From a550768f0443b81f925c3698e7429330dd709733 Mon Sep 17 00:00:00 2001
From: Megan Bang <mbang@hashicorp.com>
Date: Mon, 9 Dec 2019 11:37:06 -0600
Subject: [PATCH] update compute disk documentation to show required
 permissions to use kms_key_name

---
 products/compute/api.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/products/compute/api.yaml b/products/compute/api.yaml
index 0884d2c2976e..2d5357c271a9 100644
--- a/products/compute/api.yaml
+++ b/products/compute/api.yaml
@@ -2628,6 +2628,9 @@ objects:
             name: 'kmsKeyName'
             description: |
               The name of the encryption key that is stored in Google Cloud KMS.
+              Your project's Compute Engine System service account
+              (`service-{{PROJECT_NUMBER}}@compute-system.iam.gserviceaccount.com`) must have
+              `roles/cloudkms.cryptoKeyEncrypterDecrypter` to use this feature.
         input: true
       - !ruby/object:Api::Type::ResourceRef
         name: 'sourceSnapshot'