
Answer-first summary for fast verification
Answer: The CMEK is in a different region than the Cloud Storage bucket.
The most likely cause is that the CMEK is in a different region than the Cloud Storage bucket. According to Google Cloud documentation, for Cloud Storage with CMEK, the Cloud KMS key ring must be in the same location (region) as the bucket. Here, the key is in europe-west3 while the bucket is in europe-west1, violating this requirement. While cross-project access (option C) could be a factor, it is secondary and can be resolved with proper IAM permissions. The region mismatch is the primary blocker, as confirmed by the community consensus (88% selected D) and official documentation links provided in the discussion. Options A and B are incorrect: firewall rules are not mentioned, and Cloud HSM does support Cloud Storage.
Author: LeetQuiz Editorial Team
You are creating a Cloud Storage bucket in project prj-b that is encrypted with a Customer-Managed Encryption Key (CMEK). The key is stored in Cloud KMS in project prj-a, is backed by a Cloud HSM, and is located in the region europe-west3. The storage bucket is being created in the region europe-west1. You are unable to access the key during bucket creation and need to identify the root cause of the access issue.
What is the most likely cause of the problem?
A. A firewall rule prevents the key from being accessible.
B. Cloud HSM does not support Cloud Storage.
C. The CMEK is in a different project than the Cloud Storage bucket.
D. The CMEK is in a different region than the Cloud Storage bucket.