Hi, I am using the Terraform resources below to create a Google Compute instance with customer-managed encryption keys using Google KMS, and I am getting a permission denied error:
Error: Error creating instance: googleapi: Error 400: Cloud KMS error when using key projects/formal-wonder-394711/locations/europe-west2/keyRings/my-key-ridha/cryptoKeys/my-crypto-key: Permission 'cloudkms.cryptoKeyVersions.useToEncrypt' denied on resource 'projects/formal-wonder-394711/locations/europe-west2/keyRings/my-key-ridha/cryptoKeys/my-crypto-key' (or it may not exist)., kmsPermissionDenied
Enabling the Google Cloud KMS API:
resource "google_project_service" "my-project-test" {
  project                    = "formal-wonder-394711"
  service                    = "cloudkms.googleapis.com"
  # Keep the API enabled if this resource is ever destroyed
  disable_on_destroy         = false
  disable_dependent_services = false
}
Creating a VPC:
resource "google_compute_network" "vpc2" {
  name                    = "my-vpc2"
  # Custom-mode VPC: subnets are created explicitly below (boolean, not the string "false")
  auto_create_subnetworks = false
}
Creating a subnet:
resource "google_compute_subnetwork" "network-subnet2" {
  name          = "network-subnet2"
  ip_cidr_range = "10.255.196.0/24"
  region        = "europe-west2"
  network       = google_compute_network.vpc2.id
}
Creating a VM:
resource "google_compute_instance" "myvm" {
  name         = "my-test-vm"
  machine_type = "e2-small"
  zone         = "europe-west2-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-11"
    }
    # Encrypt the boot disk with the customer-managed key defined below
    kms_key_self_link = google_kms_crypto_key.my-crypto-key.id
  }

  network_interface {
    network    = google_compute_network.vpc2.id
    subnetwork = google_compute_subnetwork.network-subnet2.id
  }

  depends_on = [
    google_compute_network.vpc2,
    google_compute_subnetwork.network-subnet2
  ]
}
Creating a KMS key ring:
resource "google_kms_key_ring" "my-key-ring" {
  name     = "my-key-ridha"
  # Key ring location must match the region of the disks it will encrypt
  location = "europe-west2"
}
Creating a crypto key:
resource "google_kms_crypto_key" "my-crypto-key" {
  name                       = "my-crypto-key"
  key_ring                   = google_kms_key_ring.my-key-ring.id
  rotation_period            = "7776000s" # 90 days
  destroy_scheduled_duration = "2592000s" # 30 days before a destroyed version is purged
  purpose                    = "ENCRYPT_DECRYPT"

  lifecycle {
    prevent_destroy = false
  }

  version_template {
    algorithm        = "GOOGLE_SYMMETRIC_ENCRYPTION"
    protection_level = "HSM"
  }

  depends_on = [google_kms_key_ring.my-key-ring]
}
Creating a resource to bind a role to the SA:
resource "google_kms_crypto_key_iam_binding" "my-key-binding" {
  provider      = google-beta
  crypto_key_id = google_kms_crypto_key.my-crypto-key.id
  role          = "roles/cloudkms.admin"
  members = [
    "serviceAccount:terraform-service@formal-wonder-394711.iam.gserviceaccount.com"
  ]
  depends_on = [google_kms_crypto_key.my-crypto-key]
}