online signing "cloudkms.cryptoKeyVersions.useToSign" fails with 403

jku commented 10 months ago

google.api_core.exceptions.PermissionDenied: 403 Permission 'cloudkms.cryptoKeyVersions.useToSign' denied on resource 'projects/projectsigstore-staging/locations/global/keyRings/tuf-keyring/cryptoKeys/tuf-staging-key'

https://github.com/sigstore/root-signing-staging/actions/runs/7474882630/job/20341939571

the gcp authentication is working
the problem happens when using kms.KeyManagementServiceClient.asymmetric_sign()
keyid is projects/projectsigstore-staging/locations/global/keyRings/tuf-keyring/cryptoKeys/tuf-staging-key/cryptoKeyVersions/1

jku commented 10 months ago

the service account should have roles/cloudkms.signer for the key or the keyring

haydentherapper commented 9 months ago

Creating a dedicated service account with a signer permission granted to the SA for the keyring.

jku commented 9 months ago

finally :pray: https://sigstore.github.io/root-signing-staging/timestamp.json

sigstore / root-signing-staging

online signing "cloudkms.cryptoKeyVersions.useToSign" fails with 403 #22