the bucket only once the service agent is allowed to use the key
  depends_on = [
    google_kms_crypto_key.terraform-state-bucket,
    google_project_service.apis,
    google_kms_key_ring.key-ring-terraform-state,
    google_project_iam_member.grant-google-storage-service-encrypt-decrypt,
  ]
}
Error:
│ Error: googleapi: Error 403: Permission denied on Cloud KMS key. Please ensure that your Cloud Storage service account has been authorized to use this key., forbidden
│
│ with google_storage_bucket.dev-terraform-state,
│ on main.tf line 170, in resource "google_storage_bucket" "dev-terraform-state":
│ 170: resource "google_storage_bucket" "dev-terraform-state" {
Upvotes: 0
Views: 598
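The same CMEK bucket setup written the way a practitioner would prefer, added here as an example rather than taken from the question: it looks up the Cloud Storage service agent with the google_storage_project_service_account data source (which also makes GCP create the agent if it does not exist yet) and grants the role on the single key instead of project-wide. The variable, resource and key names are assumptions.

```terraform
# Enable the KMS API before any key ring is created (resource name assumed)
resource "google_project_service" "cloudkms" {
  project = var.gcp_project
  service = "cloudkms.googleapis.com"
}

# Reading the Cloud Storage service agent also provisions it, so the
# IAM grant below never targets a principal that does not exist yet.
data "google_storage_project_service_account" "gcs_account" {
  project = var.gcp_project
}

resource "google_kms_key_ring" "terraform_state" {
  name       = "terraform-state"
  location   = var.gcp_region
  project    = var.gcp_project
  depends_on = [google_project_service.cloudkms]
}

resource "google_kms_crypto_key" "terraform_state" {
  name            = "terraform-state-bucket"
  key_ring        = google_kms_key_ring.terraform_state.id
  rotation_period = "7776000s" # 90 days
}

# Least privilege: bind the role on this one key, not on the whole project.
resource "google_kms_crypto_key_iam_member" "gcs_encrypt_decrypt" {
  crypto_key_id = google_kms_crypto_key.terraform_state.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}"
}

resource "google_storage_bucket" "dev_terraform_state" {
  name                        = var.dev_terraform_state
  project                     = var.gcp_project
  location                    = var.gcp_region
  uniform_bucket_level_access = true

  versioning {
    enabled = true
  }

  encryption {
    default_kms_key_name = google_kms_crypto_key.terraform_state.id
  }

  # Grant first, bucket second: the bucket create call is what returns 403 otherwise.
  depends_on = [google_kms_crypto_key_iam_member.gcs_encrypt_decrypt]
}
```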
Reputation: 65
Sorry, it was due to the local cache, I think. After removing the terraform folder locally and re-running, it works fine.
Upvotes: 1