Encryption key requirements
If planning to use encryption, ensure that your Google Cloud configuration meets the following requirements.
When fulfilling Google Cloud’s prerequisites (as described in Protecting resources with cloud KMS keys) and creating encryption keys (as described in Creating key rings and keys) on Google Cloud, ensure that you do the following:
Compute Engine and Cloud KMS must be in the same Google Cloud Platform project (not in two different projects). Furthermore, this must be the same project where you are planning to launch clusters.
Set up API access for Compute Engine.
Enable the Cloud KMS API.
Create the key rings and keys as described in Creating key rings and keys in Google Cloud documentation. Note that your encryption keys must be in the same location (or “region”) where you are planning to launch clusters.
Assign the Cloud KMS CryptoKey Encrypter/Decrypter role to the Compute Engine system service account (