Disks not getting encrypted when using CMEK in GCP
Applies to
- Customer-Managed Encryption Keys (CMEK)
- Google Cloud (GCP)
- NetApp Cloud Volumes ONTAP
- NetApp Cloud Manager
Issue
- WorkingEnvironment gets deployed via a JSON template with "gcpEncryptionParameters" set to use CMEK
- Deployment succeeds, but examining the 'Describe Disks by Label' task in the Timeline shows that the disks aren't getting encrypted with the specified keys:
Create Disk
Success
{
    "name": "gcpcvo-vm2datadisk1",
    "_result": {
        "operationType": "insert",
        "targetId": "https://www.googleapis.com/compute/v...o-vm2datadisk1"
    },
    "image": null,
    "sizeGb": 4096,
    "labels": {
        "working-environment-id": "vsaworkingenvironment-xxyyzz"
    },
    "diskType": "pd-ssd",
    "encryptionKey": null
}
- The following error can be found in server.log:
Error:Operation Deploy failed with error Error: Code: RESOURCE_ERROR Target: /deployments/gcpcvo-deployment/resources/gcpcvo-disk-xxyyzz Message: {"ResourceType":"compute.v1.disk","ResourceErrorCode":"400","ResourceErrorMessage":{"code":400,"errors":[{"domain":"global","message":"Cloud KMS error when using key projects/project-cvo/locations/gcp-region/keyRings/mykeyring/cryptoKeys/key: Permission 'cloudkms.cryptoKeyVersions.useToEncrypt' denied on resource 'projects/project-cvo/locations/gcp-region/keyRings/mykeyring/cryptoKeys/key' (or it may not exist).","reason":"kmsPermissionDenied"}],"message":"Cloud KMS error when using key projects/project-cvo/locations/gcp-region/keyRings/mykeyring/cryptoKeys/key: Permission 'cloudkms.cryptoKeyVersions.useToEncrypt' denied on resource 'projects/project-cvo/locations/gcp-region/keyRings/mykeyring/cryptoKeys/key' (or it may not exist).","statusMessage":"Bad Request","requestPath":"https://compute.googleapis.com/compu...gcp-zone/disks","httpMethod":"POST"}}
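As an added triage script (example code written for this article, not NetApp Cloud Manager or Google tooling), the following Python reproduces the three things a reviewer would check from the evidence above: the 'Create Disk' task result with "encryptionKey": null, the kmsPermissionDenied error in server.log, and the IAM policy on the CMEK key. It assumes, from general GCP behaviour rather than from this article, that Compute Engine encrypts a CMEK disk as the project's Compute Engine service agent (service-PROJECT_NUMBER@compute-system.iam.gserviceaccount.com), which must hold roles/cloudkms.cryptoKeyEncrypterDecrypter on the key. The task result, log line, project number and key IAM policy are constructed samples shaped like the article's output and like `gcloud kms keys get-iam-policy --format=json`.

```python
"""Added example: triage the CMEK symptoms from this KB. Not NetApp or Google code.
The service-agent/role relationship below is assumed general GCP behaviour."""
import json
import re
from typing import Optional

KMS_KEY = "projects/project-cvo/locations/gcp-region/keyRings/mykeyring/cryptoKeys/key"

# Constructed sample: 'Create Disk' task result as shown in the Cloud Manager Timeline.
# "encryptionKey": null is the symptom: the disk was created without the requested key.
TIMELINE_TASK_RESULT = json.dumps({
    "name": "gcpcvo-vm2datadisk1",
    "_result": {"operationType": "insert",
                "targetId": "https://www.googleapis.com/compute/v...o-vm2datadisk1"},
    "image": None, "sizeGb": 4096,
    "labels": {"working-environment-id": "vsaworkingenvironment-xxyyzz"},
    "diskType": "pd-ssd", "encryptionKey": None,
})

# Constructed sample server.log line, shaped like the RESOURCE_ERROR quoted in the KB.
_deployment_error = {
    "ResourceType": "compute.v1.disk", "ResourceErrorCode": "400",
    "ResourceErrorMessage": {"code": 400, "errors": [{
        "domain": "global",
        "message": (f"Cloud KMS error when using key {KMS_KEY}: Permission "
                    f"'cloudkms.cryptoKeyVersions.useToEncrypt' denied on resource "
                    f"'{KMS_KEY}' (or it may not exist)."),
        "reason": "kmsPermissionDenied"}]},
}
SERVER_LOG_LINE = ("Error:Operation Deploy failed with error Error: Code: RESOURCE_ERROR "
                   "Target: /deployments/gcpcvo-deployment/resources/gcpcvo-disk-xxyyzz "
                   "Message: " + json.dumps(_deployment_error, separators=(",", ":")))

_PERM_RE = re.compile(r"Permission '([\w.]+)' denied on resource '([^']+)'")


def unencrypted_disks(task_result_json: str) -> list:
    """Names of disks in a 'Create Disk' task result whose encryptionKey is null."""
    data = json.loads(task_result_json)
    disks = data if isinstance(data, list) else [data]
    return [d["name"] for d in disks if d.get("encryptionKey") is None]


def parse_kms_denial(log_line: str) -> Optional[dict]:
    """Denied permission and key resource from a Deployment Manager RESOURCE_ERROR
    line; None if the line is not a Cloud KMS permission denial."""
    marker = "Message: "
    if marker not in log_line:
        return None
    try:
        payload = json.loads(log_line.split(marker, 1)[1])
    except json.JSONDecodeError:
        return None
    for err in payload.get("ResourceErrorMessage", {}).get("errors", []):
        match = _PERM_RE.search(err.get("message", ""))
        if match and err.get("reason") == "kmsPermissionDenied":
            return {"permission": match.group(1), "key": match.group(2)}
    return None


# Assumption (general GCP behaviour, not from the KB): the Compute Engine service agent
# performs the disk encryption and needs this role on the key.
ENCRYPTER_ROLE = "roles/cloudkms.cryptoKeyEncrypterDecrypter"


def compute_service_agent(project_number: str) -> str:
    """IAM member string of the Compute Engine service agent for a project number."""
    return f"serviceAccount:service-{project_number}@compute-system.iam.gserviceaccount.com"


def key_policy_grants_encrypt(policy: dict, member: str) -> bool:
    """True if a key IAM policy binds `member` to the encrypter/decrypter role. Only
    bindings on the key itself are inspected; a role inherited from the key ring or
    project is not visible here."""
    return any(b.get("role") == ENCRYPTER_ROLE and member in b.get("members", [])
               for b in policy.get("bindings", []))


# Constructed key policy that reproduces the failure: nobody holds the encrypter role.
POLICY_MISSING_GRANT = {"bindings": [{"role": "roles/cloudkms.admin",
                                      "members": ["group:kms-admins@example.com"]}],
                        "etag": "BwXconstructed=", "version": 1}


def triage(task_result_json: str, log_line: str, policy: dict, project_number: str) -> list:
    """Human-readable findings for the three checks above."""
    findings = [f"disk {n} has encryptionKey null (CMEK not applied)"
                for n in unencrypted_disks(task_result_json)]
    denial = parse_kms_denial(log_line)
    if denial:
        findings.append(f"server.log: {denial['permission']} denied on {denial['key']}")
    agent = compute_service_agent(project_number)
    if not key_policy_grants_encrypt(policy, agent):
        findings.append(f"{agent} lacks {ENCRYPTER_ROLE} on the key")
    return findings


if __name__ == "__main__":
    for finding in triage(TIMELINE_TASK_RESULT, SERVER_LOG_LINE, POLICY_MISSING_GRANT, "123456789012"):
        print("-", finding)
```

Run it as-is to see all three findings against the constructed samples; to check a real key, feed `key_policy_grants_encrypt` the JSON from `gcloud kms keys get-iam-policy` and your project number. A clean Timeline result shows a non-null "encryptionKey" rather than null.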