When a KMS API request fails, KMS returns an HTTP status code and error details in the response body. The error details are encoded in Protocol Buffers format:
```protobuf
message Error {
  int32 StatusCode = 1;
  string ErrorCode = 2;
  string ErrorMessage = 3;
  string RequestId = 4;
}
```
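As an added example (not code from the KMS SDK), the following Python decodes a response body laid out as the Error message above using only the Protocol Buffers wire format, and rejects truncated or malformed bodies instead of returning partial fields. The function names, the sample bytes and the request ID are constructed for illustration.

```python
# Field number -> (name, expected wire type), taken from the message definition.
FIELDS = {1: ("StatusCode", 0), 2: ("ErrorCode", 2),
          3: ("ErrorMessage", 2), 4: ("RequestId", 2)}

def read_varint(buf, pos):
    """Read a base-128 varint at pos; return (value, next_pos)."""
    value = shift = 0
    while True:
        if pos >= len(buf) or shift > 63:
            raise ValueError("truncated or oversized varint")
        byte = buf[pos]
        value |= (byte & 0x7F) << shift
        pos, shift = pos + 1, shift + 7
        if not byte & 0x80:
            return value, pos

def decode_error(body):
    """Parse an Error body; skip unknown fields, raise ValueError on bad input."""
    out = {"StatusCode": 0, "ErrorCode": "", "ErrorMessage": "", "RequestId": ""}
    pos = 0
    while pos < len(body):
        key, pos = read_varint(body, pos)
        num, wire = key >> 3, key & 7
        if wire == 0:                          # varint, e.g. int32 StatusCode
            value, pos = read_varint(body, pos)
        elif wire == 2:                        # length-delimited, e.g. strings
            size, pos = read_varint(body, pos)
            if pos + size > len(body):
                raise ValueError("length prefix runs past end of body")
            value, pos = body[pos:pos + size].decode("utf-8"), pos + size
        else:
            raise ValueError(f"unexpected wire type {wire}")
        if FIELDS.get(num, (None, None))[1] == wire:
            out[FIELDS[num][0]] = value
    return out

def is_retryable(err):
    """Only the 503 entry is resolved by waiting; the others need a change first."""
    return err["StatusCode"] == 503 and err["ErrorCode"] == "ServiceUnavailableTemporary"

def str_field(tag, text):
    """Encode one string field (constructed sample data only, length < 128)."""
    return bytes([tag, len(text)]) + text.encode("ascii")

# Constructed sample body: StatusCode=503 is tag 0x08 followed by varint f7 03.
SAMPLE = (b"\x08\xf7\x03" + str_field(0x12, "ServiceUnavailableTemporary")
          + str_field(0x1A, "Service Unavailable Temporary.")
          + str_field(0x22, "constructed-request-id"))
```

Calling `decode_error(SAMPLE)` returns the four fields as a dictionary; keep the `RequestId` value with any log entry for the failure so it can be quoted when contacting support.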
The error codes below apply to most KMS operations. Some operations return additional error codes described in their individual API reference topics.
400 Bad request
| Error code | Error message | What it means and how to fix it |
|---|---|---|
| InvalidApiName | The ApiName "\<apiname\>" is invalid. | The API name in the request is not recognized. Check the API name and correct it. |
| InvalidApiVersion | The ApiVersion "\<apiversion value\>" is invalid. | The x-kms-apiversion header field is missing from the request. Add it to the request header. |
| InvalidParam | The Param Date is invalid. | The Date header value does not comply with RFC 1123. Update the Date header to use an RFC 1123-compliant value. |
| InvalidParam | The Param x-kms-signaturemethod is invalid. | The x-kms-signaturemethod header field is missing from the request. Add it to the request header. |
| InvalidParam | The Param x-kms-signaturemethod is invalid. message:"\<signaturemethod value\>". | The signature method specified in x-kms-signaturemethod is not supported. Use a supported signature method. |
| MissingParameter | Parameter x-kms-acccesskeyid does not exist in http header or body. | No AccessKey ID was found in the Authorization header. Add your AccessKey ID to the Authorization header. If you are using Alibaba Cloud SDKs, make sure you are using the KMS Instance SDK. |
| RequestTimeTooSkewed | Request time exceeds server time more than 15 minutes. | The request timestamp differs from the server time by more than 15 minutes. Sync your server clock and retry. |
| InvalidParameter | The specified parameter is not valid. | A parameter value is invalid. Check the parameter value and correct it. |
| UnsupportedOperation | Rejected.UnsupportedOperation | The requested operation is not supported. For details, see Application access FAQ. |
401 Unauthorized
| Error code | Error message | What it means and how to fix it |
|---|---|---|
| SignatureNotMatch | Signature is not matched. | The client signature does not match the server-calculated signature. Use a valid client key and retry. |
403 Forbidden
| Error code | Error message | What it means and how to fix it |
|---|---|---|
| Forbidden.NoPermission | This operation for "\<parameter name\>" is forbidden by permission system. | Your application access point (AAP) does not have permission to perform this operation. Check the AAP permission policies. For instructions, see Create an AAP. |
404 Not found
| Error code | Error message | What it means and how to fix it |
|---|---|---|
| Forbidden.KeyNotFound | The Key ID or Alias does not exist in the system. | The specified key does not exist. Check the key ID or alias and retry. |
| Forbidden.KeyNotFound | The Key ID or Alias does not exist in the key store "\<parameter name\>". | The specified key does not exist in the given key store. Verify the key store name and the key ID or alias. |
| Forbidden.KeyNotFound | The specified key does not exist. | The specified key does not exist. Check the key ID or alias and retry. |
| Unauthorized | The AccessKey ID "\<accessKeyId\>" does not exist in our records. | The AccessKey ID was not found. The AccessKey ID is the KeyId value in your AAP. Check your client key. For instructions, see Create an AAP. |
409 Conflict
These errors occur when the key is in a state that does not allow the requested operation.
| Error code | Error message | Key state | What it means and how to fix it |
|---|---|---|---|
| Rejected.PendingDeletion | The request was rejected because the key state is PendingDeletion. | PendingDeletion | The key is scheduled for deletion. Cancel the deletion or use a different key. |
| Rejected.Disabled | The request was rejected because the key state is Disabled. | Disabled | The key is disabled. Re-enable the key before using it. |
| Rejected.PendingImport | The request was rejected because the key state is PendingImport. | PendingImport | The key is awaiting key material import. Complete the import or use a different key. |
413 Request entity too large
This error occurs when the request body exceeds 3 MB after all request parameters are encoded in Protocol Buffers format.
To avoid this error:
- Encryption and decryption: Keep payloads under 6 KB for symmetric key operations and under 1 KB for asymmetric key operations. For larger data, use envelope encryption instead.
- Signing and verification: For large messages, generate a digest of the message locally, then call the Sign or Verify operation with the digest.
415 Unsupported media type
| Error code | Error message | What it means and how to fix it |
|---|---|---|
| InvalidContentType | Content-Type "\<type\>" is unsupported. | The Content-Type header value is not supported. Use the correct content type for the request. |
500 Internal server error
| Error code | Error message | What it means and how to fix it |
|---|---|---|
| InternalFailure | Internal Failure. | An internal error occurred. Contact Alibaba Cloud technical support. For details, see Contact us. |
503 Service unavailable
| Error code | Error message | What it means and how to fix it |
|---|---|---|
| ServiceUnavailableTemporary | Service Unavailable Temporary. | The service is temporarily unavailable. Try again later. |