Assigned
Comments
ka...@google.com <ka...@google.com> #2
Thanks for the report. I will route this to the appropriate internal team and update this when I hear back from them.
Description
By using TSI, customers are able to create KMS keys, which are stored in a central project within the same organization.
When creating a new resource, you have the option to manually enter the path of the key (works as expected) or choose it through the project. If the keyrings are given the permissions of the role "roles/cloudkms.viewer", as mentioned in [2], the customer is only able to select keys manually; if this role is given to users of the project, then they are able to see all the keys of the project, not just their dedicated keys.
The definition of done for this ticket is to have either a role that would achieve granular viewing (users being able to see only their dedicated keys) or a feature that would allow only dedicated EKM KMS crypto keys to be selected when creating new resources.
Other information (workarounds you have tried, documentation consulted, etc):
[1]:
[2]: