{"id":"cmek-service-agent-encrypts-not-end-user","text":"Each project's service agent performs CMEK encrypt/decrypt operations; end users do not need the CryptoKey Encrypter/Decrypter role to access CMEK-protected resources.","truth_value":"IN","source":"entries/2026/03/11/kms-cmek.md","source_url":"","source_hash":"a934d829cc4a501b","justifications":[],"dependents":[],"metadata":{},"explanation":{"steps":[{"node":"cmek-service-agent-encrypts-not-end-user","truth_value":"IN","reason":"premise"}]}}