Hi all. We are using the GCP KMS secrets provider for pulumi as per https://www.pulumi.com/docs/intro/concepts/config/#google-cloud-key-management-service-kms with a separate GCP KMS key used specifically for pulumi key encryption/decryption. We have an issue where users with only encrypt access on this pulumi key are NOT able to encrypt secrets using the command

pulumi config set --secret

They receive the following error:

error: constructing secrets manager of type "cloud": secrets (code=PermissionDenied): rpc error: code = PermissionDenied desc = Permission 'cloudkms.cryptoKeyVersions.useToDecrypt' denied on resource 'projects/<gcp-creds-project>/locations/global/keyRings/global-keyring/cryptoKeys/pulumi-secret' (or it may not exist).

With a GCP user or service account which has encrypt + decrypt permissions on the key, this issue is not seen. Does anyone have ideas about why a DECRYPT key permission would be required to ENCRYPT a secret with pulumi using

gcpkms

? This sounds like a pulumi bug to me, could someone suggest workarounds if possible?