Comments
ba...@google.com <ba...@google.com> #2
Thanks for the report. I will route this to the appropriate internal team and update this when I hear back from them.
Description
How this might work: Either through a deny policy or organization policy, this would allow people in charge of Cloud KMS CMEK to control who can and cannot destroy key materials.
If applicable, reasons why alternative solutions are not sufficient: Organization Policies do not currently cover this issue [1] and custom roles are not feasible given a large number of users this would apply to. Constraints will deny users the ability to access all keys, however, it is not applicable to basic roles like owners [2].
Other information (workarounds you have tried, documentation consulted, etc):
[1]
[2]