Comments
ka...@google.com <ka...@google.com> #2
Thanks for the report. I will route this to the appropriate internal team and update this when I hear back from them.
Description
Problem you have encountered: We would like to know whether there is a possibility of denying the use of all, or a few specific, KMS keys (inside a GCP project) to most of the IAM principals (not all) who already have the appropriate permissions (via inheritance) from higher levels in the resource hierarchy. As per my understanding, below are the permissions required to encrypt/decrypt data using a KMS key:
cloudkms.cryptoKeyVersions.useToDecrypt
cloudkms.cryptoKeyVersions.useToEncrypt
which, unfortunately, don’t seem to be supported by deny policies.
What you expected to happen: Add support for the cloudkms.cryptoKeyVersions.useToDecrypt and cloudkms.cryptoKeyVersions.useToEncrypt permissions in IAM Deny policies.