使用GCloud KMS生成私有密钥作为依赖项访问私钥时生成加密密钥时出错 [英] Getting error while generating crypto keys using GCloud KMS to access private repo as dependency

问题描述

我正在尝试使用此

I'm trying to add encrypted ssh keys to google KMS using this documentation for accessing private repository as a dependency on Google App Engine (Node.JS project).

我已经成功生成了Cloud KMS KeyRing和CryptoKey，但是在加密密钥时遇到错误.

I have successfully generated Cloud KMS KeyRing and CryptoKey but I'm facing an error while encrypting the key.

(gcloud.kms.encrypt)PERMISSION_DENIED:权限 资源拒绝'cloudkms.cryptoKeyVersions.useToEncrypt' 项目/测试/位置/全局/keyRings/my-keyring/cryptoKeys/密钥".

(gcloud.kms.encrypt) PERMISSION_DENIED: Permission 'cloudkms.cryptoKeyVersions.useToEncrypt' denied for resource 'projects/test/locations/global/keyRings/my-keyring/cryptoKeys/key'.

需要一些帮助来设置它，以便我可以在GAE上使用此ssh密钥.

Need some help to setup this so can I can use this ssh key on GAE.

推荐答案

您没有用于加密功能的IAM权限.

You do not have IAM permissions to use to encrypt feature.

建议:不要在SSH实密钥上进行练习.将它们的副本复制到另一个目录中.然后学习如何在副本上使用IAM和KMS.

Advice: do not practice on your SSH real keys. Make a copy of them into a different directory. Then learn how to use IAM and KMS on the copies.

需要一些帮助来设置它，以便我可以在GAE上使用此ssh密钥.

Need some help to setup this so can I can use this ssh key on GAE.

我不确定您要通过KMS加密SSH密钥(可在GAE上使用)来完成什么工作.

I not sure what you are trying accomplish with KMS encrypting SSH keys for use on GAE.

允许用户或服务帐户使用密钥进行加密或解密 使用特定的密钥，他们必须具有 cloudkms.cryptoKeyEncrypterDecrypter，cloudkms.cryptoKeyEncrypter， cloudkms.cryptoKeyDecrypter或所有者角色，根据中的图表 权限和角色.

To allow a user or service account to use a key to encrypt or decrypt using a particular key, they must have the cloudkms.cryptoKeyEncrypterDecrypter, cloudkms.cryptoKeyEncrypter, cloudkms.cryptoKeyDecrypter, or owner role, as per the chart in Permissions and Roles.

授予服务帐户权限的示例命令:

Example command to grant a service account permissions:

gcloud kms keys add-iam-policy-binding \
  golden-egg --location global --keyring golden-goose \
  --member serviceAccount:my-service-account@my-project.iam.gserviceaccount.com \
  --role roles/cloudkms.cryptoKeyEncrypterDecrypter

类似的命令授予用户权限:

Similar command to grant a user permissions:

gcloud kms keys add-iam-policy-binding \
  golden-egg --location global --keyring golden-goose \
  --member user:sillygoose@gmail.com \
  --role roles/cloudkms.cryptoKeyEncrypterDecrypter

授予使用密钥的权限

权限和角色

这篇关于使用GCloud KMS生成私有密钥作为依赖项访问私钥时生成加密密钥时出错的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！