跳转到主内容

在GCP中使用CMEK时磁盘未加密

Views:
3
Visibility:
Public
Votes:
0
Category:
cloud-manager
Specialty:
cloud<a>安全性</a><a>2009268956</a><a>云密钥管理</a><a>云</a>
Last Updated:

适用场景

  • 客户管理的加密密钥(CMEK)
  • Google Cloud (GCP)
  • NetApp Cloud Volumes ONTAP
  • NetApp Cloud Manager

问题描述

  • 工作环境通过JSON模板进行部署、并将"gcpEncryptionParameters"设置为使用CMEE
  • 部署成功、但在时间线中检查"按标签划分的磁盘"任务时、磁盘n`t将使用指定的密钥进行加密:
 
Create Disk
Success
{
"name": "gcpcvo-vm2datadisk1",
"_result": {
"operationType": "insert",
},
"image": null,
"sizeGb": 4096,
"labels": {
"working-environment-id": "vsaworkingenvironment-xxyyzz"
},
"diskType": "pd-ssd",
"encryptionKey": null
}
 
  • 可以在server.log中找到以下错误
Error:Operation Deploy failed with error Error: Code: RESOURCE_ERROR Target: /deployments/gcpcvo-deployment/resources/gcpcvo-disk-xxyyzz Message: {"ResourceType":"compute.v1.disk","ResourceErrorCode":"400","ResourceErrorMessage":{"code":400,"errors":[{"domain":"global","message":"Cloud KMS error when using key projects/project-cvo/locations/gcp-region/keyRings/mykeyring/cryptoKeys/key: Permission 'cloudkms.cryptoKeyVersions.useToEncrypt' denied on resource 'projects/project-cvo/locations/gcp-region/keyRings/mykeyring/cryptoKeys/key' (or it may not exist).","reason":"kmsPermissionDenied"}],"message":"Cloud KMS error when using key projects/project-cvo/locations/gcp-region/keyRings/mykeyring/cryptoKeys/key: Permission 'cloudkms.cryptoKeyVersions.useToEncrypt' denied on resource 'projects/project-cvo/locations/gcp-region/keyRings/mykeyring/cryptoKeys/key' (or it may not exist).","statusMessage":"Bad Request","requestPath":"https://compute.googleapis.com/compu...gcp-zone/disks","httpMethod":"POST"}}

Sign in to view the entire content of this KB article.

New to NetApp?

Learn more about our award-winning Support

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.