KMS for BQ

[arun kumar]

Hi Team,

I was trying to create cmek key for BQ . Unfortunately I'm not able to add the service account as.part of kms key ..Im getting error as  service account  is not accepted as part of Google domain .I have enabled the BQ api. kindly let  me what could be the issue . Currently I'm using trail version .

 bq-PROJECT_NUMBER@bigquery-encryption.iam.gserviceaccount.com

Thanks & Regards

AJ

[Ahmad P - Cloud Platform Support]

Hello Aj,

The question is not very clear to me. It needs more details.

You can follow this document for your question and please check this Frequently asked questions document for permission and service account.

[arun kumar]

Hi Ahmad,

I have an issue with adding the  bq-PROJECT_NUMBER@bigquery-encryption.iam.gserviceaccount.com to kms key. Error denotes that the service account is not part of the google domain .I really appreciate if i get some input on this.

Thanks,

AJ

--
© 2018 Google Inc. 1600 Amphitheatre Parkway, Mountain View, CA 94043
 
Email preferences: You received this email because you signed up for the Google Compute Engine Discussion Google Group (gce-dis...@googlegroups.com) to participate in discussions with other members of the Google Compute Engine community and the Google Compute Engine Team.
---
You received this message because you are subscribed to the Google Groups "gce-discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to gce-discussio...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/gce-discussion/4fbeeba2-7cd1-4fd4-acc5-632d66e46519n%40googlegroups.com.

--

-jca

[Derek Murphy]

It may be of use if you could give us the exact error and/or a screen shot of the error. Please remember to remove anything private (passwords, sensitive account names, credit card numbers, etc.) from any such information.

Hope to hear from you soon.

[arun kumar]

Thanks for the reply!!. Its a common error , please find the error description below

"Email address and domains must be associated with active google Accounts , Google workspace account or Cloud Identity account"

im getting the above error while adding BQ and data flow service accounts 

I have enabled BQ and dataflow api's already

Thanks,

Arun J 

To view this discussion on the web visit https://groups.google.com/d/msgid/gce-discussion/72adfd12-82b7-4c0f-88d5-10f104dcdcd7n%40googlegroups.com.

--

-jca

[arun kumar]

I found the root cause for this issue. A service account is getting enabled only after invoking the service .for example if I enable the GCS API, the respective service accounts not getting enabled, we need to explicitly create a bucket or click the create bucket option to enable the service account. let me know is there any option to enable without invoking the API (not creating or click create option). 

Thanks,

AJ

On Fri, Jul 23, 2021 at 2:09 AM 'Derek Murphy' via gce-discussion <gce-dis...@googlegroups.com> wrote:

To view this discussion on the web visit https://groups.google.com/d/msgid/gce-discussion/72adfd12-82b7-4c0f-88d5-10f104dcdcd7n%40googlegroups.com.

--

-jca

[Anthony Leo]

Hi AJ,

The conditions for the creation of Google-managed service accounts such as bq-PROJE...@bigquery-encryption.iam.gserviceaccount.com or PROJECT_NUM...@developer.gserviceaccount.com are dependent on the service in question and cannot be bypassed. 

That said, the conditions for service account creation are not currently mentioned in the documentation [1] and as such, I have filed a request with the documentation team to explicitly mention these conditions.

[1]:https://cloud.google.com/bigquery/docs/customer-managed-encryption

[arun kumar]

Thanks for the reply and your action . Still, I'm not clear and I need clarification.

Enabled the Managed service API(GCS) 

Added the GCS Service account as part of KMS

Getting below error 

Error denotes that the service account is not part of the google domain.

Thanks,

AJ

To view this discussion on the web visit https://groups.google.com/d/msgid/gce-discussion/962c4d37-b4ea-4ae5-a1e5-4fea682637cen%40googlegroups.com.

--

-jca

[arun kumar]

Hi Team,

Do you have any update on this?

Thanks,

Arun J 

--

-jca