terraform-google-modules / terraform-google-vault

Deploys Vault on Compute Engine
https://registry.terraform.io/modules/terraform-google-modules/vault/google
Apache License 2.0

Permission 'cloudkms.cryptoKeys.get' denied on init setup #184

Closed voxmaster closed 1 year ago

voxmaster commented 1 year ago

TL;DR

Not enough permission to read from KMS

Expected behavior

No response

Observed behavior

The following error appears in the VM logs of a fresh setup:

Error parsing Seal configuration: error checking key existence: rpc error: code = PermissionDenied desc = Permission 'cloudkms.cryptoKeys.get' denied on resource 'projects/$PROJECT_ID/locations/us-central1/keyRings/vault/cryptoKeys/vault-init' (or it may not exist).

Terraform Configuration

module "vault" {
  source     = "terraform-google-modules/vault/google"
  version    = "7.0.0"
  project_id = var.project_id
  region     = var.region

  network                   = "main"
  subnet                    = "main-01"
  network_subnet_cidr_range = "35.235.240.0/20"
  allow_public_egress       = false
  manage_tls                = true
  tls_cn                    = "some.domain.com"

  storage_bucket_force_destroy = true
  vault_version                = "1.13.2"
  vault_machine_type           = "e2-small"
  vault_max_num_servers        = 1
}

Terraform Version

Terraform v1.4.5
on darwin_amd64
+ provider registry.terraform.io/hashicorp/google v4.63.1
+ provider registry.terraform.io/hashicorp/google-beta v4.63.1
+ provider registry.terraform.io/hashicorp/local v2.4.0
+ provider registry.terraform.io/hashicorp/tls v4.0.4

Additional information

Was able to fix this using this configuration

## Fix for "7.0.0" version of module with 1.13.2 Vault version
resource "google_kms_crypto_key_iam_member" "ck-iam" {
  # {location}/{key_ring}/{key}; the provider project is used as fallback
  crypto_key_id = "${var.region}/vault/vault-init"
  # roles/cloudkms.viewer carries cloudkms.cryptoKeys.get, which the seal's
  # key-existence check needs
  role          = "roles/cloudkms.viewer"
  member        = "serviceAccount:${module.vault.service_account_email}"
}
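A pre-flight check for the permission this issue is about, added here as an example and not code from the module or the reporter: it takes the JSON IAM policy of the `vault-init` key (as `gcloud kms keys get-iam-policy ... --format=json` would print it) and reports whether the Vault service account holds an unconditional role that grants `cloudkms.cryptoKeys.get`. The service account email and the policy are constructed placeholders, and the role-to-permission map is an assumption to verify against the current Cloud KMS IAM role reference.

```python
import json

# Assumed snapshot of predefined roles that carry cloudkms.cryptoKeys.get,
# the permission Vault's seal check fails on in this issue. Verify against
# the current IAM role reference before relying on it.
ROLES_WITH_CRYPTOKEYS_GET = {
    "roles/cloudkms.viewer",
    "roles/cloudkms.admin",
    "roles/owner",
}
# roles/cloudkms.cryptoKeyEncrypterDecrypter allows encrypt/decrypt calls but
# is assumed here NOT to include cloudkms.cryptoKeys.get.


def member_roles(policy: dict, member: str) -> list[tuple[str, bool]]:
    """Return (role, has_condition) for every binding that names `member`."""
    return [
        (b["role"], "condition" in b)
        for b in policy.get("bindings", [])
        if member in b.get("members", [])
    ]


def can_get_crypto_key(policy: dict, member: str) -> bool:
    """True if an unconditional binding grants cloudkms.cryptoKeys.get."""
    return any(
        role in ROLES_WITH_CRYPTOKEYS_GET and not conditional
        for role, conditional in member_roles(policy, member)
    )


def with_viewer_binding(policy: dict, member: str) -> dict:
    """Copy of `policy` with the fix from this issue (roles/cloudkms.viewer) applied."""
    fixed = json.loads(json.dumps(policy))
    fixed.setdefault("bindings", []).append(
        {"role": "roles/cloudkms.viewer", "members": [member]}
    )
    return fixed


# Constructed sample policy: only the encrypter/decrypter role is bound.
VAULT_SA = "serviceAccount:vault-sa@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = json.loads("""{
  "bindings": [{"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
                "members": ["%s"]}],
  "etag": "constructed", "version": 1
}""" % VAULT_SA)

if __name__ == "__main__":
    print("before fix:", can_get_crypto_key(SAMPLE_POLICY, VAULT_SA))
    print("after fix:", can_get_crypto_key(with_viewer_binding(SAMPLE_POLICY, VAULT_SA), VAULT_SA))
```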

g-awmalik commented 1 year ago

Thanks @voxmaster. Do you mind sending a PR for this? Happy to review that for you.

voxmaster commented 1 year ago

@g-awmalik PTAL: https://github.com/terraform-google-modules/terraform-google-vault/pull/185

github-actions[bot] commented 1 year ago

This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 7 days.