Can you share your Google Cloud KMS keys between projects with service roles?

This GCP article suggests using two separate projects: one for key management and one for encryption / decryption.

This is similar to a setting that works with user roles, but not with the service role as the service role is associated with the project to which it belongs. Am I missing something?

Is there a way to have one role (for example, project 1) that creates KMS keys and then has a service role (in, for example, project 2) that can access the specified keys at runtime for decryption?

1 answer

Yes, this is done through IAM (Identity and Access Management).

To give svcacct@project2.iam.gserviceaccount.com access to a key in project1, for example from the command line:

$ KMS_KEY_RESOURCE_NAME=projects/project1/locations/${location}/keyRings/${keyring_name}/cryptoKeys/${crypto_key_name}
$ gcloud kms keys add-iam-policy-binding \
  --location ${location} ${KMS_KEY_RESOURCE_NAME} \
  --member serviceAccount:svcacct@project2.iam.gserviceaccount.com \
  --role roles/cloudkms.cryptoKeyDecrypter

Alternatively, grant svcacct@project2.iam.gserviceaccount.com the same role on the KeyRing or Key in the console at http://console.cloud.google.com/iam-admin/kms?project=project1

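As an added example (not part of the answer above), a check to run after applying that binding: parse the key's IAM policy, as `gcloud kms keys get-iam-policy KEY --format json` returns it, and confirm that service accounts from other projects hold only the decrypter role on the key in project1. The policy below is constructed sample data, and `key_project` is assumed to be the project named in the key's resource name.

```python
import json

# Constructed sample of what `gcloud kms keys get-iam-policy KEY --format json`
# returns after the binding above was added (not real output from any project).
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/cloudkms.cryptoKeyDecrypter",
         "members": ["serviceAccount:svcacct@project2.iam.gserviceaccount.com"]},
        {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
         "members": ["serviceAccount:app@project1.iam.gserviceaccount.com",
                     "serviceAccount:batch@project3.iam.gserviceaccount.com"]},
        {"role": "roles/cloudkms.admin", "members": ["group:kms-admins@example.com"]},
    ],
    "etag": "BwEXAMPLE",
})

# Roles that go beyond decrypt-only use of the key.
BROAD_ROLES = {"roles/cloudkms.cryptoKeyEncrypterDecrypter",
               "roles/cloudkms.cryptoKeyEncrypter", "roles/cloudkms.admin"}
SA_SUFFIX = ".iam.gserviceaccount.com"


def member_project(member):
    """Project id of a user-managed service-account member, else None."""
    if not member.startswith("serviceAccount:") or "@" not in member:
        return None
    domain = member.rsplit("@", 1)[1]
    return domain[: -len(SA_SUFFIX)] if domain.endswith(SA_SUFFIX) else None


def audit_cross_project(policy_json, key_project):
    """Return (allowed, findings): foreign service accounts with the decrypter
    role, and any public member or foreign member holding a broad role."""
    policy = json.loads(policy_json)
    allowed, findings = [], []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in ("allUsers", "allAuthenticatedUsers"):
                findings.append(f"public member {member} has {role}")
                continue
            proj = member_project(member)
            if proj is None or proj == key_project:
                continue  # not a service account, or same project as the key
            if role == "roles/cloudkms.cryptoKeyDecrypter":
                allowed.append((member, proj))
            elif role in BROAD_ROLES:
                findings.append(f"{member} (project {proj}) has broad role {role}")
    return allowed, findings
```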

Source: https://habr.com/ru/post/1694726/
