
I have a requirement to ingest logs from a GCS bucket to Google SecOps (Chronicle). I have done role binding and provided the Object Viewer role to the global service account managed by Google. I have added VPC ingress rules to the projects. The bucket is CMEK encrypted. In the feed I am getting an authorization error. How to proceed with the same?

Hi @shivamdev29, full disclosure, I am using a new tool to provide you with this answer. Can you please double check and validate before implementing anything. And if this works, would love to get your feedback. Thank you!


This is a common issue when ingesting data from sources encrypted with Customer-Managed Encryption Keys (CMEK).

I can clarify that for you. The authorization error you're seeing is almost certainly because the Google SecOps service account lacks the necessary permission to use the encryption key that protects your GCS bucket.

The Two-Permission Requirement for CMEK

When a service needs to read data from a CMEK-encrypted resource like a GCS bucket, it must have two separate permissions:

  1. Permission to access the resource itself: This is what the Storage Object Viewer (roles/storage.objectViewer) role provides. You have already done this step correctly.
  2. Permission to use the KMS key for decryption: The Storage Object Viewer role does not include the permission to use a KMS key. This is a separate, critical step required to decrypt and read the bucket's content.

The authorization error occurs because the Google SecOps service account is allowed to see the encrypted objects but is being denied permission to decrypt them.

How to Resolve the Authorization Error

To fix this, you must grant the Google SecOps service account the Cloud KMS CryptoKey Decrypter (roles/cloudkms.cryptoKeyDecrypter) role on the specific key that is encrypting your GCS bucket.

Here is a step-by-step guide to resolve the issue:

1. Identify the Google SecOps Service Account

First, you need the exact identifier for the service account that Google SecOps is using. You can typically find this within the Google SecOps user interface in the feed configuration settings. It will be a Google-managed service account that follows a format similar to:

service-<project_number>@gcp-sa-chronicle.iam.gserviceaccount.com

2. Grant the Decrypter Role to the Service Account

  1. In the Google Cloud Console, navigate to Key Management. You can find this under the Security section.
  2. Select the project that contains the CMEK key you are using for the GCS bucket.
  3. Click on the name of the key ring that holds the key.
  4. In the list of keys, find the specific key that is encrypting your bucket. Click the checkbox next to it.
  5. In the permissions panel on the right, click Add Principal.
  6. In the New principals field, paste the full service account ID you identified in the previous step.
  7. In the Select a role dropdown, search for and select Cloud KMS CryptoKey Decrypter.
  8. Click Save.

3. Validate the Feed

After saving the new IAM policy, it may take a few minutes for the permissions to propagate. Go back to your feed configuration in Google SecOps and test the connection again. The authorization error should now be resolved.

A Note on Your VPC Ingress Rules

While adding VPC ingress rules is a good practice for ensuring network connectivity, the specific "authorization error" you are experiencing points directly to an IAM permission issue rather than a network block. Granting the KMS permission is the key to resolving this problem.


You can check the following sources for additional information:
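The answer above makes two points that are easy to check before touching any IAM policy: the feed's service account needs a read role on the bucket and, separately, a decrypt role on the CMEK key, and a binding that exists only with an IAM condition is not the same as an unconditional grant. The following script is an added example, not part of the thread above and not Google's own tooling. It reads the two IAM policies as JSON (the assumed way to fetch them is `gcloud storage buckets get-iam-policy gs://BUCKET --format=json` and `gcloud kms keys get-iam-policy KEY --keyring RING --location LOC --format=json`), reports which of the two permissions the service account is missing, and prints the `gcloud` binding command that would close the gap. The role tables are my assumption about which predefined roles carry `storage.objects.get` and `cloudkms.cryptoKeyVersions.useToDecrypt`; custom roles and bindings inherited from the project or folder are not expanded, so a "missing" verdict means "not found in the policy you supplied". The sample policies, the project number, the bucket, key ring and key names are all constructed for the demonstration.

```python
"""Diagnose the two-permission requirement for a Google SecOps feed reading a
CMEK-encrypted GCS bucket. Added example; not code from the thread or from Google."""
import json

# Predefined roles whose permission set includes storage.objects.get (assumption:
# custom roles and project/folder-level inheritance are not expanded here).
BUCKET_READ_ROLES = {
    "roles/storage.objectViewer",
    "roles/storage.objectUser",
    "roles/storage.objectAdmin",
    "roles/storage.admin",
    "roles/storage.legacyObjectReader",
    "roles/storage.legacyObjectOwner",
}

# Predefined roles whose permission set includes cloudkms.cryptoKeyVersions.useToDecrypt.
KEY_DECRYPT_ROLES = {
    "roles/cloudkms.cryptoKeyDecrypter",
    "roles/cloudkms.cryptoKeyEncrypterDecrypter",
}


def roles_for_member(policy: dict, member: str) -> tuple[set[str], set[str]]:
    """Return (unconditional roles, condition-gated roles) bound to `member`."""
    unconditional: set[str] = set()
    conditional: set[str] = set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        # A binding carrying an IAM condition only applies when the condition
        # evaluates true, so it is reported separately rather than counted.
        if binding.get("condition"):
            conditional.add(binding["role"])
        else:
            unconditional.add(binding["role"])
    return unconditional, conditional


def check_feed_access(bucket_policy: dict, key_policy: dict, service_account: str) -> dict:
    """Evaluate both halves of the CMEK read requirement for one service account."""
    member = f"serviceAccount:{service_account}"
    bucket_roles, bucket_cond = roles_for_member(bucket_policy, member)
    key_roles, key_cond = roles_for_member(key_policy, member)
    return {
        "can_read_objects": bool(bucket_roles & BUCKET_READ_ROLES),
        "can_decrypt_key": bool(key_roles & KEY_DECRYPT_ROLES),
        # Roles the account holds only behind a condition and not unconditionally.
        "conditional_only": sorted((bucket_cond - bucket_roles) | (key_cond - key_roles)),
    }


def remediation_commands(result: dict, service_account: str, bucket: str,
                         key: str, keyring: str, location: str) -> list[str]:
    """Build the gcloud commands that grant whatever the check found missing."""
    member = f"serviceAccount:{service_account}"
    cmds = []
    if not result["can_read_objects"]:
        cmds.append(f"gcloud storage buckets add-iam-policy-binding gs://{bucket} "
                    f"--member={member} --role=roles/storage.objectViewer")
    if not result["can_decrypt_key"]:
        cmds.append(f"gcloud kms keys add-iam-policy-binding {key} --keyring={keyring} "
                    f"--location={location} --member={member} "
                    f"--role=roles/cloudkms.cryptoKeyDecrypter")
    return cmds


# Constructed sample: the SecOps service agent can read the bucket, but only the
# Cloud Storage service agent holds a role on the key, which is exactly the
# situation that produces the feed's authorization error.
SECOPS_SA = "service-123456789012@gcp-sa-chronicle.iam.gserviceaccount.com"  # constructed

SAMPLE_BUCKET_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:service-123456789012@gcp-sa-chronicle.iam.gserviceaccount.com"]},
    {"role": "roles/storage.admin",
     "members": ["group:storage-admins@example.com"]}
  ],
  "etag": "BwConstructed=", "version": 1
}""")

SAMPLE_KEY_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
     "members": ["serviceAccount:service-123456789012@gs-project-accounts.iam.gserviceaccount.com"]}
  ],
  "etag": "BwConstructed=", "version": 1
}""")


def diagnose_sample() -> tuple[dict, list[str]]:
    """Run the check against the constructed sample and return (result, fix commands)."""
    result = check_feed_access(SAMPLE_BUCKET_POLICY, SAMPLE_KEY_POLICY, SECOPS_SA)
    cmds = remediation_commands(result, SECOPS_SA, bucket="example-secops-logs",
                                key="gcs-cmek", keyring="secops-ring", location="us")
    return result, cmds


if __name__ == "__main__":
    verdict, fixes = diagnose_sample()
    print(json.dumps(verdict, indent=2))
    for cmd in fixes:
        print(cmd)
```

Run it against real policies by replacing the two sample dictionaries with the JSON `gcloud` returns. Granting the decrypt role on the individual key, as the script's command does, keeps the grant scoped to the one key the bucket uses rather than to the whole key ring or project.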