No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Hi all. We are using the GCP KMS secrets provider for pulumi as per <https://www.pulumi.com/docs/intro/concepts/config/#google-cloud-key-management-service-kms>

with a separate GCP KMS key used specifically for pulumi key encryption/decryption.

We have an issue where users with only encrypt access on this pulumi key are NOT able to encrypt secrets using the command `pulumi config set --secret`

They receive the following error:

```error: constructing secrets manager of type "cloud": secrets (code=PermissionDenied): rpc error: code = PermissionDenied desc = Permission 'cloudkms.cryptoKeyVersions.useToDecrypt' denied on resource 'projects/&lt;gcp-creds-project&gt;/locations/global/keyRings/global-keyring/cryptoKeys/pulumi-secret' (or it may not exist).```
With a GCP user or service account which has encrypt + decrypt permissions on the key, this issue is not seen.

Does anyone have ideas about why a DECRYPT key permission would be required to ENCRYPT a secret with pulumi using `gcpkms`? This sounds like a pulumi bug to me, could someone suggest workarounds if possible?