Assigned
Comments
an...@google.com <an...@google.com> #2
Hello,
Thank you for reaching out to us with your request.
We have duly noted your feedback and will thoroughly validate it. While we cannot provide an estimated time of implementation or guarantee the fulfillment of the issue, please be assured that your input is highly valued. Your feedback enables us to enhance our products and services.
We appreciate your continued trust and support in improving our Google Cloud Platform products. In case you want to report a new issue, please do not hesitate to create a new issue on the
Once again, we sincerely appreciate your valuable feedback. Thank you for your understanding and collaboration.
an...@google.com <an...@google.com> #3
The customer has followed up multiple times. Can we please share our analysis? Can we prioritize this
Description
- The Cloud Functions (GCF) deployment process currently checks for the Cloud Key Management Service (KMS) API's enablement in both projects (i.e., the project containing the CMEK key and the project where the function is being deployed) for deployments using Customer-Managed Encryption Keys (CMEK).
- As a result, customers are unable to enforce the organizational policies restricting which services may create resources without CMEK on Cloud Functions in their projects.
How this might work:
- Customers should only need to enable the Cloud KMS API in the central project containing the CMEK keys.
If applicable, reasons why alternative solutions are not sufficient:
- Many users prefer to keep using a central project to manage all the KMS keys and let the other projects access it without having to enable the KMS API for every project, following GCP's best practice recommendation to keep/manage KMS keys in a separate GCP project (ref:
- Many other major GCP services work well with the same rule, which does not require enabling the KMS API for both projects in such a scenario.