
Grant permission to use specific KMS key in GCP

I created a keyring and a key in the keyring in GCP. How can I grant a specific service account or user account access to this key only? It seems that to use a key in KMS in GCP, we need to grant the service account the "cloudkms.cryptoKeyEncrypterDecrypter" role. Does that mean a service account with this role is able to use any key in the KMS?

Thanks

To manage access to Cloud KMS resources, such as keys and key rings, you grant Identity and Access Management (IAM) roles. You can grant or restrict the ability to perform specific cryptographic operations, such as rotating a key or encrypting data.

To allow a user or service account to encrypt or decrypt using a particular key, they must have the cloudkms.cryptoKeyEncrypterDecrypter, cloudkms.cryptoKeyEncrypter, cloudkms.cryptoKeyDecrypter, or owner role, as per the chart in Permissions and Roles.

Example command to grant a service account permissions:

gcloud kms keys add-iam-policy-binding KEY_NAME --location global --keyring golden-goose --member serviceAccount:my-service-account@my-project.iam.gserviceaccount.com --role roles/cloudkms.cryptoKeyEncrypterDecrypter

Similar command to grant a user permissions:

gcloud kms keys add-iam-policy-binding KEY_NAME --location global --keyring golden-goose --member user:sillygoose@gmail.com --role roles/cloudkms.cryptoKeyEncrypterDecrypter

Refer to the link Granting permissions to use keys.

EDIT:

You can grant permissions either from Cloud Shell using gcloud commands or through the UI by navigating to IAM & Admin → IAM → selecting the service account that needs the roles and editing its permissions by adding roles. See the screenshot for reference.

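The answer above grants the role on the key resource itself, which is what limits the binding to that one key. As an added example (not code from the original post or from Google), the following Python models why the level at which the role is granted matters: IAM policies are inherited down the project → key ring → key hierarchy, so a binding at project level reaches every key in the project while a key-level binding reaches only that key. The policy documents, service account names and etags are constructed to mirror the JSON that `gcloud kms keys get-iam-policy ... --format json` returns; `add_binding` mirrors what `add-iam-policy-binding` does to that document.

```python
"""Constructed KMS IAM policies in the shape of `gcloud ... get-iam-policy --format json`,
showing that the resource level of a role grant decides which keys it covers."""
import copy

KEY_USE_ROLES = {
    "roles/cloudkms.cryptoKeyEncrypterDecrypter",
    "roles/cloudkms.cryptoKeyEncrypter",
    "roles/cloudkms.cryptoKeyDecrypter",
}

def roles_in(policy: dict, member: str) -> set:
    """Roles that `member` holds directly in one policy document."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}

def effective_roles(member: str, *policies: dict) -> set:
    """IAM is inherited down project -> key ring -> key, so a principal's
    effective roles on a key are the union over every ancestor policy."""
    roles = set()
    for policy in policies:
        roles |= roles_in(policy, member)
    return roles

def can_use_key(member: str, *policies: dict) -> bool:
    return bool(effective_roles(member, *policies) & KEY_USE_ROLES)

def add_binding(policy: dict, member: str, role: str) -> dict:
    """Mirror `gcloud kms keys add-iam-policy-binding`: add `member` to
    `role` in a copy of the policy, keeping existing members and the etag."""
    updated = copy.deepcopy(policy)
    for binding in updated.setdefault("bindings", []):
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return updated
    updated["bindings"].append({"role": role, "members": [member]})
    return updated

# Constructed principals and policies (hypothetical names, not real accounts).
BROAD_SA = "serviceAccount:broad@my-project.iam.gserviceaccount.com"
SCOPED_SA = "serviceAccount:my-service-account@my-project.iam.gserviceaccount.com"
ROLE = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
PROJECT_POLICY = {"etag": "p1", "bindings": [{"role": ROLE, "members": [BROAD_SA]}]}
KEYRING_POLICY = {"etag": "r1", "bindings": []}  # key ring golden-goose
KEY_A_POLICY = add_binding({"etag": "a1", "bindings": []}, SCOPED_SA, ROLE)
KEY_B_POLICY = {"etag": "b1", "bindings": []}

if __name__ == "__main__":
    for sa in (BROAD_SA, SCOPED_SA):
        for name, key_policy in (("key-a", KEY_A_POLICY), ("key-b", KEY_B_POLICY)):
            print(sa, name, can_use_key(sa, PROJECT_POLICY, KEYRING_POLICY, key_policy))
```

Running it shows the project-level grant can use both keys while the key-level grant can use only key-a, which is the distinction the question asks about.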
