Assigned
ba...@google.com <ba...@google.com>
ma...@google.com <ma...@google.com> #2
Thanks for the report. I will route this to the appropriate internal team and update this when I hear back from them.
Description
Unable to use multi-region CMEK keys for encrypting Compute Engine regional disks when the region is part of the multi-region coverage. The system enforces that CMEK keys must be in the same region as the resource, in a supported multi-region, or in the global location, preventing organizations from leveraging multi-region CMEK keys even when the target region is part of that multi-region's coverage area.
What you expected to happen:
To be able to use a multi-region CMEK key to encrypt Compute Engine disks in any region that is part of that multi-region's coverage area. For example, using a CMEK key from eur8 (multi-region covering Zürich, Frankfurt, and Berlin) to encrypt Compute Engine disks in europe-west6 (Zürich), especially when compliance requirements mandate keeping encryption keys within specific geographical boundaries.
Steps to reproduce:
export PROJECT_ID="your-project-id"
export KMS_LOCATION="eur8"
export KEYRING_NAME="example-keyring"
export KEY_NAME="example-key"
export DISK_NAME="example-disk"
export REGION="europe-west6"
export ZONE_PRIMARY="europe-west6-a"
export ZONE_SECONDARY="europe-west6-c"
# Create keyring
gcloud kms keyrings create ${KEYRING_NAME} \
--location=${KMS_LOCATION} \
--project=${PROJECT_ID}
# Create encryption key
gcloud kms keys create ${KEY_NAME} \
--keyring=${KEYRING_NAME} \
--location=${KMS_LOCATION} \
--purpose=encryption \
--project=${PROJECT_ID}
# Create regional disk with CMEK (this is the step that is rejected)
gcloud compute disks create ${DISK_NAME} \
--region=${REGION} \
--replica-zones=${ZONE_PRIMARY},${ZONE_SECONDARY} \
--size=500GB \
--kms-key=projects/${PROJECT_ID}/locations/${KMS_LOCATION}/keyRings/${KEYRING_NAME}/cryptoKeys/${KEY_NAME}
Other information (workarounds you have tried, documentation consulted, etc):
Documentation findings:
According to [1], europe-west6 is designated as the region Zürich, while eur8 is a multi-region containing "Zürich, Frankfurt, and Berlin".
Per [2], there is a documented limitation: "Regional and zonal resources must use a key ring and CMEK in the same region as the resource or in the global location. Single-region and zonal resources can't use a multi-region key ring other than global."
Resources created in the europe multi-region are not stored in europe-west6 (Zürich) data centers.
Business impact:
Organizations with data sovereignty requirements cannot use multi-region CMEK keys with Compute Engine resources, even when their target region is part of that multi-region's coverage. This affects cases where compliance mandates keeping encryption keys within specific geographical boundaries.
[1]
[2]
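The rule quoted from [2] (a regional or zonal resource may only use a key ring in its own region or in global) can be enforced as a pre-flight check before the gcloud compute disks create call in the steps above, so that an automation pipeline rejects a multi-region key such as eur8 up front instead of failing at disk creation. The following is an added example, not code from the report or from Google; the function names and the sample key resource names are assumptions introduced for illustration, and the check only encodes the documented rule, it does not change what the Compute Engine API accepts.

```shell
#!/usr/bin/env bash
# Added example (not part of the original report): pre-flight validation of a
# CMEK key location against the rule quoted from [2] for a regional
# Compute Engine disk. Function names are hypothetical.

# Extract the location segment from a full KMS key resource name, e.g.
# projects/P/locations/eur8/keyRings/R/cryptoKeys/K -> eur8
kms_key_location() {
  local key="$1"
  local rest="${key#*/locations/}"
  # No "/locations/" segment means this is not a full KMS resource name.
  [ "$rest" != "$key" ] || return 1
  printf '%s\n' "${rest%%/*}"
}

# Return 0 when a key in KEY_LOCATION may encrypt a regional resource in
# RESOURCE_REGION per [2]: the locations must match, or the key must be
# in the global location. Any other location (including a multi-region
# whose coverage contains the region, such as eur8 for europe-west6) is
# rejected, which is exactly the situation the report describes.
cmek_location_allowed() {
  local resource_region="$1" key_location="$2"
  [ "$key_location" = "$resource_region" ] || [ "$key_location" = "global" ]
}

# Check a full key resource name against a target region. Exit status:
# 0 usable, 1 rejected by the documented rule, 2 key name not parseable.
check_cmek_for_region() {
  local region="$1" key="$2" loc
  loc="$(kms_key_location "$key")" || {
    echo "unparseable KMS key resource name: $key" >&2
    return 2
  }
  if cmek_location_allowed "$region" "$loc"; then
    echo "OK: key location '$loc' is usable for a regional disk in '$region'"
  else
    echo "REJECTED: key location '$loc' is neither '$region' nor 'global';" \
         "a multi-region key ring cannot be used for a regional disk" >&2
    return 1
  fi
}

# Constructed sample inputs (project, ring and key names are placeholders).
# Same key as in the reproduction steps: multi-region eur8 for europe-west6.
check_cmek_for_region europe-west6 \
  "projects/example-project/locations/eur8/keyRings/example-keyring/cryptoKeys/example-key" || true
# The two locations the quoted rule does allow for a europe-west6 disk.
check_cmek_for_region europe-west6 \
  "projects/example-project/locations/europe-west6/keyRings/example-keyring/cryptoKeys/example-key"
check_cmek_for_region europe-west6 \
  "projects/example-project/locations/global/keyRings/example-keyring/cryptoKeys/example-key"
```

Run the check with the same REGION and key resource name as in the reproduction steps, immediately before the disk creation command, and abort on a non-zero exit. Under the quoted rule the only key locations that pass for a europe-west6 disk are europe-west6 itself and global; the multi-region key ring from the steps is rejected by this check just as it is by the service.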