
Key Management Service:FAQ about application access

Last Updated:Feb 23, 2024

This topic provides answers to some frequently asked questions about application access to a Key Management Service (KMS) instance by using an SDK.

Questions

What do I do if the "no such host" or "not known" error is reported when I access a KMS instance?

Problem description

  • The kst-xxx.cryptoservice.kms.aliyuncs.com: no such host error is reported when an application accesses a KMS instance by using KMS Instance SDK for Go.

  • The kst-xxx.cryptoservice.kms.aliyuncs.com: nodename nor servname provided, or not known error is reported when an application accesses a KMS instance by using KMS Instance SDK for Java.

Cause

After you purchase a KMS instance, the key management and secret management features that it provides are dedicated to you. The instance can be accessed only from a virtual private cloud (VPC) that is associated with it. From anywhere else, the instance endpoint does not resolve, which is what the "no such host" and "not known" errors report.

Solution

  • If the VPC in which the application resides and the KMS instance are in the same region, associate the VPC with the KMS instance. For more information, see Access a KMS instance from multiple VPCs in the same region.

    For more information about the VPCs that are associated with a KMS instance, see Manage KMS instances.

  • If the VPC in which the application resides and the KMS instance are in different regions, establish a connection between the VPC in which the application resides and the VPC in which the KMS instance resides.

What do I do if the "Forbidden.NoPermission" error is reported when I use an AAP to access a KMS instance?

Problem description

The error Forbidden.NoPermission: This operation is forbidden by permission system. is reported, or is included in the SDK error information, when an application accesses a KMS instance by using an application access point (AAP).

Solution

The AAP does not have the permissions to use the keys or secrets that the application requests. To grant the permissions, specify valid values for the RBAC Permissions and Accessible Resources parameters when you create the permission policy of the AAP. For more information, see Create an AAP.

What do I do if the "This operation for key-xxxxxx is forbidden by permission system" error is reported when I retrieve a secret?

Problem description

The error This operation for key-xxxxxx is forbidden by permission system is reported, or is included in the SDK error information, when an application retrieves a secret.

[Figure: Error reported when the secret value is retrieved (example error information from KMS Instance SDK for Java)]

Cause

The application does not have the permissions to use the key to decrypt the secret value.

When you create a secret, you select a key that encrypts the secret value. The secret and the key must belong to the same KMS instance. When an application retrieves the secret from KMS, the secret value is decrypted by using that key. Therefore, the application needs permissions on both the secret and the key, and a policy that grants access to the secret alone is not sufficient.

Solution

  • Scenario 1: Access KMS by using a client key of an AAP

    Modify the permission policy of the application access point (AAP) to grant the required permissions to the application.

    1. Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Applications.

    2. Click the name of the AAP to go to the Details page of the AAP.

    3. Find the permission policy and click Edit in the Actions column. In the Modify Permission Policy panel, configure the parameters based on the following descriptions and click Update.

      • RBAC Permissions: Select CryptoServiceKeyUser.

  • Accessible Resources: In the Available Resources section, select the required keys and click the icon to move them to the Selected Resources section. You can also click the plus icon next to Selected Resources and add a key resource in the key/Key ID format. Example: key/key-hzz6xxxxxx.

  • Scenario 2: Access KMS by using the AccessKey pair of a RAM user or a RAM role

    Configure a Resource Access Management (RAM) policy to grant the application the permissions to decrypt data by using the required key.

    1. Log on to the RAM console.

    2. In the left-side navigation pane, choose Permissions > Policies.

    3. Find the policy that is attached to your RAM user or RAM role and click the policy name.

    4. On the Policy Document tab, click Modify Policy Document. Add the following statement to the Statement field, click Next to edit the basic information, and then click OK. Replace keyId-example with the ID of the key that encrypts the secret.

              {
                  "Effect": "Allow",
                  "Action": "kms:Decrypt",
                  "Resource": "acs:kms:${region}:${account}:key/keyId-example"
              }

      For more information about policies, see Use RAM to manage access to KMS resources.

What do I do if the "Forbidden.KeyNotFound" error is reported when I access or use a key?

The error is reported because the region, key ID, or key alias that you specify is invalid, so KMS cannot find the key in the region that the request is sent to.

Make sure that the region and the key ID or key alias that are specified for decryption are the same as those specified for encryption. A key is bound to one region, so a request for a key ID that is sent to a different region fails with this error.

What do I do if the "UnsupportedOperation" error is reported when I call an API operation of KMS?

The error indicates that the API operation is not supported for the SDK or the key that the application uses. Check the following causes and apply the matching solution.

  • Cause: The application uses Alibaba Cloud SDK to perform cryptographic operations, and the keys used in the operations belong to a KMS instance.

    Solution: Use KMS Instance SDK. For more information, see KMS Instance SDK.

  • Cause: The application calls a cryptographic operation such as Encrypt, Decrypt, or GenerateDataKey with a service key. Service keys are created and managed by cloud services.

    Solution: Use a default key of the customer master key (CMK) type, a software-protected key, or a hardware-protected key.

  • Cause: The application calls the GenerateDataKey operation with an asymmetric key that uses the Rivest-Shamir-Adleman (RSA) or elliptic-curve cryptography (ECC) algorithm.

    Solution: Use a key that uses the Advanced Encryption Standard (AES) symmetric algorithm and whose key usage is ENCRYPT/DECRYPT.

  • Cause: The application calls the Sign or Verify operation with a key that uses the AES symmetric algorithm.

    Solution: Use a key that uses the RSA or ECC asymmetric algorithm and whose key usage is SIGN/VERIFY.

What do I do if the "unable to find valid certification path to requested target" error is reported when I access a KMS instance?

Possible cause 1: An invalid KMS instance is selected when you download the certificate authority (CA) certificate

  1. Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Instances.

  2. On the Instances page, click Download below Instance CA Certificate.

  3. In the Instance CA Certificate dialog box, select the ID of the required KMS instance and click Download.

    By default, the name of the downloaded CA certificate is in the PrivateKmsCA_kst-******.pem format. The SDK uses this CA certificate to verify the TLS certificate that the KMS instance presents. If the certificate was downloaded for a different instance, the chain does not verify and the "unable to find valid certification path to requested target" error is reported.
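The following Go program is an added example, not code from KMS Instance SDK, of how the downloaded CA certificate is meant to be used: it loads the PEM file into a root pool that contains only that CA and pins the TLS server name to the instance endpoint, so a certificate that belongs to a different instance makes the handshake fail instead of being trusted by accident. The CA in the program is a self-signed certificate generated in place as a stand-in for the PrivateKmsCA_kst-******.pem file, the endpoint kst-xxx.cryptoservice.kms.aliyuncs.com is the placeholder used in this FAQ, and the function names are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// LoadInstanceCA parses the PEM file downloaded from the console and returns a
// root pool that contains only that CA, plus its subject for logging. Anything
// that is not a CA certificate (a server certificate, an HTML error page saved
// as .pem, a truncated download) is rejected before the first handshake.
func LoadInstanceCA(pemData []byte) (*x509.CertPool, string, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, "", errors.New("file does not contain a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, "", fmt.Errorf("parse CA certificate: %w", err)
	}
	if !cert.IsCA {
		return nil, "", fmt.Errorf("%q is not a CA certificate", cert.Subject.CommonName)
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return pool, cert.Subject.String(), nil
}

// TLSConfigFor builds the client TLS config for one KMS instance: chain
// verification is rooted in the instance CA only, not the system store, and
// ServerName pins the expected endpoint so the certificate presented must match it.
func TLSConfigFor(pool *x509.CertPool, instanceEndpoint string) *tls.Config {
	return &tls.Config{
		RootCAs:    pool,
		ServerName: instanceEndpoint,
		MinVersion: tls.VersionTLS12,
	}
}

// sampleCAPEM is a constructed self-signed CA standing in for the downloaded
// PrivateKmsCA_kst-******.pem file; it exists only so the example runs offline.
func sampleCAPEM() []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed KMS instance CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	pool, subject, err := LoadInstanceCA(sampleCAPEM())
	if err != nil {
		panic(err)
	}
	// Placeholder endpoint from this FAQ; use the endpoint of the instance the CA was downloaded for.
	cfg := TLSConfigFor(pool, "kst-xxx.cryptoservice.kms.aliyuncs.com")
	fmt.Printf("root of trust: %s, server name: %s\n", subject, cfg.ServerName)
}
```

With the real SDK you pass the downloaded file to the client configuration rather than building a tls.Config yourself; the point of the example is the two properties that configuration must end up with: a root pool that holds the instance CA and a server name that matches the instance endpoint.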

Possible cause 2: The version of the SDK installation package is invalid

We recommend that you install the latest version of KMS Instance SDK for your programming language from its open source code repository. Older versions may not carry the CA handling that the current KMS instances require.

What do I do if the endpoint of a KMS instance cannot be resolved?

Problem description

Applications cannot access the endpoint of a KMS instance from the VPC in which the KMS instance resides or from a VPC that is associated with the KMS instance. For example, when you run the ping kst-hzz62****.cryptoservice.kms.aliyuncs.com command, the endpoint cannot be resolved, and the "cannot resolve" error is reported.

Solution

Check whether the default DNS servers of Alibaba Cloud, 100.100.2.136 and 100.100.2.138, are specified in the DNS settings of the server on which the applications are deployed. The endpoint of a KMS instance is a private domain name that is resolved through these servers; a server that points only at public resolvers cannot resolve it. For more information, see Do I need to modify the DNS settings of the server when I use PrivateZone?.

When an application accesses a KMS instance, the system prompts that the password for the specified client key is invalid. What do I do?

Problem description

  • When an application accesses a KMS instance by using KMS Instance SDK for Java, the java.io.IOException: keystore password was incorrect error is reported.

  • If you access a KMS instance by using KMS Instance SDK for PHP, the Could not decrypt the privateKey of clientKey, the password is incorrect,or it is not a valid pkcs12 error message is reported.

  • If you access a KMS instance by using KMS Instance SDK for Go, the panic: pkcs12: decryption password incorrect error message is reported.

  • If you access a KMS instance by using KMS Instance SDK for Python, the OpenSSL.crypto.Error: [('PKCS12 routines', '', 'mac verify failure')] error message is reported.

Cause

The password that the application supplies does not match the password that protects the client key. As the error messages show, the client key is stored as a PKCS#12 keystore, so a wrong password fails the keystore integrity (MAC) check before any request reaches KMS.

Solution

  • Check whether the password for the client key meets the format requirements. If the password does not meet the requirements, create a different client key. For more information, see Create a client key.

    The password must be 8 to 64 characters in length and contain at least two of the following types of characters: digits, letters, and special characters. The following special characters are supported: ~ ! @ # $ % ^ & * ? _ -.

  • If you read the password from a file, make sure that the password file is a plain text file that contains only the password on a single line. A trailing line feed, carriage return, or tab character is read as part of the password, so the password no longer matches the client key and the errors above are reported.
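The following Go program is an added example, not part of KMS Instance SDK, that applies both checks before the client key is opened: it validates a password against the format above and parses a password file without silently trimming it, so a trailing line feed or tab is reported as such instead of being passed into the PKCS#12 decryption and surfacing as one of the errors listed above. The check for a UTF-8 byte order mark goes slightly beyond the FAQ; the sample file contents are constructed, and the function names are the example's own.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"strings"
)

// allowedSpecial is the special-character set the FAQ lists for client key passwords.
const allowedSpecial = "~!@#$%^&*?_-"

// ValidateClientKeyPassword checks a client key password against the documented
// format: 8 to 64 characters, at least two of the three classes (digits, letters,
// special characters), and no character outside those classes.
func ValidateClientKeyPassword(pw string) error {
	if len(pw) < 8 || len(pw) > 64 {
		return fmt.Errorf("password length %d is outside 8..64", len(pw))
	}
	var hasDigit, hasLetter, hasSpecial bool
	for _, r := range pw {
		switch {
		case r >= '0' && r <= '9':
			hasDigit = true
		case (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z'):
			hasLetter = true
		case strings.ContainsRune(allowedSpecial, r):
			hasSpecial = true
		default:
			return fmt.Errorf("character %q is not allowed (digits, letters or %s only)", r, allowedSpecial)
		}
	}
	classes := 0
	for _, present := range []bool{hasDigit, hasLetter, hasSpecial} {
		if present {
			classes++
		}
	}
	if classes < 2 {
		return errors.New("password must mix at least two of: digits, letters, special characters")
	}
	return nil
}

// ParsePasswordFile extracts the password from the raw bytes of a password file.
// It rejects rather than trims: a trailing line feed, a tab or a UTF-8 BOM would
// otherwise become part of the password, and the PKCS#12 integrity check would
// then fail with the "password was incorrect" family of errors shown above.
func ParsePasswordFile(data []byte) (string, error) {
	if bytes.HasPrefix(data, []byte{0xEF, 0xBB, 0xBF}) {
		return "", errors.New("password file starts with a UTF-8 byte order mark")
	}
	if i := bytes.IndexAny(data, "\r\n\t"); i >= 0 {
		return "", fmt.Errorf("password file has a line feed or tab at byte %d; it must hold only the password on one line", i)
	}
	pw := string(data)
	if err := ValidateClientKeyPassword(pw); err != nil {
		return "", err
	}
	return pw, nil
}

func main() {
	// Constructed sample files: one saved by an editor that appended a newline, one clean.
	for _, sample := range [][]byte{[]byte("Kms-Dem0-Pass\n"), []byte("Kms-Dem0-Pass")} {
		if pw, err := ParsePasswordFile(sample); err != nil {
			fmt.Println("reject:", err)
		} else {
			fmt.Println("accept:", pw)
		}
	}
}
```

Rejecting instead of trimming is deliberate: a file that has grown a newline was edited by something, and the operator should see that rather than have the tool guess which bytes belong to the password.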

When an application accesses a KMS instance, an HTTP 413 status code is reported. What do I do?

Make sure that the body of a request does not exceed 3 MB in size after all parameters of the request are encoded by using Protocol Buffers. If the request body exceeds the limit, the server rejects the request and returns an HTTP 413 status code.

  • Encryption and decryption: We recommend that you limit the data size to 6 KB for encryption and decryption by using symmetric keys and 1 KB for encryption and decryption by using asymmetric keys in a single operation. If the limits are exceeded, we recommend that you use envelope encryption.

  • Signing and verification: If the size of a message to sign is large, we recommend that you locally generate a digest of the message and then call the Sign or Verify operation for signing or verification.
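The following Go program is an added example, not the envelope encryption of KMS Instance SDK, that shows why envelope encryption sidesteps the request limit: only a 32-byte data key goes to KMS (GenerateDataKey on the way in, Decrypt on the way out), and the bulk data is encrypted locally with AES-256-GCM under that key. The KMS side is simulated with a locally held key so that the program runs offline; with the real SDK those two calls are remote and the KMS key never leaves the instance. NeedsEnvelope applies the 6 KB and 1 KB per-call limits from the first item above. The names, the simulated KMS, and the 4 MB sample payload are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// NeedsEnvelope applies the FAQ's per-call limits (6 KB for symmetric keys,
// 1 KB for asymmetric keys): anything larger should be envelope-encrypted.
func NeedsEnvelope(n int, asymmetricKey bool) bool {
	limit := 6 * 1024
	if asymmetricKey {
		limit = 1024
	}
	return n > limit
}

// Envelope: the KMS-wrapped data key plus the local AES-GCM blob (nonce||ciphertext).
type Envelope struct{ WrappedDEK, Ciphertext []byte }

// simulatedKMS stands in for the KMS instance so the example runs offline; it holds the
// KMS key locally, whereas the real GenerateDataKey and Decrypt are remote calls.
type simulatedKMS struct{ kmsKey []byte }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM under key and returns nonce||ciphertext.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; the GCM tag check turns any tampering into an error.
func open(key, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if ns := aead.NonceSize(); len(sealed) >= ns {
		return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
	}
	return nil, fmt.Errorf("sealed blob too short: %d bytes", len(sealed))
}

// EnvelopeEncrypt does the GenerateDataKey step (simulated: a fresh 256-bit DEK plus
// the same DEK wrapped under the KMS key), encrypts the bulk data locally under the
// DEK and wipes the plaintext DEK. The KMS request carries no payload, so it stays
// far below the 3 MB request limit however large the data is.
func EnvelopeEncrypt(k *simulatedKMS, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	wrapped, err := seal(k.kmsKey, dek) // what KMS returns as the wrapped data key
	if err != nil {
		return nil, err
	}
	sealed, err := seal(dek, plaintext) // local AES-GCM over the bulk data
	for i := range dek {
		dek[i] = 0 // best-effort wipe of the plaintext DEK
	}
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Ciphertext: sealed}, nil
}

// EnvelopeDecrypt sends only the 60-byte wrapped DEK to KMS Decrypt (simulated here
// with the local KMS key), then opens the bulk data locally.
func EnvelopeDecrypt(k *simulatedKMS, e *Envelope) ([]byte, error) {
	dek, err := open(k.kmsKey, e.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, e.Ciphertext)
}

func main() {
	kms := &simulatedKMS{kmsKey: []byte("constructed-32-byte-kms-key-0001")} // stand-in KMS key
	env, err := EnvelopeEncrypt(kms, make([]byte, 4<<20)) // constructed 4 MB payload
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped DEK %d B, ciphertext %d B\n", len(env.WrappedDEK), len(env.Ciphertext))
}
```

The signing case needs no envelope: hash the message locally and pass the fixed-size digest to Sign or Verify, exactly as the second item above recommends.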

Can I use the secret management feature of KMS in an Android system?

No, you cannot use the secret management feature in an Android system.

What do I do if the endpoint of KMS cannot be accessed?

This error is reported when the SDK is configured to access KMS over HTTP instead of HTTPS.

To protect requests and key material in transit, KMS endpoints accept only HTTPS. Configure the SDK to use HTTPS. For example, the following Java call sets the protocol on a request object:

req.setProtocol(ProtocolType.HTTPS);