Troubleshoot CMEK error messages

You can use Cloud Key Management Service (Cloud KMS) customer-managed encryption keys (CMEK) to protect Eventarc. The keys are created and managed through Cloud Key Management Service. This page shows you how to resolve issues that you might encounter when using Cloud Key Management Service with Eventarc.

The following table describes different errors and how to resolve them.

Error message Description
Permission 'cloudkms.cryptoKeyVersions.useToEncrypt' denied on resource $KEY (or it may not exist). Either the provided Cloud KMS key does not exist or the permission is not properly configured.


  • Check that the Cloud KMS key exists. For more information, see Verify Cloud KMS usage.
  • Ensure that the Eventarc service agent has been granted the cloudkms.cryptoKeyEncrypterDecrypter role and has been added as a principal to the Cloud KMS key.
$KEY is not enabled, current state is: DISABLED. The provided Cloud KMS key has been disabled.

Solution: Re-enable the Cloud KMS key.

Key region $REGION must match the resource to be protected. The provided KMS key region is different from the region of the channel.

Solution: Use a Cloud KMS key from the same region. Note: For channels in multi-region eu, you should protect it using a Cloud KMS key in multi-region europe. For more information, see Cloud KMS multi-regional and Eventarc multi-regional locations.

Quota exceeded for limit. Too many Cloud KMS requests and your quota limit has been reached.


  • Limit the number of Cloud KMS calls.
  • Increase the quota limit.
  • For information about quotas, including viewing or requesting additional quotas, see Cloud KMS quotas.

To resolve issues that you might encounter when using externally managed keys through Cloud External Key Manager (Cloud EKM), see Cloud EKM error reference.