I have a Terraform script that creates a storage bucket and adds encryption to it. I already have a KMS key ring and the key created. I also have a service account with the following roles:
“Cloud KMS Admin” and “Cloud KMS CryptoKey Encrypter/Decrypter”
I am getting the following error:
googleapi: Error 403: Permission denied on Cloud KMS key. Please ensure that your Cloud Storage service account has been authorized to use this key., forbidden
│
│ with module.storage-bucket.google_storage_bucket.storage-bucket,
│ on ../../modules/storage/main.tf line 1, in resource "google_storage_bucket" "storage-bucket":
│ 1: resource "google_storage_bucket" "storage-bucket" {
I tried adding the admin role to the service account, but it did not work. This is my storage script:
resource "google_storage_bucket" "storage-bucket" {
  name     = var.storage_bucket
  location = var.project_region
  project  = var.project_id

  versioning {
    enabled = true
  }

  uniform_bucket_level_access = true
  public_access_prevention    = var.access_prevention_policy

  # Age-based transitions: nearline -> coldline -> archive, then delete
  lifecycle_rule {
    action {
      type          = var.change_storage_type
      storage_class = var.nearline_storage_class
    }
    condition {
      age = var.nearline_storage_age
    }
  }

  lifecycle_rule {
    action {
      type          = var.change_storage_type
      storage_class = var.coldline_storage_class
    }
    condition {
      age = var.coldline_storage_age
    }
  }

  lifecycle_rule {
    action {
      type          = var.change_storage_type
      storage_class = var.archive_storage_class
    }
    condition {
      age = var.archive_storage_age
    }
  }

  lifecycle_rule {
    action {
      type = var.delete
    }
    condition {
      age = var.delete_age
    }
  }

  logging {
    log_bucket        = var.storage_bucket
    log_object_prefix = var.log_object_prefix
  }

  labels = {
    environment = var.environment
  }

  # Customer-managed encryption key (CMEK) applied to all new objects
  encryption {
    default_kms_key_name = var.key_name
  }
}
I did verify that my resource name for the KMS key is correct and that it is in the appropriate region.
Can someone let me know where I went wrong?
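An added example (not part of the question) of the fix the error message points at: the 403 is about the project's Cloud Storage service agent, not the service account running Terraform, so the Encrypter/Decrypter binding has to be granted to that agent on the key itself. It assumes the question's var.project_id, var.storage_bucket, var.project_region and var.key_name (a full key resource name), and trims the bucket to the attributes relevant to the error.

```hcl
# Added example, not from the question. Assumes the same variables the
# question's module uses; var.key_name is the full key resource name
# (projects/.../locations/.../keyRings/.../cryptoKeys/...).

# Bucket-level CMEK encryption is performed by the project's Cloud Storage
# service agent (service-<PROJECT_NUMBER>@gs-project-accounts.iam.gserviceaccount.com),
# not by the identity that runs Terraform. Look it up rather than hard-coding it.
data "google_storage_project_service_account" "gcs_account" {
  project = var.project_id
}

# Least privilege: bind only the role Cloud Storage needs, only on this key,
# rather than giving the agent a project-wide KMS role.
resource "google_kms_crypto_key_iam_member" "gcs_key_user" {
  crypto_key_id = var.key_name
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}"
}

# Trimmed bucket; the question's full definition (versioning, lifecycle rules,
# logging, labels) would carry the same encryption block and depends_on.
resource "google_storage_bucket" "storage-bucket" {
  name     = var.storage_bucket
  location = var.project_region # must match the key ring's location
  project  = var.project_id

  uniform_bucket_level_access = true

  encryption {
    default_kms_key_name = var.key_name
  }

  # Without this, Terraform can create the bucket before the key binding
  # exists and fail with the same 403 on the first apply.
  depends_on = [google_kms_crypto_key_iam_member.gcs_key_user]
}
```

Granting roles to your own service account does not change this check, because Cloud Storage calls KMS as its service agent; after the binding is in place the bucket creation succeeds and the caller only needs storage permissions on the project.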