bigquery/WARN/2023_004
BigQuery CMEK-related operations do not fail due to missing permissions
Product: BigQuery
Rule class: WARN - Something that is possibly wrong
Description
BigQuery CMEK-related operations will fail if the BigQuery encryption service account for that project does not have the permission to encrypt and decrypt using that CMEK KMS key.
You can search in the Logs Explorer for such failing operations with the logging query:
resource.type="bigquery_resource"
severity=ERROR
protoPayload.serviceName="bigquery.googleapis.com"
protoPayload.status.message=~"Access Denied: BigQuery BigQuery: Cloud KMS Error: Permission .* Please grant Cloud KMS CryptoKey Encrypter/Decrypter role to BigQuery service account.*"
Remediation
To protect your BigQuery data with a CMEK key, grant the BigQuery encryption service account permission to encrypt and decrypt using that key via the Cloud KMS CryptoKey Encrypter/Decrypter IAM role. The BigQuery encryption service account is of the form bq-PROJECT_NUMBER@bigquery-encryption.iam.gserviceaccount.com.
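The following Python is an added example, not part of gcpdiag or of this rule's implementation, that turns both halves of the page into checkable code: the detection side applies the Logs Explorer filter above to audit-log entries (as dicts, the way the Logging API returns them), and the remediation side derives the BigQuery encryption service account from a project number, checks whether a KMS key's IAM policy already grants it the Encrypter/Decrypter role, adds the binding if not, and prints the equivalent gcloud command. The project number, job names, key names and log message are constructed sample values; the `resourceName` field is used as the job identifier, and the policy shape follows `gcloud kms keys get-iam-policy --format=json`.

```python
import copy
import re

# Role and regex taken from the rule text above. Logs Explorer's =~ is an
# unanchored RE2 match, so re.search is the closest local equivalent.
KMS_ROLE = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
CMEK_DENIED_RE = re.compile(
    r"Access Denied: BigQuery BigQuery: Cloud KMS Error: Permission .* "
    r"Please grant Cloud KMS CryptoKey Encrypter/Decrypter role to BigQuery service account.*"
)


def bq_encryption_service_account(project_number):
    """Email of the BigQuery encryption service account for a project number."""
    return f"bq-{project_number}@bigquery-encryption.iam.gserviceaccount.com"


def is_cmek_permission_failure(entry):
    """Apply the rule's Logs Explorer filter to one LogEntry dict."""
    if entry.get("resource", {}).get("type") != "bigquery_resource":
        return False
    if entry.get("severity") != "ERROR":
        return False
    payload = entry.get("protoPayload", {})
    if payload.get("serviceName") != "bigquery.googleapis.com":
        return False
    message = payload.get("status", {}).get("message", "")
    return CMEK_DENIED_RE.search(message) is not None


def failing_operations(entries):
    """resourceName of every entry that matches the filter (job name, by assumption)."""
    return [e["protoPayload"].get("resourceName", "<unknown>")
            for e in entries if is_cmek_permission_failure(e)]


def has_encrypter_decrypter_binding(policy, member):
    """True if the key's IAM policy grants `member` the Encrypter/Decrypter role."""
    return any(b.get("role") == KMS_ROLE and member in b.get("members", [])
               for b in policy.get("bindings", []))


def add_encrypter_decrypter_binding(policy, member):
    """Copy of the key IAM policy with the binding added; a no-op if already present."""
    fixed = copy.deepcopy(policy)
    if has_encrypter_decrypter_binding(fixed, member):
        return fixed
    for binding in fixed.setdefault("bindings", []):
        if binding.get("role") == KMS_ROLE:
            binding.setdefault("members", []).append(member)
            return fixed
    fixed["bindings"].append({"role": KMS_ROLE, "members": [member]})
    return fixed


def remediation_command(key, keyring, location, member):
    """gcloud invocation that adds the binding on the key (project from gcloud config)."""
    return (f"gcloud kms keys add-iam-policy-binding {key} --keyring={keyring} "
            f"--location={location} --member={member} --role={KMS_ROLE}")


# Constructed sample data: not a real project, key, job or log output.
PROJECT_NUMBER = "123456789012"
BQ_SA = bq_encryption_service_account(PROJECT_NUMBER)
BQ_MEMBER = f"serviceAccount:{BQ_SA}"

SAMPLE_ENTRIES = [
    {   # the CMEK permission failure this rule looks for
        "resource": {"type": "bigquery_resource"},
        "severity": "ERROR",
        "protoPayload": {
            "serviceName": "bigquery.googleapis.com",
            "resourceName": "projects/example-project/jobs/job_cmek_load_1",
            "status": {"message": (
                "Access Denied: BigQuery BigQuery: Cloud KMS Error: Permission "
                "'cloudkms.cryptoKeyVersions.useToEncrypt' denied on resource "
                "'projects/example-project/locations/us/keyRings/bq-ring/cryptoKeys/bq-key' "
                "(or it may not exist). Please grant Cloud KMS CryptoKey Encrypter/Decrypter "
                f"role to BigQuery service account {BQ_SA}.")},
        },
    },
    {   # an unrelated BigQuery error at the same severity: must not match
        "resource": {"type": "bigquery_resource"},
        "severity": "ERROR",
        "protoPayload": {
            "serviceName": "bigquery.googleapis.com",
            "resourceName": "projects/example-project/jobs/job_query_2",
            "status": {"message": "Not found: Table example-project:ds.missing_table"},
        },
    },
]

# Constructed key IAM policy: another service account has the role, BigQuery's does not.
SAMPLE_KEY_POLICY = {
    "bindings": [{"role": KMS_ROLE,
                  "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com"]}],
    "etag": "BwXconstructed=",
}

if __name__ == "__main__":
    print("failing CMEK operations:", failing_operations(SAMPLE_ENTRIES))
    if not has_encrypter_decrypter_binding(SAMPLE_KEY_POLICY, BQ_MEMBER):
        print("missing binding; run:", remediation_command("bq-key", "bq-ring", "us", BQ_MEMBER))
```

In a real project the project number comes from `gcloud projects describe PROJECT_ID --format='value(projectNumber)'` and the policy from `gcloud kms keys get-iam-policy`; the binding check is worth running before granting so that the remediation stays idempotent and you can tell a genuine permission gap apart from a propagation delay or a key in a different project.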