GCPでCMEKを使用している場合、ディスクが暗号化されません
環境
- 顧客管理暗号化キー(CMEK)
- Google Cloud(GCP)
- NetApp クラウドボリューム ONTAP
- NetApp Cloud Manager の略
問題
- WorkingEnvironmentは、CMEKを使用するように「gcpEncryptionParameters」が設定されたJSONテンプレートを介して展開されます
- 展開は成功するが、タイムラインで「ラベルでディスティネ」タスクを調べる。ディスクは、指定されたキーで暗号化されていない。
Create DiskSuccess{"name": "gcpcvo-vm2datadisk1","_result": {"operationType": "insert","targetId": "https://www.googleapis.com/compute/v...o-vm2datadisk1"},"image": null,"sizeGb": 4096,"labels": {"working-environment-id": "vsaworkingenvironment-xxyyzz"},"diskType": "pd-ssd","encryptionKey": null}- 次のエラーは、server.logで確認できます
Error:Operation Deploy failed with error Error: Code: RESOURCE_ERROR Target: /deployments/gcpcvo-deployment/resources/gcpcvo-disk-xxyyzz Message: {"ResourceType":"compute.v1.disk","ResourceErrorCode":"400","ResourceErrorMessage":{"code":400,"errors":[{"domain":"global","message":"Cloud KMS error when using key projects/project-cvo/locations/gcp-region/keyRings/mykeyring/cryptoKeys/key: Permission 'cloudkms.cryptoKeyVersions.useToEncrypt' denied on resource 'projects/project-cvo/locations/gcp-region/keyRings/mykeyring/cryptoKeys/key' (or it may not exist).","reason":"kmsPermissionDenied"}],"message":"Cloud KMS error when using key projects/project-cvo/locations/gcp-region/keyRings/mykeyring/cryptoKeys/key: Permission 'cloudkms.cryptoKeyVersions.useToEncrypt' denied on resource 'projects/project-cvo/locations/gcp-region/keyRings/mykeyring/cryptoKeys/key' (or it may not exist).","statusMessage":"Bad Request","requestPath":"https://compute.googleapis.com/compu...gcp-zone/disks","httpMethod":"POST"}}