This topic provides answers to some frequently asked questions when an application accesses Key Management Service (KMS) by using an SDK.
Questions
- Why does the "Forbidden.KeyNotFound" error message appear when a key is accessed?
- Why does the "no such host" or "not known" error message appear when a KMS instance is accessed?
- Why does the "This operation for key-xxxxxx is forbidden by permission system" error message appear when a secret value is retrieved?
- Why does the "UnsupportedOperation" error message appear when an operation is called?
- Can I use the secrets management feature of KMS in an Android system?
- Why am I unable to access the endpoint of my KMS instance?
Why does the "Forbidden.KeyNotFound" error message appear when a key is accessed?
The error message appears because the region, key ID, or key alias that you specify is invalid, or does not match the key that was used for encryption. A key exists only in the region in which it was created, so a decryption request that is sent to a different region, or that references a different key ID or alias, cannot find the key.
Make sure that the region, key ID, and key alias that are specified for decryption are the same as those specified for encryption.
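One way to make the "same region, same key" rule hard to violate is to store the region and key identifier next to every ciphertext and check them before calling Decrypt. The following Go program is an added example, not code from this page or from the KMS SDKs: the envelope layout, the function names and the sample region, key ID and ciphertext are this example's own.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Envelope stores a KMS ciphertext together with the region and key that
// produced it. The layout is this example's own convention, not a KMS wire
// format: the point is that the decrypting side reads the context from the
// envelope instead of relying on whatever region or key it is configured with.
type Envelope struct {
	Region         string `json:"region"`
	Key            string `json:"key"`            // key ID, or an alias such as alias/my-key
	CiphertextBlob string `json:"ciphertextBlob"` // Base64 ciphertext as returned by KMS
}

// ErrKeyContextMismatch is returned when the envelope was produced in a
// different region or with a different key than the caller intends to use.
var ErrKeyContextMismatch = errors.New("ciphertext region or key does not match the decryption configuration")

// Wrap serialises a ciphertext with the region and key used to encrypt it.
func Wrap(region, key, ciphertextBlob string) ([]byte, error) {
	if region == "" || key == "" || ciphertextBlob == "" {
		return nil, errors.New("region, key and ciphertextBlob are all required")
	}
	return json.Marshal(Envelope{Region: region, Key: key, CiphertextBlob: ciphertextBlob})
}

// Unwrap parses an envelope and verifies that it matches the region and key
// the caller is configured to decrypt with. A mismatch is caught locally,
// before the Decrypt call that would otherwise fail with Forbidden.KeyNotFound.
func Unwrap(data []byte, wantRegion, wantKey string) (Envelope, error) {
	var env Envelope
	if err := json.Unmarshal(data, &env); err != nil {
		return Envelope{}, fmt.Errorf("malformed envelope: %w", err)
	}
	if env.Region != wantRegion || env.Key != wantKey {
		return Envelope{}, fmt.Errorf("%w: ciphertext has %s/%s, caller configured %s/%s",
			ErrKeyContextMismatch, env.Region, env.Key, wantRegion, wantKey)
	}
	return env, nil
}

func main() {
	// Constructed sample values; the key ID and ciphertext are placeholders.
	data, err := Wrap("cn-hangzhou", "key-hzz6xxxxxx", "AQIDBAUGBwgJ")
	if err != nil {
		panic(err)
	}
	fmt.Println(string(data))

	// Same region and key: the envelope is accepted and Decrypt can proceed.
	if _, err := Unwrap(data, "cn-hangzhou", "key-hzz6xxxxxx"); err != nil {
		panic(err)
	}
	// Different region: rejected locally with a message that names both sides.
	_, err = Unwrap(data, "cn-shanghai", "key-hzz6xxxxxx")
	fmt.Println(err)
}
```

The check is deliberately an exact string comparison: a key ID and an alias that point to the same key are still treated as different, because the caller is expected to decrypt with the identifier that was recorded at encryption time.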
Why does the "no such host" or "not known" error message appear when a KMS instance is accessed?
Problem description
- kst-xxx.cryptoservice.kms.aliyuncs.com: no such host is returned when your application accesses a KMS instance by using KMS Instance SDK for Go.
- kst-xxx.cryptoservice.kms.aliyuncs.com: nodename nor servname provided, or not known is returned when your application accesses a KMS instance by using KMS Instance SDK for Java.
Cause
After you purchase a KMS instance, you can exclusively use the key management and secrets management features that are provided by the KMS instance. The KMS instance can be accessed only from a virtual private cloud (VPC) that is associated with the instance.
Solution
- If the VPC in which the application resides and the KMS instance are in the same region, associate the VPC with the KMS instance. For more information, see Configure multiple VPCs to associate with the same KMS instance.
For more information about how to check the VPCs that are associated with a KMS instance, see View the details of a KMS instance.
- If the VPC in which the application resides and the KMS instance are in different regions, establish a connection between the VPC in which the application resides and the VPC in which the KMS instance resides.
Why does the "This operation for key-xxxxxx is forbidden by permission system" error message appear when a secret value is retrieved?
Problem description
The "This operation for key-xxxxxx is forbidden by permission system" error message appears when an application calls the GetSecretValue operation to retrieve the value of a secret.

Cause
The application does not have the CryptoServiceKeyUser permission that allows the decryption of secret values by using a specific key.
When you create a secret, you must select a key that belongs to the same KMS instance as the secret. The key is used to encrypt the values of the secret. When an application retrieves a value of a secret from KMS, the key that is selected for the secret is required to decrypt the value of the secret. The application must have the permissions to use the secret and the key.
Solution
Modify the policy for the application access point (AAP) of the application to grant the required permissions to the application.
- Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, click Applications.
- Click the name of the AAP to go to the details page of the AAP.
- In the Permissions section, click Edit in the Actions column. Then, configure the parameters based on the following descriptions and click Update.
- RBAC Permissions: Select CryptoServiceKeyUser.
- Accessible Resources: Click the icon next to Selected Resources and add a key resource in the key/Key ID format. Example: key/key-hzz6xxxxxx.
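Before you deploy an AAP policy, it is worth checking it against the secrets the application will read, so that a missing key resource is found before GetSecretValue fails. The following Go program is an added example, not code from this page or from KMS: the policy and secret structures, the function names and the sample values are this example's own. The key/Key ID resource format is the one shown above; the secret/<secret name> format for the secret resource is an assumption, and the check covers only the requirements that this answer describes (the CryptoServiceKeyUser permission, the secret, and the key that decrypts its values).

```go
package main

import (
	"fmt"
	"strings"
)

// AAPPolicy holds the two parts of an application access point policy that
// GetSecretValue depends on. Field names are this example's own. Resource
// strings use the key/<Key ID> format from the console; secret/<secret name>
// for the secret itself is an assumption.
type AAPPolicy struct {
	RBACPermissions []string
	Resources       []string
}

// Secret pairs a secret with the key of the same KMS instance that was
// selected to encrypt its values.
type Secret struct {
	Name  string
	KeyID string
}

// matchResource accepts an exact entry or a wildcard entry such as key/*.
func matchResource(resources []string, want string) bool {
	for _, r := range resources {
		if r == want {
			return true
		}
		if strings.HasSuffix(r, "/*") && strings.HasPrefix(want, strings.TrimSuffix(r, "*")) {
			return true
		}
	}
	return false
}

// MissingForGetSecretValue returns what the policy lacks for the application
// to call GetSecretValue on s: the CryptoServiceKeyUser permission, the secret
// resource, and the key resource that decrypts the secret values. An empty
// result means the policy covers everything this check knows about.
func MissingForGetSecretValue(p AAPPolicy, s Secret) []string {
	var missing []string
	hasKeyUser := false
	for _, perm := range p.RBACPermissions {
		if perm == "CryptoServiceKeyUser" {
			hasKeyUser = true
			break
		}
	}
	if !hasKeyUser {
		missing = append(missing, "RBAC permission CryptoServiceKeyUser")
	}
	if !matchResource(p.Resources, "secret/"+s.Name) {
		missing = append(missing, "resource secret/"+s.Name)
	}
	if !matchResource(p.Resources, "key/"+s.KeyID) {
		missing = append(missing, "resource key/"+s.KeyID)
	}
	return missing
}

func main() {
	// Constructed sample: the AAP may read the secret, but the key that
	// encrypts its values is not listed, which is the situation behind the
	// "forbidden by permission system" error.
	policy := AAPPolicy{
		RBACPermissions: []string{"CryptoServiceKeyUser"},
		Resources:       []string{"secret/db-password"},
	}
	secret := Secret{Name: "db-password", KeyID: "key-hzz6xxxxxx"}
	for _, m := range MissingForGetSecretValue(policy, secret) {
		fmt.Println("missing:", m)
	}
	// Adding the key resource clears the finding.
	policy.Resources = append(policy.Resources, "key/"+secret.KeyID)
	fmt.Println("remaining findings:", len(MissingForGetSecretValue(policy, secret)))
}
```

Wildcards such as key/* are accepted by the matcher so that the check works on broad policies too, but listing the exact key/Key ID entry keeps the AAP to least privilege.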
Why does the "UnsupportedOperation" error message appear when an operation is called?
| Possible cause | Solution |
|---|---|
| Classic KMS SDK is used to call a key of your KMS instance to perform cryptographic operations. | Use KMS Instance SDK. For more information, see KMS Instance SDK. |
| A service key is used to call the Encrypt, Decrypt, or GenerateDataKey operation. | Service keys are created and managed by cloud services. You must use a customer master key (CMK). |
| Asymmetric Rivest–Shamir–Adleman (RSA) or elliptic curve cryptography (ECC) CMKs are used to call the GenerateDataKey operation. | Use symmetric Advanced Encryption Standard (AES) CMKs whose usage is set to ENCRYPT/DECRYPT. |
| Symmetric AES CMKs are used to call the Sign or Verify operation. | Use asymmetric RSA or ECC CMKs whose usage is set to SIGN/VERIFY. |
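The rows of this table can be turned into a local preflight that runs against a key's metadata before the SDK call is made, so that a wrong key or SDK is reported with a readable reason instead of a bare UnsupportedOperation. The following Go program is an added example, not code from this page or from the KMS SDKs: the KeyInfo structure, the function names and the sample keys are this example's own. KeySpec and KeyUsage carry the values KMS reports for a key (for example Aliyun_AES_256 with ENCRYPT/DECRYPT, or RSA_2048 with SIGN/VERIFY); whether a key is a service key and which instance it belongs to are supplied by the caller. The check encodes exactly the rows above; combinations the table does not mention pass through unchanged.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// KeyInfo is the key metadata the preflight needs. KeySpec and KeyUsage use
// the values KMS reports for a key; ServiceKey and InstanceID are this
// example's own fields, filled in by the caller from the key's details.
type KeyInfo struct {
	KeyID      string
	KeySpec    string // e.g. Aliyun_AES_256, RSA_2048, EC_P256
	KeyUsage   string // ENCRYPT/DECRYPT or SIGN/VERIFY
	ServiceKey bool   // created and managed by a cloud service rather than by you
	InstanceID string // KMS instance the key belongs to; empty if none
}

// ErrUnsupportedOperation mirrors the KMS error code so callers can test the
// preflight result with errors.Is.
var ErrUnsupportedOperation = errors.New("UnsupportedOperation")

func isSymmetricAES(spec string) bool { return strings.HasPrefix(spec, "Aliyun_AES_") }

func isAsymmetric(spec string) bool {
	return strings.HasPrefix(spec, "RSA_") || strings.HasPrefix(spec, "EC_")
}

// CheckOperation encodes the cause/solution table: it returns a wrapped
// ErrUnsupportedOperation explaining why KMS would reject op on key, or nil
// when the combination is allowed. instanceSDK reports whether the call goes
// through KMS Instance SDK (true) or the classic KMS SDK (false).
func CheckOperation(key KeyInfo, op string, instanceSDK bool) error {
	// Row 1: keys of a KMS instance must be called through KMS Instance SDK.
	if key.InstanceID != "" && !instanceSDK {
		return fmt.Errorf("%w: %s belongs to KMS instance %s; call it with KMS Instance SDK",
			ErrUnsupportedOperation, key.KeyID, key.InstanceID)
	}
	switch op {
	case "Encrypt", "Decrypt", "GenerateDataKey":
		// Row 2: service keys cannot be used for these operations.
		if key.ServiceKey {
			return fmt.Errorf("%w: %s is a service key; use a customer master key (CMK)",
				ErrUnsupportedOperation, key.KeyID)
		}
		if key.KeyUsage != "ENCRYPT/DECRYPT" {
			return fmt.Errorf("%w: %s has usage %s, %s needs ENCRYPT/DECRYPT",
				ErrUnsupportedOperation, key.KeyID, key.KeyUsage, op)
		}
		// Row 3: GenerateDataKey needs a symmetric AES CMK.
		if op == "GenerateDataKey" && !isSymmetricAES(key.KeySpec) {
			return fmt.Errorf("%w: GenerateDataKey needs a symmetric AES CMK, %s is %s",
				ErrUnsupportedOperation, key.KeyID, key.KeySpec)
		}
		return nil
	case "Sign", "Verify":
		// Row 4: Sign/Verify need an asymmetric RSA or ECC CMK with SIGN/VERIFY usage.
		if !isAsymmetric(key.KeySpec) || key.KeyUsage != "SIGN/VERIFY" {
			return fmt.Errorf("%w: %s needs an asymmetric RSA or ECC CMK with usage SIGN/VERIFY, %s is %s with %s",
				ErrUnsupportedOperation, op, key.KeyID, key.KeySpec, key.KeyUsage)
		}
		return nil
	default:
		return fmt.Errorf("preflight does not know operation %q", op)
	}
}

func main() {
	// Constructed sample keys; IDs and instance ID are placeholders.
	aes := KeyInfo{KeyID: "key-aes", KeySpec: "Aliyun_AES_256", KeyUsage: "ENCRYPT/DECRYPT", InstanceID: "kst-xxx"}
	rsa := KeyInfo{KeyID: "key-rsa", KeySpec: "RSA_2048", KeyUsage: "SIGN/VERIFY"}
	svc := KeyInfo{KeyID: "key-svc", KeySpec: "Aliyun_AES_256", KeyUsage: "ENCRYPT/DECRYPT", ServiceKey: true}

	fmt.Println(CheckOperation(aes, "GenerateDataKey", true))  // <nil>: allowed
	fmt.Println(CheckOperation(aes, "GenerateDataKey", false)) // row 1: wrong SDK
	fmt.Println(CheckOperation(svc, "Encrypt", false))         // row 2: service key
	fmt.Println(CheckOperation(rsa, "GenerateDataKey", false)) // row 3: asymmetric key
	fmt.Println(CheckOperation(aes, "Sign", true))             // row 4: symmetric key
	fmt.Println(CheckOperation(rsa, "Sign", false))            // <nil>: allowed
}
```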
Can I use the secrets management feature of KMS in an Android system?
No, you cannot use the secrets management feature in an Android system.
Why am I unable to access the endpoint of my KMS instance?
This issue occurs when the SDK sends its requests to the KMS instance endpoint over HTTP instead of HTTPS.
To ensure data security, KMS supports only HTTPS. Set the request protocol to HTTPS when you use an SDK to access KMS, as in the following example:
req.setProtocol(ProtocolType.HTTPS);