Assigned
Comments
ka...@google.com <ka...@google.com>
ma...@google.com <ma...@google.com> #2
Hello,
Thank you for reaching out. I'm going to create an internal feature request. Please keep in mind that this feature request has to be analyzed and considered by the product team, and I can't provide you an ETA for it to be delivered. However, you can keep track of the status by following this thread.
Description
The constraint constraints/gcp.resourceLocations [1] in the KMS documentation helps restrict the creation of KMS keys and key rings to specific locations. However, there is an issue with this constraint: it also applies to other resources, such as Compute Engine and GKE [2]. When an organization policy that includes a resource location constraint is set, the constraint applies to other resources as well, such as Compute Engine, GKE, and App Engine [3].
[1]
[2]
[3]
What you expected to happen:
A new constraint could be added specifically for Cloud KMS location restrictions, or we could use the existing constraint with a condition to specify the resource (currently, we can specify tags in the condition but not the resources).
Steps to reproduce:
Navigated to IAM & Admin > Organization Policies > constraints/gcp.resourceLocations > Manage Organization Policy > Override Parent Policy and specified the location.
However, when trying to set a condition for specific resources, we don't see any way to specify resources.
As a result, the constraint is applied to all resources, including GCE, GKE, App Engine, and KMS.
Other information (workarounds you have tried, documentation consulted, etc): n/a
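The following is an added example, not part of the original report, showing the only scoping the page says is available today: a resource-location rule on constraints/gcp.resourceLocations that is conditioned on a tag rather than on a resource type. Everything concrete in it is an assumption for illustration: the organization ID 123456789012, the tag key data-residency with value eu, and the choice of the eu-locations value group. Because the condition matches tags carried by (or inherited from) the project or folder a resource is created in, this scopes the restriction by where KMS key rings live, not by resource type; a dedicated, tagged project for Cloud KMS is therefore the workaround this policy relies on, and the report's request for a per-resource-type condition remains unmet.

```yaml
# Hypothetical organization policy for constraints/gcp.resourceLocations.
# Assumed values: organization 123456789012, tag key data-residency, tag value eu.
name: organizations/123456789012/policies/gcp.resourceLocations
spec:
  # Equivalent to "Override Parent Policy" in the console: do not merge with the parent.
  inheritFromParent: false
  rules:
    # Rule 1: resources created under a project or folder tagged
    # data-residency=eu may only be created in EU locations.
    # This applies to every location-bearing resource type (KMS, GCE, GKE, App Engine),
    # because the constraint has no per-resource-type condition.
    - condition:
        expression: "resource.matchTag('123456789012/data-residency', 'eu')"
      values:
        allowedValues:
          - in:eu-locations
    # Rule 2: anything not carrying the tag is left unrestricted by this policy.
    - allowAll: true
```

Apply it with gcloud org-policies set-policy policy.yaml (the file name is assumed), then confirm what a given project actually inherits with gcloud org-policies describe gcp.resourceLocations --effective --project=PROJECT_ID; a KMS key-ring create in a non-EU location from a project tagged data-residency=eu should be rejected, while the same create from an untagged project is allowed by rule 2.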