What do I do if encrypted configurations cannot be used? - Microservices Engine

This topic describes how to troubleshoot the issue that encrypted configurations cannot be used.

Problem description

If you cannot release an encrypted configuration in the following scenarios, you can resolve the issue based on the solutions that are described in this topic:

A business application is developed based on Spring Cloud Alibaba and encrypted and decrypted configurations. The business application fails to be started.
A business application is developed based on the native Nacos SDK for Java and encrypted and decrypted configurations. The encrypted and decrypted configurations fail to be released or queried.
A business application is developed based on the Nacos SDK for a non-Java programming language such as the Nacos SDK for Go or Nacos SDK for Node.js. The encrypted and decrypted configurations cannot be used.
An error is reported when encrypted and decrypted configurations are released in the MSE console.

Possible causes

An issue related to network connections or special characters may occur. For more information about how to resolve the issue, see What do I do if configurations fail to be released by using the Nacos client?.

If the issue persists, you can obtain an appropriate solution based on the following information.

Spring Cloud Alibaba
If you develop a business application based on Spring Cloud Alibaba and encrypted and decrypted configurations and the business application cannot be started, the issue may be caused by the following reasons:
- The dataId, groupId, and tenantId parameters of the business application cannot be mapped to the encryption and decryption parameters in MSE.
- The dependency of the encryption and decryption plug-in is not contained in your business repository. For more information, go to the repository of the encryption and decryption plug-in.
- The Key Management Service (KMS) service is not activated.
- Authentication fails. The related permissions are not granted.
Native Nacos SDK for Java
If you develop a business application based on the native Nacos SDK for Java and encrypted and decrypted configurations and the business application cannot be started, the issue may be caused by the following reasons:
- The dataId, groupId, and tenantId parameters of the business application cannot be mapped to the encryption and decryption parameters in MSE.
- The dependency of the encryption and decryption plug-in is not contained in your business repository. For more information, go to the repository of the encryption and decryption plug-in.
- The KMS service is not activated on the Alibaba Cloud product page.
- Authentication fails. The related permissions are not granted.
Nacos SDK for a non-Java programming language
If you develop a business application based on the Nacos SDK for a non-Java programming language such as the Nacos SDK for Go or Nacos SDK for Node.js and the encrypted and decrypted configurations cannot be used, the issue may be caused by the following reasons:
- The Nacos SDK for a non-Java programming language does not allow you to release or query the encrypted and decrypted configurations.
- The dataId, groupId, and tenantId parameters of the business application cannot be mapped to the encryption and decryption parameters in MSE.
- The KMS service is not activated on the Alibaba Cloud product page.
- Authentication fails. The related permissions are not granted.
MSE console
If an error message is displayed when you release the encrypted and decrypted configurations in the MSE console, the issue may be caused by the following reasons:
- The configuration content contains special characters. For more information about how to resolve the issue, see What do I do if configurations fail to be released by using the Nacos client?.
- The KMS service is not activated on the Alibaba Cloud product page.
- Authentication fails. The related permissions are not granted.

Solutions

Check whether issues related to network connections or special characters occur. For more information about how to resolve the issues, see What do I do if configurations fail to be released by using the Nacos client?.

Then, log on to the Alibaba Cloud KMS console and check whether the KMS service is activated.

If the issue persists, you can obtain an appropriate solution based on the following information.

Spring Cloud Alibaba

If you develop a business application based on Spring Cloud Alibaba or the native Nacos SDK for Java, check the detailed error information in the config.log file in the ${user_home}/logs/nacos directory.

If the HTTP status code 403 is found in the log file, the related permissions are not granted. To resolve the issue, grant the related permissions to your RAM user. For more information, see Grant permissions to access Nacos instances based on an SDK.
If keywords such as dataId, groupId, tenant, and namespaceId in logs are inconsistent with those in the MSE console, release the configurations in the MSE console. You can also call the ConfigService.publishConfig API operation to release the configurations.
If the issue persists, use a demo project for debugging.

Native Nacos SDK for Go

If you develop a business application based on the Nacos SDK for Go, use a demo project for debugging. For more information, go to the encryption and decryption demo repository for the Nacos SDK for Go.

Nacos SDK for a non-Java programming language

Non-Java APIs, except for the Go API, do not support encrypted and decrypted configurations. If you want to contribute solutions that are related to the preceding issues, you can visit GitHub to find the engineering code and make contributions.

MSE console

If you fail to release the encrypted and decrypted configurations in the MSE console, check whether the configuration size exceeds 50 KB. If the configuration size exceeds 50 KB, the encrypted and decrypted configurations may cause instability issues. To prevent these issues, split the encrypted and decrypted configurations into pieces.