Prisma Cloud Compute: Agentless GCP "missing permission for KMS cryptographic operations" in Hub Mode
165
Created On 07/04/24 21:57 PM - Last Modified 03/26/26 22:34 PM
Symptom
Agentless fails to scan the impacted resource(s) with an error like the below:
missing permission for KMS cryptographic operations googleapi: Error 400: Cloud KMS error when using key projects/<project_id>/locations/<region>/keyRings/<key_ring>/cryptoKeys/<crypto_key>: Permission 'cloudkms.cryptoKeyVersions.useToEncrypt' denied on resource 'projects/<project_id>/locations/<region>/keyRings/<key_ring>/cryptoKeys/<crypto_key>:' (or it may not exist)., kmsPermissionDenied target="<target_account>" hub="<hub_account>" region="<region>" availabilityDomain="" job="Scan" workerID="<worker_id>"
Environment
- Prisma Cloud Compute Self-hosted 22.06 and above
- Prisma Cloud Compute SaaS
- GCP
- Customer-managed encrypted storage
Cause
- The hub project does not have required permissions to scan the impacted resource(s).
Resolution
- Run the below command as stated in our documentation :
gcloud projects add-iam-policy-binding KMS_PROJECT_ID \
--member serviceAccount:service-PROJECT_NUMBER@compute-system.iam.gserviceaccount.com \
--role roles/cloudkms.cryptoKeyEncrypterDecrypter
- If the KMS keys are not located in a central KMS project, users can choose to add the Cloud KMS CryptoKey Encrypter/Decrypter role to the Compute Engine Service Agent for the hub project (service-<HUB_PROJECT_NUMBER>@compute-system.iam.gserviceaccount.com) at the organization level.