1. Open the GCP Console and navigate to the Key Management Service (KMS) page.
2. Select the key ring that has cross-account access enabled.
3. Click on the key for which cross-account access is enabled.
4. Click on the “Permissions” tab.
5. Click the “Edit” button at the top of the page.
6. Find the member that has cross-account access and click the “X” to remove it.
7. Click “Save” to save the changes.

​

1. First, you need to identify the KMS keyring and cryptokey that has cross-account access. You can use the following command to list all the KMS keyrings in your GCP project:
   Copy

   Ask AI

   gcloud kms keyrings list
   

   Once you have identified the keyring, you can list all the cryptokeys in that keyring using the following command:
   Copy

   Ask AI

   gcloud kms keys list --keyring=<keyring-name>
   

   Identify the cryptokey that has cross-account access.
2. Once you have identified the cryptokey, you can remove the cross-account access by updating the IAM policy for that cryptokey. You can use the following command to remove all the members from the IAM policy for that cryptokey:
   Copy

   Ask AI

   gcloud kms keys set-iam-policy <key-name> /dev/null
   

   This command sets the IAM policy for the cryptokey to an empty policy, which effectively removes all the members from the policy.
3. Finally, you can verify that the cross-account access has been removed by listing the IAM policy for the cryptokey using the following command:
   Copy

   Ask AI

   gcloud kms keys get-iam-policy <key-name>
   

   This command should return an empty policy, indicating that there are no members with access to the cryptokey.

1. First, you need to identify the KMS key that has cross-account access enabled. You can use the following command to list all the KMS keys in your project:

from google.cloud import kms_v1

client = kms_v1.KeyManagementServiceClient()
parent = client.key_ring_path(project_id, location_id, key_ring_id)

response = client.list_crypto_keys(parent)

for crypto_key in response:
    print(crypto_key.name)

2. Once you have identified the KMS key, you can disable cross-account access by updating the IAM policy of the KMS key. You can use the following code to update the IAM policy:

from google.cloud import kms_v1

client = kms_v1.KeyManagementServiceClient()
resource = client.crypto_key_path(project_id, location_id, key_ring_id, crypto_key_id)

policy = client.get_iam_policy(resource)

for binding in policy.bindings:
    if binding.role == 'roles/cloudkms.cryptoKeyEncrypterDecrypter':
        binding.condition = None
        binding.members = [f'serviceAccount:{project_number}[email protected]']

updated_policy = client.set_iam_policy(resource, policy)

3. Finally, you can verify that cross-account access has been disabled for the KMS key by running the following command:

from google.cloud import kms_v1

client = kms_v1.KeyManagementServiceClient()
resource = client.crypto_key_path(project_id, location_id, key_ring_id, crypto_key_id)

policy = client.get_iam_policy(resource)

for binding in policy.bindings:
    if binding.role == 'roles/cloudkms.cryptoKeyEncrypterDecrypter' and binding.condition:
        print('Cross-account access is still enabled')
    else:
        print('Cross-account access has been disabled')