I have set my GCP service account keys as instructed in this tutorial:
pulumi --config-file stacks/Pulumi.dev-core.yaml \
  -s dev-core config \
  set gcp:credentials ./stacks/dec.sa-pulumi-dev-keys.json
This maps to a service account with the GCP role Cloud KMS CryptoKey Encrypter/Decrypter, which should allow me to set secrets using KMS, for example:
pulumi config set --path stack:data.test-foo-bar --secret "testvalue" --config-file stacks/Pulumi.dev-core.yaml
but I get this error:
error: secrets (code=PermissionDenied): rpc error: code = PermissionDenied desc = Permission 'cloudkms.cryptoKeyVersions.useToDecrypt' denied on resource 'projects/example/locations/global/keyRings/example/cryptoKeys/my-key' (or it may not exist).
I have double checked the resource path and it does exist in GCP.
Also, this is how my config file looks:
config:
  gcp:credentials: ./stacks/dec.sa-dev-pulumi-keys.json # file is gitignored, must be downloaded from lastpass
  gcp:impersonateServiceAccount: my-sa@example.iam.gserviceaccount.com
If I set the service account keys via the following command:
export GOOGLE_CREDENTIALS=$(cat stacks/dec.sa-dev-pulumi-keys.json)
then I can run the set-secret command without issues:
# now it works
pulumi config set --path stack:data.test-foo-bar --secret "testvalue" --config-file stacks/Pulumi.dev-core.yaml
But doing this is not scalable for multiple stacks and environments. Why doesn't the initial command work?
pulumi --config-file stacks/Pulumi.dev-core.yaml \
  -s dev-core config \
  set gcp:credentials ./stacks/dec.sa-pulumi-dev-keys.json
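One way to make the environment-variable approach that works above usable per stack, as an added shell example that is not part of the original post or of Pulumi itself: it reads the `gcp:credentials` path out of the stack's config file, checks the key file's permissions, and exports `GOOGLE_CREDENTIALS` only for the single `pulumi` process. It assumes a one-key-per-line stack config file and that the path is relative to the current working directory; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): run pulumi for one stack with
# GOOGLE_CREDENTIALS taken from the key file that stack's config names.
# Assumptions: the stack config is simple one-key-per-line YAML, and the path
# under gcp:credentials is relative to the current working directory.
set -eu

# Print the gcp:credentials value from a stack config file, stripping any
# trailing "# comment" and surrounding whitespace.
credentials_path_from_config() {
  config_file="$1"
  sed -n 's/^[[:space:]]*gcp:credentials:[[:space:]]*\([^#]*\).*$/\1/p' "$config_file" \
    | sed 's/[[:space:]]*$//' | head -n 1
}

# Print the key file contents after basic hygiene checks: the path must be set,
# must be a regular file, and must not be readable by group or others
# (a service-account key is a long-lived credential).
load_stack_key() {
  config_file="$1"
  key_path="$(credentials_path_from_config "$config_file")"
  [ -n "$key_path" ] || { echo "no gcp:credentials in $config_file" >&2; return 1; }
  [ -f "$key_path" ] || { echo "key file not found: $key_path" >&2; return 1; }
  if [ -n "$(find "$key_path" \( -perm -g+r -o -perm -o+r \))" ]; then
    echo "refusing to use $key_path: readable by group/others (chmod 600 it)" >&2
    return 1
  fi
  cat "$key_path"
}

# Run pulumi against the stack described by the config file, with
# GOOGLE_CREDENTIALS exported only for that one process (nothing leaks into
# the parent shell). Usage:
#   pulumi_for_stack stacks/Pulumi.dev-core.yaml config set --path stack:data.foo --secret bar
pulumi_for_stack() {
  config_file="$1"; shift
  key_json="$(load_stack_key "$config_file")"
  GOOGLE_CREDENTIALS="$key_json" pulumi --config-file "$config_file" "$@"
}
```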