(gcloud.kms.encrypt) Failed to read plaintext file


I want to encrypt a key file with the gcloud command line tool.

The command I am running is:

gcloud kms encrypt --project=pname --location=global --keyring=keyring \
--key=key-credential \
--plaintext-file=/Users/macuser/Desktop/test/keys/testkey.json.decrypted \
--ciphertext-file=testkey.json.encrypted

but I keep getting the error

ERROR: (gcloud.kms.encrypt) Failed to read plaintext file 
[/Users/macuser/Desktop/test/keys/testkey.json.decrypted]: 
Unable to read file [/Users/macuser/Desktop/test/keys/testkey.json.decrypted]: 
[Errno 2] No such file or directory: 
'/Users/macuser/Desktop/test/keys/testkey.json.decrypted'

The file

/Users/macuser/Desktop/test/keys/testkey.json.decrypted

exists. I tried it with absolute and relative paths, and with and without quotes, but I keep getting the same error.

Why is gcloud not seeing the file?

There is 1 best solution below

  1. Ensure the user that is calling the encrypt and decrypt methods has the cloudkms.cryptoKeyVersions.useToEncrypt and cloudkms.cryptoKeyVersions.useToDecrypt permissions on the key used to encrypt or decrypt.

One way to permit a user to encrypt or decrypt is to add the user to the roles/cloudkms.cryptoKeyEncrypter, roles/cloudkms.cryptoKeyDecrypter, or roles/cloudkms.cryptoKeyEncrypterDecrypter IAM roles for that key.

  2. To use Cloud KMS on the command line, first install or upgrade to the latest version of Cloud SDK.
gcloud kms encrypt \
    --key key \
    --keyring key-ring \
    --location location  \
    --plaintext-file file-with-data-to-encrypt \
    --ciphertext-file file-to-store-encrypted-data
  • Replace key with the name of the key to use for encryption.
  • Replace key-ring with the name of the key ring where the key is located.
  • Replace location with the Cloud KMS location of the key ring.
  • Replace file-with-data-to-encrypt and file-to-store-encrypted-data with the local file paths for reading the plaintext data and saving the encrypted output.
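
Errno 2 in the error quoted in the question is ENOENT: the operating system could not resolve the path string exactly as it was passed to --plaintext-file. The shell functions below are an added example, not part of the original question or answer; they report which path component fails to resolve and list similarly named entries. The function names are hypothetical, and the mismatches checked (extra whitespace, different letter case, an additional extension) are assumptions, since the page does not establish the cause.

```shell
#!/bin/sh
# Added example: explain why a --plaintext-file path gives ENOENT (Errno 2).

# Print the deepest ancestor of absolute path $1 that resolves.
deepest_existing() {
    p=$1
    while [ ! -e "$p" ] && [ "$p" != "/" ]; do
        p=$(dirname "$p")
    done
    printf '%s\n' "$p"
}

# List entries of directory $1 whose names start with $2 once whitespace
# and letter case are ignored (trailing space, extra extension, wrong case).
near_matches() {
    dir=$1
    want=$(printf '%s' "$2" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')
    for entry in "$dir"/* "$dir"/.[!.]*; do
        # Skip unmatched glob patterns, but keep dangling symlinks.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=${entry##*/}
        norm=$(printf '%s' "$name" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')
        case $norm in
            "$want"*) printf 'candidate: [%s]\n' "$name" ;;
        esac
    done
    return 0
}

# Report on the path exactly as given; return 0 only if it is a readable file.
check_plaintext() {
    path=$1
    case $path in /*) ;; *) path=$PWD/$path ;; esac   # make relative paths absolute
    if [ -f "$path" ] && [ -r "$path" ]; then echo "ok"; return 0; fi
    if [ -d "$path" ]; then echo "is a directory"; return 1; fi
    if [ -e "$path" ]; then echo "exists but is not a readable regular file"; return 1; fi
    if [ -L "$path" ]; then echo "dangling symlink"; return 1; fi
    base=$(deepest_existing "$path")
    rest=${path#"$base"}; rest=${rest#/}
    missing=${rest%%/*}                                # first component that fails
    printf 'missing: [%s] in [%s]\n' "$missing" "$base"
    near_matches "$base" "$missing"
    return 1
}
```

Run check_plaintext with the same string given to --plaintext-file; the brackets around each name make leading or trailing whitespace visible.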