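{"id":"kms-admin-role-no-encrypt-decrypt","text":"The `roles/cloudkms.admin` role manages Cloud KMS resources but does NOT grant permission to encrypt or decrypt data with keys. Cryptographic use requires a separate granular role: encrypt-only (`roles/cloudkms.cryptoKeyEncrypter`), decrypt-only (`roles/cloudkms.cryptoKeyDecrypter`), or combined (`roles/cloudkms.cryptoKeyEncrypterDecrypter`). Note that the admin role can still set IAM policy on keys and so can grant these roles; separation of duties therefore also depends on reviewing and alerting on key IAM policy changes.","truth_value":"IN","source":"entries/2026/03/11/kms-encryption.md","source_url":"","source_hash":"86869bc11edc7284","justifications":[],"dependents":[],"metadata":{},"explanation":{"steps":[{"node":"kms-admin-role-no-encrypt-decrypt","truth_value":"IN","reason":"premise"}]}}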