apigee/ERR/2022_002

Product: Apigee API Management
Rule class: ERR - Something that is very likely to be wrong

Description

Apigee X uses a database encryption key to encrypt the application-level data stored in the database, and a disk encryption key to encrypt runtime instance data before it is written to disk. Both are Cloud KMS keys, and the Apigee runtime can only use them if the keys are usable and the Apigee service agent is allowed to call KMS with them.

Verify that neither the runtime database encryption key nor the disk encryption key is disabled or destroyed, and that the Apigee Service Agent account has the roles/cloudkms.cryptoKeyEncrypterDecrypter role on both KMS keys.

Remediation

View the current IAM policy on each of the KMS keys and ensure that it contains the following binding:

  • Principal: service-PROJECT_NUMBER@gcp-sa-apigee.iam.gserviceaccount.com
  • Role: roles/cloudkms.cryptoKeyEncrypterDecrypter

If it does not, grant the role above on each KMS key. If a key or key version is disabled, re-enable it; a key version that is scheduled for destruction can still be restored before the scheduled time, but a version that has already been destroyed cannot be recovered.
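The following script is an added example of the check described above, not gcpdiag's own implementation. It evaluates the two conditions (an unconditional cryptoKeyEncrypterDecrypter binding for the Apigee service agent, and no disabled or destroyed key versions) against the JSON that `gcloud kms keys get-iam-policy ... --format=json` and `gcloud kms keys versions list ... --format=json` produce. The project number, key names and policy documents below are constructed samples so that it runs offline; treating a conditional IAM binding as not satisfying the rule is this example's own conservative choice.

```python
"""Offline check for the two conditions in apigee/ERR/2022_002.

Added example, not gcpdiag's implementation. Inputs mirror the JSON from
  gcloud kms keys get-iam-policy KEY --keyring RING --location LOC --format=json
  gcloud kms keys versions list --key KEY --keyring RING --location LOC --format=json
but the documents below are constructed samples so the script runs offline.
"""
import json

ENCRYPTER_DECRYPTER = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
# Key versions in these states can neither encrypt nor decrypt.
UNUSABLE_STATES = {"DISABLED", "DESTROYED", "DESTROY_SCHEDULED"}


def apigee_service_agent(project_number):
    """IAM member string of the Apigee service agent for a project number."""
    return f"serviceAccount:service-{project_number}@gcp-sa-apigee.iam.gserviceaccount.com"


def has_encrypter_decrypter_binding(policy, member):
    """True if MEMBER holds the Encrypter/Decrypter role through an unconditional binding.

    A conditional binding is treated as not satisfying the rule (this example's
    own choice), because it may not hold at the moment Apigee calls KMS.
    """
    for binding in policy.get("bindings", []):
        if binding.get("role") != ENCRYPTER_DECRYPTER or binding.get("condition"):
            continue
        if member in binding.get("members", []):
            return True
    return False


def key_version_findings(versions):
    """Findings about key versions that the Apigee runtime can no longer use."""
    findings = []
    if not any(v.get("state") == "ENABLED" for v in versions):
        findings.append("no ENABLED key version: Apigee cannot encrypt new data")
    for v in versions:
        if v.get("state") in UNUSABLE_STATES:
            version_id = v["name"].rsplit("/", 1)[-1]
            findings.append(f"version {version_id} is {v['state']}: "
                            "data encrypted with it cannot be decrypted")
    return findings


def check_key(key_name, policy, versions, project_number):
    """Return the findings for one Apigee KMS key; an empty list means the rule passes."""
    member = apigee_service_agent(project_number)
    findings = []
    if not has_encrypter_decrypter_binding(policy, member):
        findings.append(f"{member} lacks {ENCRYPTER_DECRYPTER}")
    findings.extend(key_version_findings(versions))
    return [f"{key_name}: {f}" for f in findings]


# Constructed sample data (hypothetical project number, key ring and key names).
PROJECT_NUMBER = "123456789012"
KEY_PREFIX = ("projects/example-project/locations/us-central1/"
              "keyRings/apigee-ring/cryptoKeys/")

# Database key: correct binding, one enabled version -> passes.
DB_KEY_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
     "members": ["serviceAccount:service-123456789012@gcp-sa-apigee.iam.gserviceaccount.com"]}
  ],
  "etag": "BwXyZ123456=",
  "version": 1
}""")
DB_KEY_VERSIONS = [
    {"name": KEY_PREFIX + "apigee-db-key/cryptoKeyVersions/1", "state": "ENABLED"},
]

# Disk key: the service agent only has Viewer, and the sole version was destroyed -> fails.
DISK_KEY_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/cloudkms.viewer",
     "members": ["serviceAccount:service-123456789012@gcp-sa-apigee.iam.gserviceaccount.com"]}
  ],
  "etag": "BwAbC987654=",
  "version": 1
}""")
DISK_KEY_VERSIONS = [
    {"name": KEY_PREFIX + "apigee-disk-key/cryptoKeyVersions/1", "state": "DESTROYED"},
]


def run_checks():
    """Evaluate both sample keys and return the combined list of findings."""
    findings = check_key("apigee-db-key", DB_KEY_POLICY, DB_KEY_VERSIONS, PROJECT_NUMBER)
    findings += check_key("apigee-disk-key", DISK_KEY_POLICY, DISK_KEY_VERSIONS, PROJECT_NUMBER)
    return findings


if __name__ == "__main__":
    results = run_checks()
    for finding in results:
        print("ERR", finding)
    if not results:
        print("OK: both Apigee KMS keys are usable by the Apigee service agent")
```

For the missing-binding finding, the fix is `gcloud kms keys add-iam-policy-binding KEY --keyring RING --location LOC --member=serviceAccount:service-PROJECT_NUMBER@gcp-sa-apigee.iam.gserviceaccount.com --role=roles/cloudkms.cryptoKeyEncrypterDecrypter`; the key-version findings need the version re-enabled or restored, which IAM changes cannot repair.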

Further information