IAM policy for Google Cloud KMS crypto key

Three different resources help you manage your IAM policy for a KMS crypto key. Each of these resources serves a different use case:

* google_kms_crypto_key_iam_policy: Authoritative. Sets the IAM policy for the crypto key and replaces any existing policy already attached.
* google_kms_crypto_key_iam_binding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the crypto key are preserved.
* google_kms_crypto_key_iam_member: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the crypto key are preserved.

Note: google_kms_crypto_key_iam_policy cannot be used in conjunction with google_kms_crypto_key_iam_binding and google_kms_crypto_key_iam_member, or they will fight over what your policy should be.

Note: google_kms_crypto_key_iam_binding resources can be used in conjunction with google_kms_crypto_key_iam_member resources only if they do not grant privilege to the same role.

google_kms_crypto_key_iam_policy

resource "google_kms_key_ring" "keyring" {
  name     = "keyring-example"
  location = "global"
}
resource "google_kms_crypto_key" "key" {
  name            = "crypto-key-example"
  key_ring        = google_kms_key_ring.keyring.id
  rotation_period = "7776000s"
  lifecycle {
    prevent_destroy = true
  }
}

data "google_iam_policy" "admin" {
  binding {
    role = "roles/cloudkms.cryptoKeyEncrypter"

    members = [
      "user:jane@example.com",
    ]
  }
}

resource "google_kms_crypto_key_iam_policy" "crypto_key" {
  crypto_key_id = google_kms_crypto_key.key.id
  policy_data   = data.google_iam_policy.admin.policy_data
}

With IAM Conditions (beta):

data "google_iam_policy" "admin" {
  binding {
    role = "roles/cloudkms.cryptoKeyEncrypter"

    members = [
      "user:jane@example.com",
    ]

    condition {
      title       = "expires_after_2019_12_31"
      description = "Expiring at midnight of 2019-12-31"
      expression  = "request.time < timestamp(\"2020-01-01T00:00:00Z\")"
    }
  }
}

google_kms_crypto_key_iam_binding

resource "google_kms_crypto_key_iam_binding" "crypto_key" {
  crypto_key_id = google_kms_crypto_key.key.id
  role          = "roles/cloudkms.cryptoKeyEncrypter"

  members = [
    "user:jane@example.com",
  ]
}

With IAM Conditions (beta):

resource "google_kms_crypto_key_iam_binding" "crypto_key" {
  crypto_key_id = google_kms_crypto_key.key.id
  role          = "roles/cloudkms.cryptoKeyEncrypter"

  members = [
    "user:jane@example.com",
  ]

  condition {
    title       = "expires_after_2019_12_31"
    description = "Expiring at midnight of 2019-12-31"
    expression  = "request.time < timestamp(\"2020-01-01T00:00:00Z\")"
  }
}

google_kms_crypto_key_iam_member

resource "google_kms_crypto_key_iam_member" "crypto_key" {
  crypto_key_id = google_kms_crypto_key.key.id
  role          = "roles/cloudkms.cryptoKeyEncrypter"
  member        = "user:jane@example.com"
}

With IAM Conditions (beta):

resource "google_kms_crypto_key_iam_member" "crypto_key" {
  crypto_key_id = google_kms_crypto_key.key.id
  role          = "roles/cloudkms.cryptoKeyEncrypter"
  member        = "user:jane@example.com"

  condition {
    title       = "expires_after_2019_12_31"
    description = "Expiring at midnight of 2019-12-31"
    expression  = "request.time < timestamp(\"2020-01-01T00:00:00Z\")"
  }
}
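To make the authoritative versus non-authoritative distinction above concrete, here is an added Python simulation of what each of the three resources does to a key's existing IAM policy (example code written for this page, not part of the provider or of Google's API; the sample policy and the member identities are constructed, and only unconditioned bindings are modelled). The last function shows why an iam_policy and an iam_member resource on the same key fight: each re-apply of the authoritative policy discards the member the other resource granted.

```python
import copy

# Constructed sample policy in the shape `gcloud kms keys get-iam-policy` returns;
# the members are hypothetical and not taken from the page.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/cloudkms.cryptoKeyEncrypter",
         "members": ["user:jane@example.com",
                     "serviceAccount:app@example.iam.gserviceaccount.com"]},
        {"role": "roles/cloudkms.cryptoKeyDecrypter",
         "members": ["serviceAccount:app@example.iam.gserviceaccount.com"]},
    ],
}

def members_of(policy, role):
    """Sorted members bound to `role`, or [] if the role is absent."""
    for b in policy["bindings"]:
        if b["role"] == role:
            return sorted(b["members"])
    return []

def apply_iam_policy(policy, bindings):
    """google_kms_crypto_key_iam_policy: authoritative for the whole key.
    Every binding not listed in `bindings` is dropped from the key."""
    return {"bindings": copy.deepcopy(bindings)}

def apply_iam_binding(policy, role, members):
    """google_kms_crypto_key_iam_binding: authoritative for one role.
    The members of `role` are replaced; other roles are left untouched."""
    out = copy.deepcopy(policy)
    out["bindings"] = [b for b in out["bindings"] if b["role"] != role]
    out["bindings"].append({"role": role, "members": sorted(set(members))})
    return out

def apply_iam_member(policy, role, member):
    """google_kms_crypto_key_iam_member: non-authoritative.
    One member is added to `role`; existing members and roles are kept."""
    out = copy.deepcopy(policy)
    for b in out["bindings"]:
        if b["role"] == role:
            if member not in b["members"]:
                b["members"].append(member)
            return out
    out["bindings"].append({"role": role, "members": [member]})
    return out

def member_survives_policy_reapply(policy, bindings, role, member):
    """Models an iam_policy and an iam_member resource on the same key:
    the member is granted, then the authoritative policy is applied again."""
    with_member = apply_iam_member(apply_iam_policy(policy, bindings), role, member)
    return member in members_of(apply_iam_policy(with_member, bindings), role)
```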

Argument Reference

The following arguments are supported:

* crypto_key_id - (Required) The crypto key the policy applies to, as shown in the examples above (google_kms_crypto_key.key.id) or in the {{project_id}}/{{location}}/{{key_ring_name}}/{{crypto_key_name}} form used for import.
* role - (Required for google_kms_crypto_key_iam_binding and google_kms_crypto_key_iam_member) The role that should be applied, e.g. roles/cloudkms.cryptoKeyEncrypter.
* members / member - (Required) The identities that will be granted the privilege in role, e.g. user:jane@example.com. google_kms_crypto_key_iam_binding takes a list (members); google_kms_crypto_key_iam_member takes a single identity (member).
* policy_data - (Required for google_kms_crypto_key_iam_policy only) The policy data generated by a google_iam_policy data source.
* condition - (Optional) An IAM condition that limits when the binding applies. Structure is documented below.

The condition block supports:

* expression - (Required) Textual representation of an expression in Common Expression Language syntax, e.g. request.time < timestamp("2020-01-01T00:00:00Z").
* title - (Required) A title for the expression, i.e. a short summary of its purpose.
* description - (Optional) An optional description of the expression.

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

* etag - (Computed) The etag of the crypto key's IAM policy.

Import

Importing IAM members

IAM member imports use space-delimited identifiers that contain the resource's crypto_key_id, role, and member identity, in the form shown in the examples below.

An import block (Terraform v1.5.0 and later) can be used to import IAM members:

import {
  id = "{{project_id}}/{{location}}/{{key_ring_name}}/{{crypto_key_name}} roles/viewer user:foo@example.com"
  to = google_kms_crypto_key_iam_member.default
}

The terraform import command can also be used:

$ terraform import google_kms_crypto_key_iam_member.default "{{project_id}}/{{location}}/{{key_ring_name}}/{{crypto_key_name}} roles/viewer user:foo@example.com"

Importing IAM bindings

IAM binding imports use space-delimited identifiers that contain the crypto_key_id and role, in the form shown in the examples below.

An import block (Terraform v1.5.0 and later) can be used to import IAM bindings:

import {
  id = "{{project_id}}/{{location}}/{{key_ring_name}}/{{crypto_key_name}} roles/viewer"
  to = google_kms_crypto_key_iam_binding.default
}

The terraform import command can also be used:

$ terraform import google_kms_crypto_key_iam_binding.default "{{project_id}}/{{location}}/{{key_ring_name}}/{{crypto_key_name}} roles/viewer"

Importing IAM policies

IAM policy imports use the identifier of the KMS crypto key only, as shown in the examples below.

An import block (Terraform v1.5.0 and later) can be used to import IAM policies:

import {
  id = "{{project_id}}/{{location}}/{{key_ring_name}}/{{crypto_key_name}}"
  to = google_kms_crypto_key_iam_policy.default
}

The terraform import command can also be used:

$ terraform import google_kms_crypto_key_iam_policy.default {{project_id}}/{{location}}/{{key_ring_name}}/{{crypto_key_name}}