This GCP article suggests using two separate projects: one for key management, another for encryption/decryption.
This seems like a setup that works with User roles, but not with Service roles as a Service role is bound to the project it belongs to. Am I missing something?
Is there actually a way to have one role (in, let's say, Project 1), that creates KMS keys, and then have a service role (in, let's say, Project 2) that can access said keys at runtime for decryption?
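Added example (not part of the question above, and not from the linked GCP article): in Cloud KMS the IAM policy is attached to the key or key ring itself, and its member list accepts principals from any project, so a service account living in Project 2 can be granted `roles/cloudkms.cryptoKeyDecrypter` on a key that lives in Project 1 while only administrators in Project 1 hold `roles/cloudkms.admin`. The script below builds that key-level policy, emits the equivalent `gcloud kms keys add-iam-policy-binding` invocation, and audits an existing policy for the two mistakes that undo the separation (public principals, and cross-project service accounts holding more than decrypt). All project, key ring, key and service-account names are hypothetical placeholders; the roles and gcloud flags are real.

```python
"""Cross-project Cloud KMS access: build and audit a key-level IAM policy.

Constructed example. Models the split the question describes: keys live in a
key-management project ("Project 1"), a service account from a separate workload
project ("Project 2") needs decrypt access at runtime.
"""
from __future__ import annotations

import re

# Real predefined Cloud KMS roles.
ROLE_ADMIN = "roles/cloudkms.admin"                           # granted on Project 1, not on the key
ROLE_DECRYPTER = "roles/cloudkms.cryptoKeyDecrypter"          # the only role Project 2 needs at runtime
ROLE_ENCRYPTER_DECRYPTER = "roles/cloudkms.cryptoKeyEncrypterDecrypter"

# Public principals that must never appear on a key policy.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# User-managed service accounts are <name>@<project-id>.iam.gserviceaccount.com;
# group(1) is the owning project ID (6-30 chars, lowercase, starts with a letter).
SA_MEMBER_RE = re.compile(
    r"^serviceAccount:[^@]+@([a-z][a-z0-9-]{4,28}[a-z0-9])\.iam\.gserviceaccount\.com$"
)


def service_account_member(sa_email: str) -> str:
    """Format a service-account email as an IAM member string."""
    return f"serviceAccount:{sa_email}"


def build_key_policy(decrypter_member: str) -> dict:
    """Key-level policy in the shape `gcloud kms keys get-iam-policy --format=json` returns.

    Only the decrypt grant lives on the key; key administration is granted to
    Project 1 principals at project level and is deliberately absent here.
    """
    return {"bindings": [{"role": ROLE_DECRYPTER, "members": [decrypter_member]}]}


def add_binding_command(key: str, keyring: str, location: str, key_project: str,
                        member: str, role: str = ROLE_DECRYPTER) -> list[str]:
    """argv for the gcloud command that applies the grant (real flags, placeholder names)."""
    return [
        "gcloud", "kms", "keys", "add-iam-policy-binding", key,
        "--keyring", keyring, "--location", location, "--project", key_project,
        "--member", member, "--role", role,
    ]


def audit_key_policy(policy: dict, expected_decrypter: str, key_project: str) -> list[str]:
    """Return findings for a key policy; an empty list means the policy is as intended."""
    findings: list[str] = []
    decrypter_present = False
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(f"public principal {member} holds {role}")
            if role == ROLE_DECRYPTER and member == expected_decrypter:
                decrypter_present = True
            m = SA_MEMBER_RE.match(member)
            # Service accounts from other projects should hold decrypt only.
            if m and m.group(1) != key_project and role != ROLE_DECRYPTER:
                findings.append(
                    f"{member} (project {m.group(1)}) holds {role}; "
                    f"cross-project service accounts should hold only {ROLE_DECRYPTER}"
                )
    if not decrypter_present:
        findings.append(f"{expected_decrypter} lacks {ROLE_DECRYPTER}")
    return findings


if __name__ == "__main__":
    # Hypothetical names for the two projects in the question.
    runtime_sa = service_account_member("app-runtime@workload-project.iam.gserviceaccount.com")
    print(" ".join(add_binding_command("app-key", "app-ring", "us", "key-mgmt-project", runtime_sa)))
    print(audit_key_policy(build_key_policy(runtime_sa), runtime_sa, "key-mgmt-project"))
```

The audit only recognises the owning project of user-managed service accounts; Google-managed accounts such as the default Compute Engine account use a different domain and are skipped by the cross-project check, so review those by hand.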