update compute disk documentation (#2801)

Merged PR #2801.
GoogleCloudPlatform · Dec 9, 2019 · f71ae3c · f71ae3c
1 parent aea8804
commit f71ae3c
Show file tree

Hide file tree

Showing 6 changed files with 19 additions and 13 deletions.
diff --git a/build/ansible b/build/ansible
diff --git a/build/inspec b/build/inspec
diff --git a/build/terraform b/build/terraform
diff --git a/build/terraform-beta b/build/terraform-beta
diff --git a/products/compute/api.yaml b/products/compute/api.yaml
@@ -2628,6 +2628,9 @@ objects:
             name: 'kmsKeyName'
             description: |
               The name of the encryption key that is stored in Google Cloud KMS.
+              Your project's Compute Engine System service account
+              (`service-{{PROJECT_NUMBER}}@compute-system.iam.gserviceaccount.com`) must have
+              `roles/cloudkms.cryptoKeyEncrypterDecrypter` to use this feature.
         input: true
       - !ruby/object:Api::Type::ResourceRef
         name: 'sourceSnapshot'

diff --git a/products/compute/terraform.yaml b/products/compute/terraform.yaml
@@ -408,25 +408,28 @@ overrides: !ruby/object:Overrides::ResourceOverrides
         name: "kmsKeySelfLink"
         description: |
           The self link of the encryption key used to encrypt the disk. Also called KmsKeyName
-          in the cloud console. In order to use this additional
-          IAM permissions need to be set on the Compute Engine Service Agent. See
-          https://cloud.google.com/compute/docs/disks/customer-managed-encryption#encrypt_a_new_persistent_disk_with_your_own_keys
+          in the cloud console. Your project's Compute Engine System service account
+          (`service-{{PROJECT_NUMBER}}@compute-system.iam.gserviceaccount.com`) must have
+          `roles/cloudkms.cryptoKeyEncrypterDecrypter` to use this feature.
+          See https://cloud.google.com/compute/docs/disks/customer-managed-encryption#encrypt_a_new_persistent_disk_with_your_own_keys
       sourceSnapshotEncryptionKey.kmsKeyName: !ruby/object:Overrides::Terraform::PropertyOverride
         diff_suppress_func: 'compareSelfLinkRelativePaths'
         name: "kmsKeySelfLink"
         description: |
           The self link of the encryption key used to encrypt the disk. Also called KmsKeyName
-          in the cloud console. In order to use this additional
-          IAM permissions need to be set on the Compute Engine Service Agent. See
-          https://cloud.google.com/compute/docs/disks/customer-managed-encryption#encrypt_a_new_persistent_disk_with_your_own_keys
+          in the cloud console. Your project's Compute Engine System service account
+          (`service-{{PROJECT_NUMBER}}@compute-system.iam.gserviceaccount.com`) must have
+          `roles/cloudkms.cryptoKeyEncrypterDecrypter` to use this feature.
+          See https://cloud.google.com/compute/docs/disks/customer-managed-encryption#encrypt_a_new_persistent_disk_with_your_own_keys
       sourceImageEncryptionKey.kmsKeyName: !ruby/object:Overrides::Terraform::PropertyOverride
         diff_suppress_func: 'compareSelfLinkRelativePaths'
         name: "kmsKeySelfLink"
         description: |
           The self link of the encryption key used to encrypt the disk. Also called KmsKeyName
-          in the cloud console. In order to use this additional
-          IAM permissions need to be set on the Compute Engine Service Agent. See
-          https://cloud.google.com/compute/docs/disks/customer-managed-encryption#encrypt_a_new_persistent_disk_with_your_own_keys
+          in the cloud console. Your project's Compute Engine System service account
+          (`service-{{PROJECT_NUMBER}}@compute-system.iam.gserviceaccount.com`) must have
+          `roles/cloudkms.cryptoKeyEncrypterDecrypter` to use this feature.
+          See https://cloud.google.com/compute/docs/disks/customer-managed-encryption#encrypt_a_new_persistent_disk_with_your_own_keys
       physicalBlockSizeBytes: !ruby/object:Overrides::Terraform::PropertyOverride
         default_from_api: true
       resourcePolicies: !ruby/object:Overrides::Terraform::PropertyOverride