Disks are not encrypted when using CMEK in GCP
Applies to
- Customer-managed encryption keys (CMEK)
- Google Cloud (GCP)
- NetApp Cloud Volumes ONTAP
- NetApp Cloud Manager
Issue
- The working environment is deployed from a JSON template with "gcpEncryptionParameters" set to use CMEK
- The deployment succeeds, but when the "Create Disk" task is inspected in the Timeline, the disks are not encrypted with the specified key ("encryptionKey" is null):
Create Disk
Success
{
  "name": "gcpcvo-vm2datadisk1",
  "_result": {
    "operationType": "insert",
    "targetId": "https://www.googleapis.com/compute/v...o-vm2datadisk1"
  },
  "image": null,
  "sizeGb": 4096,
  "labels": {
    "working-environment-id": "vsaworkingenvironment-xxyyzz"
  },
  "diskType": "pd-ssd",
  "encryptionKey": null
}
- The following error can be found in server.log; the Compute Engine disk insert was rejected because the caller lacks the 'cloudkms.cryptoKeyVersions.useToEncrypt' permission on the CMEK (reason "kmsPermissionDenied"):
Error:Operation Deploy failed with error Error: Code: RESOURCE_ERROR Target: /deployments/gcpcvo-deployment/resources/gcpcvo-disk-xxyyzz Message: {"ResourceType":"compute.v1.disk","ResourceErrorCode":"400","ResourceErrorMessage":{"code":400,"errors":[{"domain":"global","message":"Cloud KMS error when using key projects/project-cvo/locations/gcp-region/keyRings/mykeyring/cryptoKeys/key: Permission 'cloudkms.cryptoKeyVersions.useToEncrypt' denied on resource 'projects/project-cvo/locations/gcp-region/keyRings/mykeyring/cryptoKeys/key' (or it may not exist).","reason":"kmsPermissionDenied"}],"message":"Cloud KMS error when using key projects/project-cvo/locations/gcp-region/keyRings/mykeyring/cryptoKeys/key: Permission 'cloudkms.cryptoKeyVersions.useToEncrypt' denied on resource 'projects/project-cvo/locations/gcp-region/keyRings/mykeyring/cryptoKeys/key' (or it may not exist).","statusMessage":"Bad Request","requestPath":"https://compute.googleapis.com/compu...gcp-zone/disks","httpMethod":"POST"}}
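The two symptoms above (a "Create Disk" result with "encryptionKey": null, and a kmsPermissionDenied error in server.log) can be checked mechanically. The following is an added example written for this article, not NetApp or Google code: it audits a Create Disk task result against the key the template asked for, and extracts the denied permission, resource and error reason from a server.log line. The sample inputs are constructed copies of the excerpts shown above; EXPECTED_KEY is the key path from the error message.

```python
import json
import re

# Constructed sample: a copy of the "Create Disk" task result shown in the article.
SAMPLE_TASK = """{
  "name": "gcpcvo-vm2datadisk1",
  "_result": {
    "operationType": "insert",
    "targetId": "https://www.googleapis.com/compute/v...o-vm2datadisk1"
  },
  "image": null,
  "sizeGb": 4096,
  "labels": {"working-environment-id": "vsaworkingenvironment-xxyyzz"},
  "diskType": "pd-ssd",
  "encryptionKey": null
}"""

# Constructed sample: the essential part of the server.log error shown in the article.
SAMPLE_LOG_LINE = r"""Error:Operation Deploy failed with error Error: Code: RESOURCE_ERROR Target: /deployments/gcpcvo-deployment/resources/gcpcvo-disk-xxyyzz Message: {"ResourceType":"compute.v1.disk","ResourceErrorCode":"400","ResourceErrorMessage":{"code":400,"errors":[{"domain":"global","message":"Cloud KMS error when using key projects/project-cvo/locations/gcp-region/keyRings/mykeyring/cryptoKeys/key: Permission 'cloudkms.cryptoKeyVersions.useToEncrypt' denied on resource 'projects/project-cvo/locations/gcp-region/keyRings/mykeyring/cryptoKeys/key' (or it may not exist).","reason":"kmsPermissionDenied"}],"statusMessage":"Bad Request","httpMethod":"POST"}}"""

# The CMEK the JSON template requested (taken from the error message above).
EXPECTED_KEY = "projects/project-cvo/locations/gcp-region/keyRings/mykeyring/cryptoKeys/key"

# Matches the Cloud KMS permission-denied text emitted by the Compute API.
KMS_DENIED_RE = re.compile(
    r"Permission '(?P<permission>cloudkms\.[\w.]+)' denied on resource "
    r"'(?P<resource>projects/[^']+)'"
)


def check_disk_encryption(task_json, expected_key):
    """Return a finding string if the disk is not protected by expected_key, else None.

    A null encryptionKey means the disk got a Google-managed key, i.e. the CMEK
    request was silently not honoured.
    """
    task = json.loads(task_json)
    key = task.get("encryptionKey")
    if key is None:
        return f"disk {task['name']}: encryptionKey is null (Google-managed key, CMEK not applied)"
    # The Compute API reports a CMEK as {"kmsKeyName": "projects/.../cryptoKeys/<key>"},
    # sometimes with a "/cryptoKeyVersions/<n>" suffix, so compare by prefix.
    kms_name = key.get("kmsKeyName", "") if isinstance(key, dict) else str(key)
    if not kms_name.startswith(expected_key):
        return f"disk {task['name']}: encrypted with {kms_name!r}, expected {expected_key!r}"
    return None


def parse_kms_error(log_line):
    """Extract the denied permission, the KMS resource and the API reason from a log line.

    Returns None when the line is not a Cloud KMS permission error.
    """
    m = KMS_DENIED_RE.search(log_line)
    if not m:
        return None
    reason = re.search(r'"reason":"(?P<reason>\w+)"', log_line)
    return {
        "permission": m.group("permission"),
        "resource": m.group("resource"),
        "reason": reason.group("reason") if reason else None,
    }


def audit(task_json, log_line, expected_key):
    """Combine both checks into a list of findings for one deployment."""
    findings = []
    disk_finding = check_disk_encryption(task_json, expected_key)
    if disk_finding:
        findings.append(disk_finding)
    kms = parse_kms_error(log_line)
    if kms:
        findings.append(
            f"server.log: {kms['reason']}: {kms['permission']} denied on {kms['resource']}"
        )
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_TASK, SAMPLE_LOG_LINE, EXPECTED_KEY):
        print(line)
```

Run against the samples, audit() reports both the unencrypted disk and the denied permission on the key. When the permission name in the log is cloudkms.cryptoKeyVersions.useToEncrypt, the principal creating the disk (for Compute Engine disks this is the project's Compute Engine service agent) has not been granted the Cloud KMS CryptoKey Encrypter/Decrypter role on that key, or the key path in the template does not match an existing key; checking the key's IAM policy resolves which of the two applies.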