IBM Cloud Docs
Error messages

These error messages are created by Key Protect and displayed in the user interface (UI).

Most error messages include one or more examples (typically curl) that show the request and the response.

This is not a complete list of error messages. Some messages are created by other systems, such as Identity and Access Management (IAM), and are passed from that system through Key Protect to the user.

Table of contents

The table of contents is sorted by error message.

Some error messages appear more than once; in that case the HTTP status code is included at the end of the message.

  1. Collection total does not match number ... details
  2. Data in body does not match data required ... details
  3. Extracting subject from bearer ... details
  4. Invalid body data was passed ... details
  5. Invalid field error ... details
  6. Key could not be deleted ... details
  7. Key has been deleted ... details
  8. Key is not in a valid state (409) details
  9. Key is not in a valid state (422) details
  10. Key is protecting one or more cloud ... details
  11. Key metadata is corrupted ... details
  12. Key restore has expired details
  13. KeyCreateImportAccess instance policy ... details
  14. Missing body in request details
  15. Number of authorizations required ... details
  16. Only a single instance policy can be used ... details
  17. Only imported keys can be restored details
  18. Requested action can only be completed with a root key (400) details
  19. Requested action can only be completed with a root key (422) details
  20. Requested change does not meet configuration rules details
  21. Signature is invalid details
  22. The action could not be performed on ... details
  23. The given encryption nonce does not match ... details
  24. The import token has expired details
  25. The key cannot be deleted because it ... details
  26. The key does not have dual authorization enabled and ... details
  27. The key was recently updated details
  28. The provided ciphertext is invalid or ... details
  29. The provided encryption nonce is not ... details
  30. The queried resource does not belong to the service details
  31. This action can only be performed by a service ... details
  32. This action is not allowed on this ... details
  33. This request requires key version ... details
  34. This root key has been rotated within ... details
  35. This root key was created with user-provided ... details
  36. Unauthorized: The user does not have ... details

1 - Collection total does not match number ...

Message

Collection total does not match number of resources

Reason code: COLLECTION_TOTAL_MISMATCH_ERR

HTTP status code

400 - Bad Request

The HTTP 400 Bad Request response status code indicates that the server cannot or will not process the request because of something that is perceived to be a client error (for example, malformed request syntax, invalid request message framing, or deceptive request routing).

The client should not repeat this request without modification.

Context

This error occurs when an instance policy is created and the value of the metadata.collectionTotal field does not match the number of resources in the resources array.

The create instance policy request fails because metadata.collectionTotal is 2 and there is 1 (one) resource in the resources array.

# this request fails because the collectionTotal is 2 and there is 1 (one) resource
$ curl -X PUT \
    "https://us-south.kms.cloud.ibm.com/api/v2/instance/policies?policy=dualAuthDelete" \
    -H "authorization: Bearer $ACCESS_TOKEN" \
    -H "bluemix-instance: $KP_INSTANCE_ID" \
    -H "content-type: application/vnd.ibm.kms.policy+json" \
    -d '{
            "metadata": {
                "collectionType": "application/vnd.ibm.kms.policy+json",
                "collectionTotal": 2
            },
            "resources": [
                {
                    "policy_type": "dualAuthDelete",
                    "policy_data": {
                        "enabled": false
                    }
                }
            ]
        }'

JSON response

{
    "metadata": {
        "collectionType": "application/vnd.ibm.kms.error+json",
        "collectionTotal": 1
    },
    "resources":[
        {
            "errorMsg": "Bad Request: Instance policy could not be created. Please see `reasons` for more details.",
            "reasons": [
                {
                    "code": "COLLECTION_TOTAL_MISMATCH_ERR",
                    "message": "Collection total does not match number of resources",
                    "status": 400,
                    "moreInfo": "https://cloud.ibm.com/apidocs/key-protect"
                }
            ]
        }
    ]
}

2 - Data in body does not match data required ...

Message

Data in body does not match data required by query parameter

Reason code: BODY_QUERY_PARAM_MISMATCH_ERR

HTTP status code

400 - Bad Request

The HTTP 400 Bad Request response status code indicates that the server cannot or will not process the request because of something that is perceived to be a client error (for example, malformed request syntax, invalid request message framing, or deceptive request routing).

The client should not repeat this request without modification.

Context

This error occurs when an instance policy is created and the policy named by the query parameter (dualAuthDelete, allowedNetwork, or allowedIP) does not match the policy_type of the first resource in the resources array.

The create instance policy request fails because the policy query parameter, dualAuthDelete, does not match resources.policy_type, which is badName.

# this request fails because the query parameter does not match the resource
$ curl -X PUT \
    "https://us-south.kms.cloud.ibm.com/api/v2/instance/policies?policy=dualAuthDelete" \
    -H "authorization: Bearer $ACCESS_TOKEN" \
    -H "bluemix-instance: $KP_INSTANCE_ID" \
    -H "content-type: application/vnd.ibm.kms.policy+json" \
    -d '{
            "metadata": {
                "collectionType": "application/vnd.ibm.kms.policy+json",
                "collectionTotal": 1
            },
            "resources": [
                {
                    "policy_type": "badName",
                    "policy_data": {
                        "enabled": false
                    }
                }
            ]
        }'

JSON response

{
    "metadata": {
        "collectionType": "application/vnd.ibm.kms.error+json",
        "collectionTotal": 1
    },
    "resources": [
        {
            "errorMsg": "Bad Request: Instance policy could not be created. Please see `reasons` for more details.",
            "reasons": [
                {
                    "code": "BODY_QUERY_PARAM_MISMATCH_ERR",
                    "message": "Data in body does not match data required by query parameter",
                    "status": 400,
                    "moreInfo": "https://cloud.ibm.com/apidocs/key-protect"
                }
            ]
        }
    ]
}

3 - Extracting subject from bearer ...

Message

Extracting subject from bearer token failed. Please ensure the bearer token passed is correct (well formed) and is allowed to perform the requested action

Reason code: BEARER_SUB_EXTRACTION_ERR

HTTP status code

400 - Bad Request

The HTTP 400 Bad Request response status code indicates that the server cannot or will not process the request because of something that is perceived to be a client error (for example, malformed request syntax, invalid request message framing, or deceptive request routing).

The client should not repeat this request without modification.

Context

The Identity and Access Management (IAM) access token is invalid, or its format is invalid. For a curl request, the authorization header must be set in the following format:

-H "authorization: Bearer $ACCESS_TOKEN"

Depending on the platform (Linux, Mac, Windows) or shell (bash, sh, zsh) you use, take care with single and double quotes. Some shells do not expand variables inside single quotes: with 'Bearer $ACCESS_TOKEN', for example, $ACCESS_TOKEN is not replaced with its value.

Make sure that you specify a valid IAM token. If the token has expired, you may need to log in again. The following command-line interface (CLI) commands log in and set the access token.

# login with single sign on (sso)
$ ibmcloud login --sso

# set the region (-r) and resource group (-g)
$ ibmcloud target -r us-south -g Default

# set the ACCESS_TOKEN environment variable (with Bearer)
$ export ACCESS_TOKEN=`ibmcloud iam oauth-tokens | grep IAM | cut -d \: -f 2 | sed 's/^ *//'`

# show the access token
$ echo $ACCESS_TOKEN

Bearer eyJraWQiOiIyMDIwMDcyNDE4MzEiLCJh...<redacted>...o4qlcKjl9sVqLa8Q

# set the ACCESS_TOKEN environment variable (without Bearer)
$ export ACCESS_TOKEN=`ibmcloud iam oauth-tokens | grep IAM | cut -d ' ' -f 5 | sed 's/^ *//'`

eyJraWQiOiIyMDIwMDcyNDE4MzEiLCJh...<redacted>...o4qlcKjl9sVqLa8Q

4 - Invalid body data was passed ...

Message

Invalid body data was passed. Please ensure the data passed had valid formatting with no invalid characters

Reason code: BAD_BODY_ERR

HTTP status code

400 - Bad Request

The HTTP 400 Bad Request response status code indicates that the server cannot or will not process the request because of something that is perceived to be a client error (for example, malformed request syntax, invalid request message framing, or deceptive request routing).

The client should not repeat this request without modification.

Context

Some examples of this error include:

  • Create instance policy

    • Only one of each policy can be created
    • The resources section is not provided
    • Extraneous fields in the resources section (see Example 1)
  • Create key

    • Exactly one resource is required (see Example 2)
    • Metadata is empty (see Example 3)
    • The key value is nil or empty

Example 1

The create instance policy request fails because the resource contains an extra field (extra_field).

# this request fails because there is an extra field in the body
$ curl -X PUT \
    "https://us-south.kms.cloud.ibm.com/api/v2/instance/policies?policy=dualAuthDelete" \
    -H "authorization: Bearer $ACCESS_TOKEN" \
    -H "bluemix-instance: $KP_INSTANCE_ID" \
    -H "content-type: application/vnd.ibm.kms.policy+json" \
    -d '{
            "metadata": {
                "collectionType": "application/vnd.ibm.kms.policy+json",
                "collectionTotal": 1
            },
            "resources": [
                {
                    "policy_type": "dualAuthDelete",
                    "policy_data": {
                        "enabled": false
                    },
                    "extra_field": "junk data"
                }
            ]
        }'

JSON response

{
    "metadata": {
        "collectionType": "application/vnd.ibm.kms.error+json",
        "collectionTotal": 1
    },
    "resources": [
        {
            "errorMsg": "Bad Request: Instance policy could not be created. Please see `reasons` for more details.",
            "reasons":[
                {
                    "code": "BAD_BODY_ERR",
                    "message": "Invalid body data was passed. Please ensure the data passed had valid formatting with no invalid characters: json: unknown field \"extra_field\"",
                    "status": 400,
                    "moreInfo": "https://cloud.ibm.com/apidocs/key-protect"
                }
            ]
        }
    ]
}

Example 2

The create key request fails because there is more than 1 (one) resource.

# this request fails because there is more than 1 (one) resource
$ curl -X POST \
    "https://us-south.kms.cloud.ibm.com/api/v2/keys" \
    -H "authorization: Bearer $ACCESS_TOKEN" \
    -H "bluemix-instance: $KP_INSTANCE_ID" \
    -H "content-type: application/vnd.ibm.kms.key+json" \
    -d '{
            "metadata": {
                "collectionType": "application/vnd.ibm.kms.key+json",
                "collectionTotal": 1
            },
            "resources": [
                {
                    "type": "application/vnd.ibm.kms.key+json",
                    "name": "Root-key-1",
                    "description": "example-key",
                    "extractable": false
                },
                {
                    "type": "application/vnd.ibm.kms.key+json",
                    "name": "Root-key-2",
                    "description": "example-key",
                    "extractable": false
                }
            ]
        }'

JSON response

{
    "metadata": {
        "collectionType": "application/vnd.ibm.kms.error+json",
        "collectionTotal": 1
    },
    "resources": [
        {
            "errorMsg": "Bad Request: Key could not be created. Please see `reasons` for more details.",
            "reasons": [
                {
                    "code": "BAD_BODY_ERR",
                    "message": "Invalid body data was passed. Please ensure the data passed had valid formatting with no invalid characters: Only creation of one key per request is supported",
                    "status": 400,
                    "moreInfo": "https://cloud.ibm.com/apidocs/key-protect"
                }
            ]
        }
    ]
}

Example 3

This create key request fails because metadata is empty.

# this request fails because the metadata is empty
$ curl -X POST \
    "https://us-south.kms.cloud.ibm.com/api/v2/keys" \
    -H "authorization: Bearer $ACCESS_TOKEN" \
    -H "bluemix-instance: $KP_INSTANCE_ID" \
    -H "content-type: application/vnd.ibm.kms.key+json" \
    -d '{
            "metadata": {},
            "resources": [
                {
                    "type": "application/vnd.ibm.kms.key+json",
                    "name": "Root-key-1",
                    "description": "example-key",
                    "extractable": false
                }
            ]
        }'

JSON response

{
    "metadata": {
        "collectionType": "application/vnd.ibm.kms.error+json",
        "collectionTotal": 1
    },
    "resources": [
        {
            "errorMsg": "Bad Request: Key could not be created. Please see `reasons` for more details.",
            "reasons": [
                {
                    "code": "BAD_BODY_ERR",
                    "message": "Invalid body data was passed. Please ensure the data passed had valid formatting with no invalid characters: CollectionMetadata is empty",
                    "status": 400,
                    "moreInfo": "https://cloud.ibm.com/apidocs/key-protect"
                }
            ]
        }
    ]
}

5 - Invalid field error ...

Message

When wrapping a key, if invalid plaintext is passed in the request, the message The field 'plaintext' must be: a base64 encoded key material is displayed.

When unwrapping a key, if invalid ciphertext is passed, the message The field 'ciphertext' must be: the original base64 encoded ciphertext from the wrap operation is displayed.

HTTP status code

400

Context

Sample wrap key request that fails:

# this request fails because the plaintext is not valid base64
$ curl -X POST \
    "https://us-south.kms.cloud.ibm.com/api/v2/keys/$KEY_ID/actions/wrap" \
    -H "authorization: Bearer $ACCESS_TOKEN" \
    -H "bluemix-instance: $KP_INSTANCE_ID" \
    -H "content-type: application/vnd.ibm.kms.key_action+json" \
    -d '{
            "plaintext": "q+x3Qi.../BVb8bPj....vVD;"
        }'

Response:

{
    "metadata": {
        "collectionType": "application/vnd.ibm.kms.error+json",
        "collectionTotal": 1
    },
    "resources": [
        {
            "errorMsg": "Bad Request: Wrap with key could not be performed: Please see `reasons` for more details (INVALID_FIELD_ERR)",
            "reasons": [
                {
                    "code": "INVALID_FIELD_ERR",
                    "message": "The field `plaintext` must be: a base64 encoded key material: illegal base64 data at input byte 38",
                    "status": 400,
                    "moreInfo": "https://cloud.ibm.com/apidocs/key-protect",
                    "target": {
                        "type": "field",
                        "name": "plaintext"
                    }
                }
            ]
        }
    ]
}

Sample unwrap key request that fails:

# this request fails because the ciphertext is not valid base64
$ curl -X POST \
    "https://us-south.kms.cloud.ibm.com/api/v2/keys/$KEY_ID/actions/unwrap" \
    -H "authorization: Bearer $ACCESS_TOKEN" \
    -H "bluemix-instance: $KP_INSTANCE_ID" \
    -H "content-type: application/vnd.ibm.kms.key_action+json" \
    -d '{
            "ciphertext": "eyJjaXBoZXJ0ZXh0IjoiUnl...hYTUtNDNmMi05NTc5LWM2NjAzN2EwNjhkNyJ"
        }'

Response:

{
    "metadata": {
        "collectionType": "application/vnd.ibm.kms.error+json",
        "collectionTotal": 1
    },
    "resources": [
        {
            "errorMsg": "Bad Request: Unwrap with key could not be performed: Please see 'reasons' for more details (INVALID_FIELD_ERR)",
            "reasons": [
                {
                    "code": "INVALID_FIELD_ERR",
                    "message": "The field 'ciphertext' must be: the original base64 encoded ciphertext from the wrap operation: illegal base64 data at input byte 208",
                    "status": 400,
                    "moreInfo": "https://cloud.ibm.com/apidocs/key-protect",
                    "target": {
                        "type": "field",
                        "name": "ciphertext"
                    }
                }
            ]
        }
    ]
}
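The collection, query-parameter, body and base64 rules described in sections 1, 2, 4 and 5 can all be checked before a request leaves the client. The following Python module is an added example, not code from this page or from IBM's SDK; its function names, the POLICY_TYPES set and its treatment of a bodyless wrap are this example's own assumptions.

```python
"""Pre-flight checks for Key Protect request bodies.

Added example for this page, not IBM's code or SDK. It mirrors the rules
behind COLLECTION_TOTAL_MISMATCH_ERR, BODY_QUERY_PARAM_MISMATCH_ERR,
BAD_BODY_ERR, INVALID_FIELD_ERR and NO_BODY_ERR so that a client can reject
a malformed request locally instead of learning about it from a 400.
The function names and the POLICY_TYPES set are this example's own.
"""
import base64
import binascii
from typing import Dict, List, Optional

POLICY_TYPE = "application/vnd.ibm.kms.policy+json"
KEY_TYPE = "application/vnd.ibm.kms.key+json"
# Instance policy names that appear on this page.
POLICY_TYPES = {"dualAuthDelete", "allowedNetwork", "allowedIP", "keyCreateImportAccess"}
# The only fields a policy resource may carry; anything else is BAD_BODY_ERR.
POLICY_RESOURCE_FIELDS = {"policy_type", "policy_data"}


def _check_collection(body: Dict, expected_type: str) -> List[str]:
    """Rules shared by every collection body: metadata, resources, total."""
    metadata = body.get("metadata")
    resources = body.get("resources")
    if not metadata:
        return ["BAD_BODY_ERR: CollectionMetadata is empty"]
    if not isinstance(resources, list):
        return ["BAD_BODY_ERR: resources section is missing"]
    problems = []
    if metadata.get("collectionType") != expected_type:
        problems.append(f"BAD_BODY_ERR: collectionType must be {expected_type}")
    if metadata.get("collectionTotal") != len(resources):
        problems.append(
            "COLLECTION_TOTAL_MISMATCH_ERR: collectionTotal is "
            f"{metadata.get('collectionTotal')} but there are {len(resources)} resources")
    return problems


def check_instance_policy(body: Dict, policy_query: str) -> List[str]:
    """PUT /api/v2/instance/policies?policy=<policy_query>"""
    if policy_query not in POLICY_TYPES:
        return [f"unknown policy query parameter {policy_query!r}"]
    problems = _check_collection(body, POLICY_TYPE)
    resources = body.get("resources")
    if not isinstance(resources, list) or not resources:
        return problems
    first = resources[0]
    unknown = sorted(set(first) - POLICY_RESOURCE_FIELDS)
    if unknown:
        problems.append(f"BAD_BODY_ERR: json: unknown field {unknown}")
    # The query parameter must name the same policy as the first resource.
    if first.get("policy_type") != policy_query:
        problems.append(
            f"BODY_QUERY_PARAM_MISMATCH_ERR: policy={policy_query} "
            f"but policy_type={first.get('policy_type')!r}")
    return problems


def check_create_key(body: Dict) -> List[str]:
    """POST /api/v2/keys: exactly one key resource per request."""
    problems = _check_collection(body, KEY_TYPE)
    resources = body.get("resources")
    if isinstance(resources, list) and len(resources) != 1:
        problems.append("BAD_BODY_ERR: Only creation of one key per request is supported")
    return problems


def check_key_action(body: Optional[Dict], action: str) -> List[str]:
    """POST .../actions/<action> for wrap, rewrap and unwrap.

    Assumption not stated on this page: wrap may omit plaintext (the service
    then generates the key material), so only rewrap and unwrap need a body.
    """
    if not body:
        return [] if action == "wrap" else ["NO_BODY_ERR: Missing body in request"]
    field = "plaintext" if action == "wrap" else "ciphertext"
    value = body.get(field)
    if value is None:
        return [] if action == "wrap" else [f"INVALID_FIELD_ERR: '{field}' is required"]
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, TypeError, ValueError) as exc:
        return [f"INVALID_FIELD_ERR: The field '{field}' must be base64 encoded: {exc}"]
    return []


if __name__ == "__main__":
    # The failing body from this page's COLLECTION_TOTAL_MISMATCH_ERR example.
    bad_policy = {
        "metadata": {"collectionType": POLICY_TYPE, "collectionTotal": 2},
        "resources": [{"policy_type": "dualAuthDelete", "policy_data": {"enabled": False}}],
    }
    for problem in check_instance_policy(bad_policy, "dualAuthDelete"):
        print(problem)
```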

6 - Key could not be deleted ...

HTTP status code

409 - Conflict

The HTTP 409 Conflict client error response code indicates an error in the client request that can be resolved according to the reason code that is returned.

Context

This error returns one of several reason codes; the reason's message provides the specific context.

Message

Reason code: AUTHORIZATIONS_NOT_MET

The key cannot be deleted because it failed the dual authorization request. Make sure that you follow the dual authorization process before deleting this key. See the topic Deleting keys using dual authorization.

Reason code: PROTECTED_RESOURCE_ERR

The key cannot be deleted because the key has one or more associated resources. See the topic Considerations before deleting and purging keys.

Reason code: PREV_KEY_DEL_ERR

The key cannot be deleted because it is protecting a cloud resource that has a retention policy. Before deleting this key, contact the account owner to remove the retention policy on each resource that is associated with the key. See the topic Considerations before deleting and purging keys.

Example response 1

{
    "metadata": {
        "collectionType": "application/vnd.ibm.kms.error+json",
        "collectionTotal": 1
    },
    "resources": [
        {
            "errorMsg": "Key could not be deleted. Please 'reasons' for more details.",
            "reasons": [
                {
                    "code": "AUTHORIZATIONS_NOT_MET",
                    "message": "The key cannot be deleted because it failed the dual authorization request.",
                    "status": 409,
                    "moreInfo":"https://cloud.ibm.com/apidocs/key-protect"
                }
            ]
        }
    ]
}

Example response 2

{
    "metadata": {
        "collectionType": "application/vnd.ibm.kms.error+json",
        "collectionTotal": 1
    },
    "resources": [
        {
            "errorMsg": "Key could not be deleted. Please 'reasons' for more details.",
            "reasons": [
                {
                    "code": "PROTECTED_RESOURCE_ERR",
                    "message": "The key cannot be deleted because the key has one or more associated resources.",
                    "status": 409,
                    "moreInfo":"https://cloud.ibm.com/apidocs/key-protect"
                }
            ]
        }
    ]
}

Example response 3

{
    "metadata": {
        "collectionType": "application/vnd.ibm.kms.error+json",
        "collectionTotal": 1
    },
    "resources": [
        {
            "errorMsg": "Key could not be deleted. Please 'reasons' for more details.",
            "reasons": [
                {
                    "code": "PREV_KEY_DEL_ERR",
                    "message": "The key cannot be deleted because it's protecting a cloud resource that has a retention policy.",
                    "status": 409,
                    "moreInfo":"https://cloud.ibm.com/apidocs/key-protect"
                }
            ]
        }
    ]
}

7 - Key has been deleted ...

Message

Key has already been deleted. Please delete references to this key

Reason code: KEY_DELETED_ERR

HTTP status code

410 - Gone

The HTTP 410 Gone client error response code indicates that access to the target resource is no longer available at the origin server and that this condition is likely to be permanent.

If you do not know whether this condition is temporary or permanent, a 404 status code should be used instead.

By default, 410 responses are cacheable.

Context

The delete key request fails because the key was previously deleted. A key cannot be deleted more than once.

Example

# delete an existing key
$ ibmcloud kp key delete $KEY_ID -i $KP_INSTANCE_ID

Deleting key: '0c17...<redacted>...5c34', from instance: 'a192...<redacted>...7411'...
OK
Deleted Key
0c17...<redacted>...5c34

# this request fails because the key was previously deleted
$ curl -X DELETE \
    "https://us-south.kms.cloud.ibm.com/api/v2/keys/$KEY_ID" \
    -H "authorization: Bearer $ACCESS_TOKEN" \
    -H "bluemix-instance: $KP_INSTANCE_ID" \
    -H "content-type: application/vnd.ibm.kms.key+json"

JSON response

{
    "metadata": {
        "collectionType": "application/vnd.ibm.kms.error+json",
        "collectionTotal": 1
    },
    "resources": [
        {
            "errorMsg": "Gone: Key could not be deleted. Please see `reasons` for more details.",
            "reasons": [
                {
                    "code": "KEY_DELETED_ERR",
                    "message": "Key has already been deleted. Please delete references to this key.",
                    "status": 410,
                    "moreInfo":"https://cloud.ibm.com/apidocs/key-protect"
                }
            ]
        }
    ]
}

8 - Key is not in a valid state (409)

Message

Key is not in a valid state

Reason code: KEY_ACTION_INVALID_STATE_ERR

HTTP status code

409 - Conflict

The HTTP 409 Conflict response status code indicates that the request conflicts with the current state of the server.

Conflicts are most likely to occur in response to a PUT request. For example, you might receive a 409 response when uploading a file that is older than the one already on the server, resulting in a version control conflict.

Context

This error occurs when an action is performed on a key whose state is not valid for that action.

Some actions to consider:

  • The key state must be Active (state value 1) to wrap, unwrap, rotate, set the key for deletion (dual authorization), unset the key for deletion (dual authorization), or disable the key

  • This error occurs when you try to enable an expired key (state value 3) or restore a destroyed key (state value 5)

Example 1

The key disable request fails because you cannot disable a key that was previously disabled.

# disable a key the first time
$ ibmcloud kp key disable $KEY_ID -i $KP_INSTANCE_ID

Disabling key: '6933...<redacted>...5dbf', in instance: 'a192...<redacted>...7411'...
OK

# this CLI request fails because the key is disabled a second time
$ ibmcloud kp key disable $KEY_ID -i $KP_INSTANCE_ID

Disabling key: '69332...<redacted>...5dbf', in instance: 'a192...<redacted>...7411'...
FAILED
kp.Error:
    correlation_id='aca1...<redacted>...66e9',
    msg='Conflict:
        Key is not in active state:
        Key could not be disabled.
        Please see `reasons` for more details.',
    reasons='[KEY_ACTION_INVALID_STATE_ERR:
        Key is not in a valid state -
        FOR_MORE_INFO_REFER: https://cloud.ibm.com/apidocs/key-protect]'

# this API request fails because the key is disabled a third time
$ curl -X POST \
    "https://us-south.kms.cloud.ibm.com/api/v2/keys/$KEY_ID/actions/disable" \
    -H "authorization: Bearer $ACCESS_TOKEN" \
    -H "bluemix-instance: $KP_INSTANCE_ID" \
    -H "content-type: application/vnd.ibm.kms.key_action+json"

JSON response

{
    "metadata": {
        "collectionType": "application/vnd.ibm.kms.error+json",
        "collectionTotal": 1
    },
    "resources": [
        {
            "errorMsg": "Conflict: Key is not in active state: Key could not be disabled. Please see `reasons` for more details.",
            "reasons": [
                {
                    "code": "KEY_ACTION_INVALID_STATE_ERR",
                    "message": "Key is not in a valid state",
                    "status": 409,
                    "moreInfo": "https://cloud.ibm.com/apidocs/key-protect"
                }
            ]
        }
    ]
}

Example 2

The key enable request fails because the key has expired and you are trying to change the key state from disabled (state value 3) to enabled (state value 1).

The following steps return the key has been disabled error.

  1. Create a key with an expiration date

  2. Allow the expiration date to pass

  3. Enable the key

# on a Mac, add 1 (one) minute to the current time
$ EXPIRE=$(date -u -v+1M "+%Y-%m-%dT%H:%M:%SZ")

$ echo $EXPIRE

# step 1 - create a key with an expiration date
$ curl -X POST \
    "https://us-south.kms.cloud.ibm.com/api/v2/keys" \
    -H "authorization: Bearer $ACCESS_TOKEN" \
    -H "bluemix-instance: $KP_INSTANCE_ID" \
    -H "content-type: application/vnd.ibm.kms.key+json" \
    -d '{
            "metadata": {
                "collectionType": "application/vnd.ibm.kms.key+json",
                "collectionTotal": 1
            },
            "resources": [
                {
                    "type": "application/vnd.ibm.kms.key+json",
                    "name": "Root-key-1",
                    "description": "example-key",
                    "expirationDate": "'$EXPIRE'",
                    "extractable": false
                }
            ]
        }'

JSON response

{
    "metadata": {
        "collectionType": "application/vnd.ibm.kms.key+json",
        "collectionTotal": 1
    },
    "resources": [
        {
            "type": "application/vnd.ibm.kms.key+json",
            "id": "88d649f8-41b8-4426-b52b-45c88953d5b8",
            "name": "Root-key-1",
            "description": "example-key",
            "state": 1,
            "expirationDate": "2020-08-12T23:38:09Z",
            "extractable": false,
            "crn": "crn:v1:bluemix:public:kms:us-south:a/ea998d3389c3473aa0987652b46fb146:a192d603-0b8d-452f-aac3-f9e1f95e7411:key:88d649f8-41b8-4426-b52b-45c88953d5b8",
            "imported": false,
            "deleted": false
        }
    ]
}
# capture the key id
$ KEY_ID=88d649f8-41b8-4426-b52b-45c88953d5b8

# step 2 - allow the expiration date to pass by sleeping for 1 (one) minute
$ sleep 60

# step 3 - fails because you cannot enable a key after the expiration date
$ curl -X POST \
    "https://us-south.kms.cloud.ibm.com/api/v2/keys/$KEY_ID/actions/enable" \
    -H "authorization: Bearer $ACCESS_TOKEN" \
    -H "bluemix-instance: $KP_INSTANCE_ID" \
    -H "content-type: application/vnd.ibm.kms.key_action+json"

JSON response

{
    "metadata": {
        "collectionType": "application/vnd.ibm.kms.error+json",
        "collectionTotal": 1
    },
    "resources": [
        {
            "errorMsg": "Conflict: Key is not in suspended state: Key could not be enabled. Please see `reasons` for more details.",
            "reasons": [
                {
                    "code":" KEY_ACTION_INVALID_STATE_ERR",
                    "message": "Key is not in a valid state",
                    "status": 409,
                    "moreInfo": "https://cloud.ibm.com/apidocs/key-protect"
                }
            ]
        }
    ]
}

9 - Key is not in a valid state (422)

Message

Key is not in a valid state

Reason code: KEY_INVALID_STATE_ERR

HTTP status code

422 - Unprocessable Entity

The HTTP 422 Unprocessable Entity response status code indicates that the server understands the content type of the request entity, and the syntax of the request entity is correct, but it was unable to process the contained instructions.

The client should not repeat this request without modification.

Context

This error applies to keys that are used in a registration.

When a key is registered with a cloud resource, the key state must be Active (state value 1).

A registration is an association between a root key and another cloud resource, such as a Cloud Object Storage (COS) bucket or a Cloud Databases deployment.

For more information about registrations, see Viewing associations between root keys and encrypted IBM Cloud resources.

10 - Key is protecting one or more cloud ...

Message

Key is protecting one or more cloud resources

Reason code: PROTECTED_RESOURCE_ERR

HTTP status code

409 - Conflict

The HTTP 409 Conflict response status code indicates that the request conflicts with the current state of the server.

Conflicts are most likely to occur in response to a PUT request. For example, you might receive a 409 response when uploading a file that is older than the one already on the server, resulting in a version control conflict.

Context

This error applies to keys that are used in a registration.

A key that is registered with a cloud resource cannot be deleted unless the force option is used.

The force option is required to delete a root key that is registered with another cloud resource.

A registration is an association between a root key and another cloud resource, such as a Cloud Object Storage (COS) bucket or a Cloud Databases deployment.

For more information about registrations, see Viewing associations between root keys and encrypted IBM Cloud resources.

See these instructions to delete a key that is registered with another cloud resource (see the force option).

# this CLI request fails because the registration was not deleted
$ ibmcloud kp key delete $KEY_ID -i $KP_INSTANCE_ID

Deleting key: 52a9d772-8982-4620-bfb4-b070dd812a0c, from instance: b0d84b32-09d0-4314-8049-da78e3b9ab6f...
FAILED
kp.Error:
    correlation_id='c27b7948-4a1f-4cbd-8770-cb3616888e27',
    msg='Conflict:
        Key could not be deleted.
        Please see "reasons" for more details.',
    reasons='[PROTECTED_RESOURCE_ERR:
        Key is protecting one or more cloud resources -
        FOR_MORE_INFO_REFER: https://cloud.ibm.com/docs/key-protect?topic=key-protect-troubleshooting#unable-to-delete-keys]'

# this CLI request succeeds when using the --force option
# the registration between Key Protect and the cloud resource exists
$ ibmcloud kp key delete $KEY_ID -i $KP_INSTANCE_ID --force --output json

{
    "id": "52a9d772-8982-4620-bfb4-b070dd812a0c"
}

11 - Key metadata is corrupted ...

Message

Key metadata is corrupted. Please delete this key

Reason code: INCOMPLETE_METADATA_ERR

HTTP status code

500 - Internal Server Error

The HTTP 500 Internal Server Error server error response code indicates that the server encountered an unexpected condition that prevented it from fulfilling the request.

This error response is a generic "catch-all" response. Usually, this indicates that the server cannot find a better 5xx error code to respond with. Sometimes, server administrators log error responses such as the 500 status code with more details about the request to prevent the error from happening again in the future.

Context

This error is returned when an internal error occurs.

If you receive this error, contact IBM Support.
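Every error shown in sections 1 to 11 arrives in the same envelope. The following Python module, an added example rather than IBM's code or SDK, parses that envelope and turns the HTTP status and reason code into a handling decision; the GUIDANCE strings summarize this page's advice, the sample responses are constructed to match the ones above, and the type and function names are this example's own.

```python
"""Interpret a Key Protect error envelope on the client side.

Added example for this page, not IBM's code or SDK. The envelope shape comes from
the responses above: metadata.collectionType application/vnd.ibm.kms.error+json and
resources[] with errorMsg plus reasons[] (code, message, status, moreInfo, optional
target). GUIDANCE summarizes the sections' advice; every name here is this example's own.
"""
import json
from dataclasses import dataclass
from typing import List, Optional

ERROR_COLLECTION = "application/vnd.ibm.kms.error+json"

# What this page advises for each reason code documented above.
GUIDANCE = {
    "COLLECTION_TOTAL_MISMATCH_ERR": "set metadata.collectionTotal to the number of resources",
    "BODY_QUERY_PARAM_MISMATCH_ERR": "make the policy query parameter match policy_type",
    "BEARER_SUB_EXTRACTION_ERR": "log in again and send a well-formed 'Bearer <token>' header",
    "BAD_BODY_ERR": "fix the body: one resource, non-empty metadata, no unknown fields",
    "INVALID_FIELD_ERR": "send base64 plaintext, or the original ciphertext from wrap",
    "NO_BODY_ERR": "rewrap and unwrap require a JSON body",
    "AUTHORIZATIONS_NOT_MET": "complete the dual authorization process before deleting",
    "PROTECTED_RESOURCE_ERR": "key is registered to a cloud resource; remove it or use force",
    "PREV_KEY_DEL_ERR": "ask the account owner to remove the retention policy first",
    "KEY_DELETED_ERR": "the key is already deleted; delete references to it",
    "KEY_ACTION_INVALID_STATE_ERR": "the key must be active (state 1) for this action",
    "INCOMPLETE_METADATA_ERR": "internal error; contact IBM Support",
}


@dataclass
class ErrorReason:
    code: str
    message: str
    status: int
    more_info: str
    target: Optional[str] = None  # reasons[].target.name when a field is named


@dataclass
class Verdict:
    category: str  # fix_request | resolve_conflict | gone | server_error | unknown
    reasons: List[ErrorReason]
    guidance: List[str]


def is_error_envelope(raw: str) -> bool:
    return json.loads(raw).get("metadata", {}).get("collectionType") == ERROR_COLLECTION


def parse_error_envelope(raw: str) -> List[ErrorReason]:
    """Return every reason in the envelope; raise if this is not an error document."""
    if not is_error_envelope(raw):
        raise ValueError("not a Key Protect error envelope")
    reasons = []
    for resource in json.loads(raw).get("resources", []):
        for r in resource.get("reasons", []):
            # strip() normalizes stray whitespace around the code before the lookup
            reasons.append(ErrorReason(r["code"].strip(), r["message"], int(r["status"]),
                                       r.get("moreInfo", ""), (r.get("target") or {}).get("name")))
    return reasons


def classify(raw: str) -> Verdict:
    """Map the first reason's HTTP status to a handling category, with per-reason advice."""
    reasons = parse_error_envelope(raw)
    if not reasons:
        return Verdict("unknown", [], ["no reasons returned; log the errorMsg"])
    status = reasons[0].status
    if status in (400, 422):
        category = "fix_request"       # do not repeat the request without modification
    elif status == 409:
        category = "resolve_conflict"  # what to change depends on the reason code
    elif status == 410:
        category = "gone"              # permanent: drop references to the key
    elif status >= 500:
        category = "server_error"      # generic failure: contact IBM Support
    else:
        category = "unknown"
    guidance = []
    for r in reasons:
        text = GUIDANCE.get(r.code, f"undocumented reason {r.code}; see {r.more_info}")
        guidance.append(f"{text} (field: {r.target})" if r.target else text)
    return Verdict(category, reasons, guidance)


# Constructed samples modelled on two responses shown above (the second carries a stray
# leading space in its code on purpose, to exercise the strip()).
SAMPLE_INVALID_FIELD = json.dumps({
    "metadata": {"collectionType": ERROR_COLLECTION, "collectionTotal": 1},
    "resources": [{"errorMsg": "Bad Request: Wrap with key could not be performed: "
                   "Please see `reasons` for more details (INVALID_FIELD_ERR)",
                   "reasons": [{"code": "INVALID_FIELD_ERR", "status": 400,
                                "target": {"type": "field", "name": "plaintext"},
                                "message": "The field `plaintext` must be: a base64 encoded key material",
                                "moreInfo": "https://cloud.ibm.com/apidocs/key-protect"}]}]})
SAMPLE_INVALID_STATE = json.dumps({
    "metadata": {"collectionType": ERROR_COLLECTION, "collectionTotal": 1},
    "resources": [{"errorMsg": "Conflict: Key is not in active state: Key could not be disabled.",
                   "reasons": [{"code": " KEY_ACTION_INVALID_STATE_ERR", "status": 409,
                                "message": "Key is not in a valid state",
                                "moreInfo": "https://cloud.ibm.com/apidocs/key-protect"}]}]})
```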

12 - Key restore has expired

Message

Key restore has expired

Reason code: KEY_RESTORE_EXPIRED

HTTP status code

400 - Bad Request

The HTTP 400 Bad Request response status code indicates that the server cannot or will not process the request because of something that is perceived to be a client error (for example, malformed request syntax, invalid request message framing, or deceptive request routing).

The client should not repeat this request without modification.

Context

This error occurs when you try to restore a key that was deleted more than 30 days ago.

13 - KeyCreateImportAccess instance policy ...

Message

KeyCreateImportAccess instance policy does not allow this action

Reason code: KEY_CREATE_IMPORT_ACCESS_ERR

HTTP status code

409 - Conflict

The HTTP 409 Conflict response status code indicates that the request conflicts with the current state of the server.

Conflicts are most likely to occur in response to a PUT request. For example, you might receive a 409 response when uploading a file that is older than the one already on the server, resulting in a version control conflict.

Context

The KeyCreateImportAccess instance policy is enabled and does not allow the request to create or import the key.

For example, the instance policy does not allow creating standard keys, and a request to create a standard key is rejected.

Example

The following steps return this error.

  1. Enable an instance policy that prevents creating standard keys

  2. Try to create a standard key, which fails

  3. Remove (disable) the instance policy, which allows standard keys to be created

  4. Create a standard key, which succeeds

# step 1 - enable an instance policy, which prevents creating standard keys
$ curl -X PUT \
    "https://us-south.kms.cloud.ibm.com/api/v2/instance/policies?policy=keyCreateImportAccess" \
    -H "accept: application/vnd.ibm.kms.policy+json" \
    -H "authorization: Bearer $ACCESS_TOKEN" \
    -H "bluemix-instance: $KP_INSTANCE_ID" \
    -H "content-type: application/vnd.ibm.kms.policy+json" \
    -d '{
            "metadata": {
                "collectionType": "application/vnd.ibm.kms.policy+json",
                "collectionTotal": 1
            },
            "resources": [
                {
                    "policy_type": "keyCreateImportAccess",
                    "policy_data": {
                        "enabled": true,
                        "attributes": {
                            "create_root_key": true,
                            "create_standard_key": false,
                            "import_root_key": true,
                            "import_standard_key": true,
                            "enforce_token": true
                        }
                    }
                }
            ]
        }'

# step 2a - fails when using the ibmcloud CLI
# because the instance policy prevents creating standard keys
$ ibmcloud kp key create my-standard-key --standard-key

FAILED
kp.Error:
    correlation_id='43c45c85-7a1f-478c-b235-49decec8c88f',
    msg='Conflict:
        Key could not be created:
        Please see `reasons` for more details (KEY_CREATE_IMPORT_ACCESS_ERR)',
    reasons='[KEY_CREATE_IMPORT_ACCESS_ERR:
        KeyCreateImportAccess instance policy does not allow this action -
        FOR_MORE_INFO_REFER: https://cloud.ibm.com/apidocs/key-protect]'

# step 2b - fails when using the ibmcloud API
# because the instance policy prevents creating standard keys
$ curl -X POST \
    "https://us-south.kms.cloud.ibm.com/api/v2/keys" \
    -H "authorization: Bearer $ACCESS_TOKEN" \
    -H "bluemix-instance: $KP_INSTANCE_ID" \
    -H "content-type: application/vnd.ibm.kms.key+json" \
    -d '{
            "metadata": {
                "collectionType": "application/vnd.ibm.kms.key+json",
                "collectionTotal": 1
            },
            "resources": [
                {
                    "type": "application/vnd.ibm.kms.key+json",
                    "name": "my-standard-key",
                    "description": "my-standard-key",
                    "extractable": true
                }
            ]
        }'

JSON response from the ibmcloud API

{
    "metadata": {
        "collectionType": "application/vnd.ibm.kms.error+json",
        "collectionTotal": 1
    },
    "resources": [
        {
            "errorMsg": "Conflict: Key could not be created: Please see `reasons` for more details (KEY_CREATE_IMPORT_ACCESS_ERR)",
            "reasons": [
                {
                    "code": "KEY_CREATE_IMPORT_ACCESS_ERR",
                    "message": "KeyCreateImportAccess instance policy does not allow this action",
                    "status": 409,
                    "moreInfo": "https://cloud.ibm.com/apidocs/key-protect"
                }
            ]
        }
    ]
}

Steps 3-4 disable the keyCreateImportAccess policy and successfully create a standard key.

# step 3 - disable the policy, that is, enable creating standard keys
$ curl -X PUT \
    "https://us-south.kms.cloud.ibm.com/api/v2/instance/policies?policy=keyCreateImportAccess" \
    -H "accept: application/vnd.ibm.kms.policy+json" \
    -H "authorization: Bearer $ACCESS_TOKEN" \
    -H "bluemix-instance: $KP_INSTANCE_ID" \
    -H "content-type: application/vnd.ibm.kms.policy+json" \
    -d '{
            "metadata": {
                "collectionType": "application/vnd.ibm.kms.policy+json",
                "collectionTotal": 1
            },
            "resources": [
                {
                    "policy_type": "keyCreateImportAccess",
                    "policy_data": {
                        "enabled": false
                    }
                }
            ]
        }'

# step 4a - create a standard key using the ibmcloud CLI
$ ibmcloud kp key create my-standard-key --standard-key -o json

{
    "id": "3511e0bc-e32d-40b8-b6c2-96cd651858a4",
    "name": "my-standard-key",
    "type": "application/vnd.ibm.kms.key+json",
    "extractable": true,
    "state": 1,
    "crn": "crn:v1:bluemic:public:kms:us-south:a/819bdf4436ef4c198fdf4f0b81d53116:87fa68d0-fa10-47d0-a201-603949808530:key:3511e0bc-e32d-40b8-b6c2-96cd651858a4",
    "deleted": false
}

# step 4b - create a standard key using the ibmcloud API
curl -X POST \
    "https://us-south.kms.cloud.ibm.com/api/v2/keys" \
    -H "authorization: Bearer $ACCESS_TOKEN" \
    -H "bluemix-instance: $KP_INSTANCE_ID" \
    -H "content-type: application/vnd.ibm.kms.key+json" \
    -d '{
            "metadata": {
                "collectionType": "application/vnd.ibm.kms.key+json",
                "collectionTotal": 1
            },
            "resources": [
                {
                    "type": "application/vnd.ibm.kms.key+json",
                    "name": "my-standard-key",
                    "description": "my-standard-key",
                    "extractable": true
                }
            ]
        }'

JSON response from the ibmcloud API

{
    "metadata": {
        "collectionType": "application/vnd.ibm.kms.key+json",
        "collectionTotal": 1
    },
    "resources": [
        {
            "type": "application/vnd.ibm.kms.key+json",
            "id": "60d72058-ec53-4d77-b7ef-ba56443e76d5",
            "name": "my-standard-key",
            "description": "my-standard-key",
            "state": 1,
            "extractable": true,
            "crn":"crn:v1:bluemix:public:kms:us-south:a/819bdf4436ef4c198fdf4f0b81d53116:87fa68d0-fa10-47d0-a201-603949808530:key:60d72058-ec53-4d77-b7ef-ba56443e76d5",
            "imported": false,
            "deleted": false
        }
    ]
}
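The step 1 policy above decides, attribute by attribute, which create and import requests the instance accepts. The following Python function is an added example, not IBM's code; how extractable, payload and enforce_token map onto the policy attributes is this example's assumption, as noted in its docstring.

```python
"""Evaluate a keyCreateImportAccess instance policy against a create-key request.

Added example for this page, not IBM's code. The policy attributes
(create_root_key, create_standard_key, import_root_key, import_standard_key,
enforce_token) are the ones in the step 1 policy body above. Assumptions that
this page does not state: "extractable": true marks a standard key and false a
root key; a resource carrying "payload" is an import rather than a create;
enforce_token means an import must present an import token; an attribute that
is absent is treated as allowed. The function names are this example's own.
"""
from typing import Dict, Optional

# The policy enabled in step 1 above: root keys allowed, standard keys blocked.
STEP1_POLICY_DATA = {
    "enabled": True,
    "attributes": {
        "create_root_key": True,
        "create_standard_key": False,
        "import_root_key": True,
        "import_standard_key": True,
        "enforce_token": True,
    },
}


def policy_verdict(policy_data: Dict, key_resource: Dict,
                   has_import_token: bool = False) -> Optional[str]:
    """Return None when the request is allowed, else the reason it is refused."""
    if not policy_data.get("enabled", False):
        return None  # a disabled policy (steps 3-4 above) restricts nothing
    attrs = policy_data.get("attributes", {})
    is_import = "payload" in key_resource
    kind = "standard" if key_resource.get("extractable") else "root"
    gate = f"{'import' if is_import else 'create'}_{kind}_key"
    if not attrs.get(gate, True):
        return f"KEY_CREATE_IMPORT_ACCESS_ERR: policy attribute {gate} is false"
    if is_import and attrs.get("enforce_token") and not has_import_token:
        return "KEY_CREATE_IMPORT_ACCESS_ERR: enforce_token requires an import token"
    return None


if __name__ == "__main__":
    # The step 2 request above: a standard key while create_standard_key is false.
    standard_key = {"type": "application/vnd.ibm.kms.key+json",
                    "name": "my-standard-key", "extractable": True}
    print(policy_verdict(STEP1_POLICY_DATA, standard_key))
```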

14 - Missing body in request

Message

Missing body in request

Reason code: NO_BODY_ERR

HTTP status code

400 - Bad Request

The HTTP 400 Bad Request response status code indicates that the server cannot or will not process the request because of something that is perceived to be a client error (for example, malformed request syntax, invalid request message framing, or deceptive request routing).

The client should not repeat this request without modification.

Context

This error occurs when you rewrap or unwrap a key and the request has no body.

Example

The following steps return the missing body in request error.

  1. Create a root key

  2. Create a data encryption key (DEK), which is the plaintext

  3. Wrap the DEK with the root key, which creates the ciphertext

  4. A request to unwrap the new ciphertext, which reveals the original DEK (plaintext), fails because the body is missing

  5. A request to unwrap the new ciphertext, which reveals the original DEK (plaintext), succeeds because the body is specified

# step 1 - create a root key
$ KEY_ID=$(ibmcloud kp key create example-key -i $KP_INSTANCE_ID --output json | jq -r '.["id"]')

$ echo $KEY_ID

66ffaf5b-86c8-4a50-8a2a-920ae71f86dc

# step 2 - create a random, base64-encoded, 32-byte data encryption key (DEK)
$ PLAINTEXT=$(openssl rand -base64 32)

$ echo $PLAINTEXT

2eLAD3LyD3H2bq8dIDAy0A/lN9DSE/Ne3bwu40CdErs=

# step 3 - wrap the DEK (plaintext key) with the root key, creating the ciphertext
$ CIPHERTEXT=$(ibmcloud kp key wrap $KEY_ID -i $KP_INSTANCE_ID -p $PLAINTEXT --output json | jq -r '.["Ciphertext"]')

$ echo $CIPHERTEXT

eyJjaXBoZXJ0ZXh0IjoiR0VnTFZGSmpK...<redacted>...YWU3MWY4NmRjIn0=

# step 4 - fails to unwrap the ciphertext, which reveals the original DEK
# (plaintext), because there is no body (the -d option)
$ curl -X POST \
    "https://us-south.kms.cloud.ibm.com/api/v2/keys/$KEY_ID/actions/unwrap" \
    -H "authorization: Bearer $ACCESS_TOKEN" \
    -H "bluemix-instance: $KP_INSTANCE_ID" \
    -H "content-type: application/vnd.ibm.kms.key_action+json"

JSON response

{
    "metadata": {
        "collectionType": "application/vnd.ibm.kms.error+json",
        "collectionTotal": 1
    },
    "resources": [
        {
            "errorMsg": "Bad Request: Action could not be performed on key. Please see `reasons` for more details.",
            "reasons": [
                {
                    "code": "NO_BODY_ERR",
                    "message": "Missing body in request",
                    "status": 400,
                    "moreInfo": "https://cloud.ibm.com/apidocs/key-protect"
                }
            ]
        }
    ]
}
# step 5 - succeeds to unwrap the ciphertext because the request is complete
$ curl -X POST \
    "https://us-south.kms.cloud.ibm.com/api/v2/keys/$KEY_ID/actions/unwrap" \
    -H "authorization: Bearer $ACCESS_TOKEN" \
    -H "bluemix-instance: $KP_INSTANCE_ID" \
    -H "content-type: application/vnd.ibm.kms.key_action+json" \
    -d '{
            "ciphertext": "'$CIPHERTEXT'"
        }'

JSON response

{
    "plaintext": "2eLAD3LyD3H2bq8dIDAy0A/lN9DSE/Ne3bwu40CdErs=",
    "keyVersion": {
        "id": "66ffaf5b-86c8-4a50-8a2a-920ae71f86dc"
    }
}

14 - Number of authorizations required ...

Message

Number of authorizations required to delete is not met

Reason code: AUTHORIZATIONS_NOT_MET

HTTP status code

409 - Conflict

The HTTP 409 Conflict response status code indicates that the request conflicts with the current state of the server.

Conflicts are most likely to occur in response to a PUT request. For example, you might receive a 409 response when uploading a file that is older than the one already on the server, resulting in a version control conflict.

Context

A key with a dual authorization policy cannot be deleted without authorization from two users.

Example

These steps show how to produce the error message.

  1. Create a root key

  2. Enable the dual authorization policy

  3. List the policies (verify that dual authorization is enabled)

  4. Delete the key, which fails because not enough authorizations have been given to delete the key

# step 1 - create a root key
$ KEY_ID=$(ibmcloud kp key create example-key -i $KP_INSTANCE_ID --output json | jq -r '.["id"]')

$ echo $KEY_ID

8f97b016-bc31-4e3d-9cd6-a0a1c7caffdb

# step 2 - enable the dual authorization policy
$ ibmcloud kp key policy-update dual-auth-delete $KEY_ID -i $KP_INSTANCE_ID --enable

Setting a rotation interval for key ID: 8f97b016-bc31-4e3d-9cd6-a0a1c7caffdb...
OK

Key ID          8f97b016-bc31-4e3d-9cd6-a0a1c7caffdb
Created By      IBMid-...<redacted>...
Creation Date   2020-08-13T22:33:50Z
Last Updated    2020-08-13T22:33:50Z
Updated By      IBMid-...<redacted>...
Enabled         true

# step 3 - list the policies (verify dual authorization is enabled)
$ ibmcloud kp key policies $KEY_ID -i $KP_INSTANCE_ID --output json

[
    {
        "createdBy": "IBMid-...<redacted>...",
        "creationDate": "2020-08-13T22:33:50Z",
        "crn": "crn:v1:bluemix:public:kms:us-south:a/ea998d3389c3473aa0987652b46fb146:a192d603-0b8d-452f-aac3-f9e1f95e7411:policy:0b93cd65-8359-4891-9289-8701f4c6ad9c",
        "lastUpdateDate": "2020-08-13T22:33:50Z",
        "updatedBy": "IBMid-...<redacted>...",
        "dualAuthDelete": {
            "enabled": true
        }
    }
]

# step 4 - fails because not enough authorizations are met to delete the key
$ curl -X DELETE \
    "https://us-south.kms.cloud.ibm.com/api/v2/keys/$KEY_ID" \
    -H "authorization: Bearer $ACCESS_TOKEN" \
    -H "bluemix-instance: $KP_INSTANCE_ID" \
    -H "content-type: application/vnd.ibm.kms.key+json"

JSON response

{
    "metadata": {
        "collectionType": "application/vnd.ibm.kms.error+json",
        "collectionTotal": 1
    },
    "resources": [
        {
            "errorMsg": "Conflict: 1 prior authorization(s) are required for deletion: Key could not be deleted. Please see `reasons` for more details.",
            "reasons": [
                {
                    "code": "AUTHORIZATIONS_NOT_MET",
                    "message": "Number of authorizations required to delete is not met",
                    "status": 409,
                    "moreInfo": "https://cloud.ibm.com/apidocs/key-protect"
                }
            ]
        }
    ]
}

15 - Only a single instance policy may ...

Message

Only a single instance policy may be created per query parameter: please pass a single resource object

Reason code: NUM_COLLECTION_RESOURCE_ERR

HTTP status code

400 - Bad Request

The HTTP 400 Bad Request response status code indicates that the server cannot or will not process the request because of something that is perceived to be a client error (for example, malformed request syntax, invalid request message framing, or deceptive request routing).

The client should not repeat this request without modification.

Context

The create instance policy request fails because the same policy was specified more than once.

Multiple policies can be specified in one request as long as each policy is unique. For example, dualAuthDelete and allowedIP can be specified in the same request.

Example

This request fails because the same instance policy was provided more than once.

# this request fails because the dualAuthDelete policy was specified more than once
$ curl -X PUT \
    "https://us-south.kms.cloud.ibm.com/api/v2/instance/policies?policy=dualAuthDelete" \
    -H "authorization: Bearer $ACCESS_TOKEN" \
    -H "bluemix-instance: $KP_INSTANCE_ID" \
    -H "content-type: application/vnd.ibm.kms.policy+json" \
    -d '{
            "metadata": {
                "collectionType": "application/vnd.ibm.kms.policy+json",
                "collectionTotal": 2
            },
            "resources": [
                {
                    "policy_type": "dualAuthDelete",
                    "policy_data": {
                        "enabled": false
                    }
                },
                {
                    "policy_type": "dualAuthDelete",
                    "policy_data": {
                        "enabled": false
                    }
                }
            ]
        }'

JSON response

{
    "metadata": {
        "collectionType": "application/vnd.ibm.kms.error+json",
        "collectionTotal": 1
    },
    "resources": [
        {
            "errorMsg": "Bad Request: Instance policy could not be created. Please see `reasons` for more details.",
            "reasons": [
                {
                    "code": "NUM_COLLECTION_RESOURCE_ERR",
                    "message": "Only a single instance policy may be created per query parameter. Please pass single resource object",
                    "status": 400,
                    "moreInfo": "https://cloud.ibm.com/apidocs/key-protect"
                }
            ]
        }
    ]
}
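
As an added example (not from IBM's documentation or the Key Protect SDK), the following Go program checks an instance policy request body locally before it is sent: it flags a policy_type that appears more than once, which is what the service rejects with NUM_COLLECTION_RESOURCE_ERR, and a collectionTotal that does not match the number of resources. The struct and function names, the LOCAL_ label and the DistinctBody sample are this example's own assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// InstancePolicyRequest mirrors the PUT /api/v2/instance/policies body used on this page.
type InstancePolicyRequest struct {
	Metadata struct {
		CollectionType  string `json:"collectionType"`
		CollectionTotal int    `json:"collectionTotal"`
	} `json:"metadata"`
	Resources []struct {
		PolicyType string          `json:"policy_type"`
		PolicyData json.RawMessage `json:"policy_data"`
	} `json:"resources"`
}

// Finding is one defect caught before the request leaves the client.
type Finding struct {
	Code    string // the reason code documented on this page, or a LOCAL_* label
	Message string
}

// PreflightInstancePolicies reports the defects in an instance policy body that the
// service is documented to reject, so a client can fail fast instead of round-tripping.
func PreflightInstancePolicies(body []byte) ([]Finding, error) {
	var req InstancePolicyRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return nil, fmt.Errorf("body is not valid JSON: %w", err)
	}
	var findings []Finding
	if req.Metadata.CollectionTotal != len(req.Resources) {
		findings = append(findings, Finding{
			Code: "LOCAL_COLLECTION_TOTAL_MISMATCH", // local label for the count check
			Message: fmt.Sprintf("metadata.collectionTotal is %d but resources has %d entries",
				req.Metadata.CollectionTotal, len(req.Resources)),
		})
	}
	// A policy type may appear once per request ("only a single instance policy may be
	// created per query parameter"); distinct types such as dualAuthDelete and allowedIP may share a request.
	seen := map[string]int{}
	for _, r := range req.Resources {
		seen[r.PolicyType]++
	}
	types := make([]string, 0, len(seen))
	for pt := range seen {
		types = append(types, pt)
	}
	sort.Strings(types) // deterministic report order
	for _, pt := range types {
		if seen[pt] > 1 {
			findings = append(findings, Finding{
				Code:    "NUM_COLLECTION_RESOURCE_ERR",
				Message: fmt.Sprintf("policy_type %q given %d times; pass a single resource object per policy", pt, seen[pt]),
			})
		}
	}
	return findings, nil
}

// DuplicateBody is the body of the failing request above: dualAuthDelete given twice.
const DuplicateBody = `{
  "metadata": {"collectionType": "application/vnd.ibm.kms.policy+json", "collectionTotal": 2},
  "resources": [
    {"policy_type": "dualAuthDelete", "policy_data": {"enabled": false}},
    {"policy_type": "dualAuthDelete", "policy_data": {"enabled": false}}
  ]
}`

// DistinctBody is a constructed body with two different policy types, which the page allows.
const DistinctBody = `{
  "metadata": {"collectionType": "application/vnd.ibm.kms.policy+json", "collectionTotal": 2},
  "resources": [
    {"policy_type": "dualAuthDelete", "policy_data": {"enabled": false}},
    {"policy_type": "allowedIP", "policy_data": {"enabled": false}}
  ]
}`

func main() {
	for _, c := range []struct{ name, body string }{{"duplicate", DuplicateBody}, {"distinct", DistinctBody}} {
		findings, err := PreflightInstancePolicies([]byte(c.body))
		if err != nil {
			fmt.Println(c.name, "error:", err)
			continue
		}
		fmt.Printf("%s: %d finding(s)\n", c.name, len(findings))
		for _, f := range findings {
			fmt.Printf("  %s: %s\n", f.Code, f.Message)
		}
	}
}
```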

16 - Only imported keys may be restored

Message

Only imported keys may be restored

Reason code: KEY_IMPT_REQ_ERR

HTTP status code

400 - Bad Request

The HTTP 400 Bad Request response status code indicates that the server cannot or will not process the request because of something that is perceived to be a client error (for example, malformed request syntax, invalid request message framing, or deceptive request routing).

The client should not repeat this request without modification.

Context

Key Protect can restore a previously deleted root key, which restores access to the data that the key protects in the cloud.

As an administrator, you might need to restore a root key that was imported into Key Protect in order to access data that the key previously protected.

When you restore a key, the key moves from the Destroyed key state (state value 5) to the Active key state (state value 1), and access to any data that was previously encrypted with the key is restored.

You can restore a deleted key within 30 days of deleting it. This feature applies only to root keys that were created with key material (also called the payload).

Only a root key that was created with key material, using the kp key create command with the -k, --key-material option, can be restored. If you did not specify the --key-material option, the root key cannot be restored.

If you want to restore a deleted root key, you must have saved the key material that was used to create it. If the original key material is not provided, the deleted key cannot be restored.

Example

Perform the following steps to produce the only imported keys may be restored error.

  1. Create a root key without key material (payload)

  2. Delete the key

  3. Sleep for 30 seconds

  4. Create key material

  5. Restore the key, providing the key material (payload)

# step 1 - create a root key without a key material (payload)
$ KEY_ID=$(ibmcloud kp key create example-key -i $KP_INSTANCE_ID --output json | jq -r '.["id"]')

$ echo $KEY_ID

e631925f-affb-457e-886d-57cb2a5f565b

# step 2 - delete the key
$ ibmcloud kp key delete $KEY_ID -i $KP_INSTANCE_ID

Deleting key: 'e631925f-affb-457e-886d-57cb2a5f565b', from instance: 'a192d603-0b8d-452f-aac3-f9e1f95e7411'...
OK
Deleted Key
e631925f-affb-457e-886d-57cb2a5f565b

# step 3 - sleep 30 seconds
$ sleep 30

# step 4 - create a key material
$ KEY_MATERIAL=$(openssl rand -base64 32)

$ echo $KEY_MATERIAL

lZM/guRnn/VklwRBoNOP/AUdCtpDNSo3+xXXhwrnO7c=

# step 5 - this CLI request fails because you can only restore keys
# that were imported (created with a key material or an import token)
$ ibmcloud kp key restore $KEY_ID -i $KP_INSTANCE_ID --key-material $KEY_MATERIAL

Restoring key: 'e631925f-affb-457e-886d-57cb2a5f565b', in instance: 'a192d603-0b8d-452f-aac3-f9e1f95e7411'...
FAILED
kp.Error:
    correlation_id='6d000f60-47f2-4a49-ba72-f02a8efa2945',
    msg='Bad Request:
        Key could not be restored.
        Please see `reasons` for more details.',
    reasons='[KEY_IMPT_REQ_ERR:
        Only imported keys may be restored. -
        FOR_MORE_INFO_REFER: https://cloud.ibm.com/apidocs/key-protect]'

# step 5 - this API request fails because you can only restore keys
# that were imported (created with a key material or an import token)
$ curl -X POST \
    "https://us-south.kms.cloud.ibm.com/api/v2/keys/$KEY_ID/restore" \
    -H "authorization: Bearer $ACCESS_TOKEN" \
    -H "bluemix-instance: $KP_INSTANCE_ID" \
    -H "content-type: application/vnd.ibm.kms.key_action+json" \
    -d '{
            "metadata": {
                "collectionType": "application/vnd.ibm.kms.key+json",
                "collectionTotal": 1
            },
            "resources": [
                {
                    "payload": "'$KEY_MATERIAL'"
                }
            ]
        }'

JSON response

{
    "metadata": {
        "collectionType": "application/vnd.ibm.kms.error+json",
        "collectionTotal": 1
    },
    "resources": [
        {
            "errorMsg": "Bad Request: Key could not be restored. Please see `reasons` for more details.",
            "reasons": [
                {
                    "code": "KEY_IMPT_REQ_ERR",
                    "message": "Only imported keys may be restored.",
                    "status": 400,
                    "moreInfo": "https://cloud.ibm.com/apidocs/key-protect"
                }
            ]
        }
    ]
}

17 - Requested action can only be completed ...

Message

Requested action can only be completed with a root key

Reason code: KEY_ROOT_REQ_ERR

HTTP status code

400 - Bad Request

The HTTP 400 Bad Request response status code indicates that the server cannot or will not process the request because of something that is perceived to be a client error (for example, malformed request syntax, invalid request message framing, or deceptive request routing).

The client should not repeat this request without modification.

Context

Many key actions can be performed only on root keys. The following commands can be performed only on a root key:

  • Disable a key
  • Enable a key
  • Restore a key
  • Rotate a key
  • Unwrap a key
  • Wrap a key

Example

This example creates a standard key and then tries to disable it. The action fails because only a root key can be disabled.

# create a standard key
$ KEY_ID=$(ibmcloud kp key create example-key -i $KP_INSTANCE_ID --output json --standard-key | jq -r '.["id"]')

$ echo $KEY_ID

b2dae7bb-2da5-493e-99d2-a6379e35e58c

# this request fails because a standard key cannot be disabled
$ curl -X POST \
    "https://us-south.kms.cloud.ibm.com/api/v2/keys/$KEY_ID/actions/disable" \
    -H "authorization: Bearer $ACCESS_TOKEN" \
    -H "bluemix-instance: $KP_INSTANCE_ID" \
    -H "content-type: application/vnd.ibm.kms.key_action+json"

JSON response

{
    "metadata": {
        "collectionType": "application/vnd.ibm.kms.error+json",
        "collectionTotal": 1
    },
    "resources": [
        {
            "errorMsg": "Bad Request: Key could not be disabled. Please see `reasons` for more details.",
            "reasons": [
                {
                    "code": "KEY_ROOT_REQ_ERR",
                    "message": "Requested action can only be completed with a root key.",
                    "status": 400,
                    "moreInfo": "https://cloud.ibm.com/apidocs/key-protect"
                }
            ]
        }
    ]
}

18 - Requested action can only be completed ...

Message

Requested action can only be completed with a root key

Reason code: KEY_ROOT_REQ_REG_ERR

HTTP status code

422 - Unprocessable Entity

The HTTP 422 Unprocessable Entity response status code indicates that the server understands the content type of the request entity, and the syntax of the request entity is correct, but it was unable to process the contained instructions.

The client should not repeat this request without modification.

Context

This error applies to keys used in registrations. A root key is required to create a registration. The error is returned when a create registration API request is made with a key that is not a root key.

A registration is an association between a root key and another cloud resource, such as a Cloud Object Storage (COS) bucket or a Cloud Databases deployment.

For more information about registrations, see Viewing associations between root keys and encrypted IBM Cloud resources.

19 - Requested change does not conform ...

Message

Requested change does not conform to configuration rules

Reason code: CONFIG_RULE_CONFLICT_ERR

HTTP status code

403 - Forbidden

The HTTP 403 Forbidden client error status response code indicates that the server understood the request but refuses to authorize it.

This status is similar to 401, but in this case re-authenticating makes no difference. The access is permanently forbidden and tied to the application logic, such as insufficient rights to a resource.

Context

This error message occurs when an instance policy prevents access to a resource. For example, if a request originates from a public IP address and an instance policy forbids access from public IP addresses, you receive this error message.

20 - Invalid signature

Message

Invalid signature

Reason code: INVALID_SIG_EXP_ERR

HTTP status code

422 - Unprocessable Entity

The HTTP 422 Unprocessable Entity response status code indicates that the server understands the content type of the request entity, and the syntax of the request entity is correct, but it was unable to process the contained instructions.

The client should not repeat this request without modification.

Context

This error occurs when rewrapping a key.

If you receive this error, contact IBM Support.

21 - The action could not be performed on ...

Message

The action could not be performed on the key because the key is expired

Reason code: KEY_EXPIRED_ERR

HTTP status code

400 - Bad Request

The HTTP 400 Bad Request response status code indicates that the server cannot or will not process the request because of something that is perceived to be a client error (for example, malformed request syntax, invalid request message framing, or deceptive request routing).

The client should not repeat this request without modification.

Context

This error occurs when you restore a deleted key after the key has expired.

Example

The key restore request fails because the key was deleted and the key has expired.

The following steps produce this error.

  1. Create key material (payload) and an expiration date

  2. Create a root key with the key material and the expiration date

  3. Capture the key ID

  4. Allow the expiration date to pass

  5. Delete the key

  6. Restore the key, which fails because a deleted key cannot be restored after its expiration date

# step 1 - create a key material (payload) and an expiration date
#          create an expiration date, on a Mac, add 1 (one) minute to the current time
$ KEY_MATERIAL=$(openssl rand -base64 32)
$ EXPIRE=$(date -u -v+1M "+%Y-%m-%dT%H:%M:%SZ")

# step 2 - Create a root key using the key material and the expiration date
$ curl -X POST \
    "https://us-south.kms.cloud.ibm.com/api/v2/keys" \
    -H "authorization: Bearer $ACCESS_TOKEN" \
    -H "bluemix-instance: $KP_INSTANCE_ID" \
    -H "content-type: application/vnd.ibm.kms.key+json" \
    -d '{
            "metadata": {
                "collectionType": "application/vnd.ibm.kms.key+json",
                "collectionTotal": 1
            },
            "resources": [
                {
                    "type": "application/vnd.ibm.kms.key+json",
                    "name": "Root-key-1",
                    "payload": "'$KEY_MATERIAL'",
                    "description": "example-key",
                    "expirationDate": "'$EXPIRE'",
                    "extractable": false
                }
            ]
        }'

JSON response

{
    "metadata": {
        "collectionType": "application/vnd.ibm.kms.key+json",
        "collectionTotal": 1
    },
    "resources": [
        {
            "type": "application/vnd.ibm.kms.key+json",
            "id": "aa713df1-857c-4c46-be80-3051756280c9",
            "name": "Root-key-1",
            "description": "example-key",
            "state": 1,
            "expirationDate": "2020-08-14T19:33:47Z",
            "extractable": false,
            "crn": "crn:v1:bluemix:public:kms:us-south:a/ea998d3389c3473aa0987652b46fb146:a192d603-0b8d-452f-aac3-f9e1f95e7411:key:aa713df1-857c-4c46-be80-3051756280c9",
            "imported": true,
            "deleted": false
        }
    ]
}
# step 3 - capture the key id
$ KEY_ID=aa713df1-857c-4c46-be80-3051756280c9

# step 4 - allow the expiration date to pass by sleeping for 1 (one) minute
$ sleep 60

# step 5 - delete the key
$ ibmcloud kp key delete $KEY_ID

Deleting key: 'aa713df1-857c-4c46-be80-3051756280c9', from instance: 'a192d603-0b8d-452f-aac3-f9e1f95e7411'...
OK
Deleted Key
aa713df1-857c-4c46-be80-3051756280c9

# step 6 - fails because you cannot restore a deleted key after the expiration date
$ curl -X POST \
    "https://us-south.kms.cloud.ibm.com/api/v2/keys/$KEY_ID/restore" \
    -H "authorization: Bearer $ACCESS_TOKEN" \
    -H "bluemix-instance: $KP_INSTANCE_ID" \
    -H "content-type: application/vnd.ibm.kms.key_action+json" \
    -d '{
            "metadata": {
                "collectionType": "application/vnd.ibm.kms.key+json",
                "collectionTotal": 1
            },
            "resources": [
                {
                    "payload": "'$KEY_MATERIAL'"
                }
            ]
        }'

JSON response

{
    "metadata": {
        "collectionType": "application/vnd.ibm.kms.error+json",
        "collectionTotal": 1
    },
    "resources": [
        {
            "errorMsg": "Bad Request: The key expired on 2020-08-14 19:33:47 +0000 UTC: Key could not be restored. Please see `reasons` for more details.",
            "reasons": [
                {
                    "code": "KEY_EXPIRED_ERR",
                    "message": "The action could not be performed on the key because the key is expired.",
                    "status": 400,
                    "moreInfo": "https://cloud.ibm.com/apidocs/key-protect"
                }
            ]
        }
    ]
}

22 - The encrypted nonce given does not match ...

Message

The encrypted nonce given does not match existing record: please ensure the correct nonce was given in the request

Reason code: INCORRECT_NONCE_ERR

HTTP status code

400 - Bad Request

The HTTP 400 Bad Request response status code indicates that the server cannot or will not process the request because of something that is perceived to be a client error (for example, malformed request syntax, invalid request message framing, or deceptive request routing).

The client should not repeat this request without modification.

Context

This error message applies to the restore and rotate key interfaces.

This example is based on the restore key command and uses the CLI because its output, compared with the API,

Step 1 - Set up the problem by creating a root key with an import token, then deleting the key

# create an import token that expires in 15 minutes (900 seconds) and allows 10 retrievals
$ ibmcloud kp import-token create -e 900 -m 10

Created                         Expires                         Max Retrievals   Remaining Retrievals
2020-08-18 19:05:51 +0000 UTC   2020-08-18 19:20:51 +0000 UTC   10               10

# create a random, base64-encoded, 32-byte key material
$ KEY_MATERIAL=$(openssl rand -base64 32)

$ echo $KEY_MATERIAL

DL4Avc1yL7DhclfV9Uksvzy8VkYIKWZA9InYQv/iiro=

# extract the nonce that was created by the "kp import-token create" command
$ NONCE=$(ibmcloud kp import-token show | jq -r '.["nonce"]')

$ echo $NONCE

6SB0nQ8ROUCPUiyF

# extract the public key that was created by the "kp import-token create" command
$ PUBLIC_KEY=$(ibmcloud kp import-token show | jq -r '.["payload"]')

$ echo $PUBLIC_KEY

LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0t ...<redacted>... QyBLRVktLS0tLQo=

# encrypt the key material using the public key
$ ibmcloud kp import-token key-encrypt -k $KEY_MATERIAL -p $PUBLIC_KEY

Encrypted Key
rATe0oyYy+793MDlxQi2kJxf5BqLbmVY ...<redacted>... gNVJ5oxm7KX94iE=

# capture the encrypted key material
$ ENCRYPTED_KEY=rATe0oyYy+793MDlxQi2kJxf5BqLbmVY ...<redacted>... gNVJ5oxm7KX94iE=

# encrypt the nonce
$ ibmcloud kp import-token nonce-encrypt -k $KEY_MATERIAL -n $NONCE

Encrypted Nonce                            IV
+KjUDFD38r8zlXKJkn+dOR4/xNYN5ozpvKCiIQ==   CSPZwm2qJ5mL00oP

# capture the encrypted nonce and the initialization vector (IV)
$ ENCRYPTED_NONCE=+KjUDFD38r8zlXKJkn+dOR4/xNYN5ozpvKCiIQ==
$ IV=CSPZwm2qJ5mL00oP

# create a root key using an import token, provide an encrypted key, nonce, and initialization vector (IV)
$ KEY_ID=$(ibmcloud kp key create my-imported-root-key -k $ENCRYPTED_KEY -n $ENCRYPTED_NONCE -v $IV --output json | jq -r '.["id"]')

$ echo $KEY_ID

fa0a7d81-a947-4bac-883d-952f6288f0a9

# delete the root key
$ ibmcloud kp key delete $KEY_ID

Deleting key: 'fa0a7d81-a947-4bac-883d-952f6288f0a9', from instance: 'a192d603-0b8d-452f-aac3-f9e1f95e7411'...
OK
Deleted Key
fa0a7d81-a947-4bac-883d-952f6288f0a9

Step 2 - Trigger the error by creating the import token required to restore the key, then restoring the key

# NOTE: the "kp key restore" requires an import token to complete the process,
# if you follow this example, the import token created above may still exist and
# the example works; otherwise, if the import token has expired then you need to
# create a new import token prior to restoring the key

# create an import token that expires in 15 minutes (900 seconds) and allows 10 retrievals
$ ibmcloud kp import-token create -e 900 -m 10

Created                         Expires                         Max Retrievals   Remaining Retrievals
2020-08-18 19:12:35 +0000 UTC   2020-08-18 19:27:35 +0000 UTC   10               10

# extract the nonce that was created by the "kp import-token create" command
$ NONCE=$(ibmcloud kp import-token show | jq -r '.["nonce"]')

$ echo $NONCE

N3x8F0ihAZ51nj6M

# extract the public key that was created by the "kp import-token create" command
$ PUBLIC_KEY=$(ibmcloud kp import-token show | jq -r '.["payload"]')

$ echo $PUBLIC_KEY

LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0t ...<redacted>... QyBLRVktLS0tLQo=

# encrypt the key material using the public key
$ ibmcloud kp import-token key-encrypt -k $KEY_MATERIAL -p $PUBLIC_KEY

Encrypted Key
qkhpyERrqgU+q6M0ulCyFLP4/uAyTRNJ ...<redacted>... RvVRAyhPP9civbU=

# capture the encrypted key material
$ ENCRYPTED_KEY=qkhpyERrqgU+q6M0ulCyFLP4/uAyTRNJ ...<redacted>... RvVRAyhPP9civbU=

# encrypt the nonce
$ ibmcloud kp import-token nonce-encrypt -k $KEY_MATERIAL -n $NONCE

Encrypted Nonce                            IV
nrrCczvYXvc6T7J2G+EOLjHZO1cpPyu/nhsIlA==   N6oLJnUqaKF3v5Sd

# Normally, you would capture the last encrypted nonce and the initialization
# vector (IV) (from the import token). Then use those new values with the
# "key restore" command.

# To force an error we are using the old (original) encrypted nonce and IV to
# restore the key, which fails because the ENCRYPTED_NONCE does not match the
# value in the import token

# we skipped these steps to force an error
# $ ENCRYPTED_NONCE=nrrCczvYXvc6T7J2G+EOLjHZO1cpPyu/nhsIlA==
# $ IV=N6oLJnUqaKF3v5Sd

# use the CLI to restore the deleted key
# this fails because the ENCRYPTED_NONCE does not match the value in the import token
$ ibmcloud kp key restore $KEY_ID -k $ENCRYPTED_KEY -n $ENCRYPTED_NONCE -v $IV --output json

FAILED
kp.Error:
    correlation_id='a9412941-7986-421d-a67f-b22892e7634d',
    msg='Bad Request:
        Key could not be restored.
        Please see `reasons` for more details.',
    reasons='[INCORRECT_NONCE_ERR:
        The encrypted nonce given does not match existing record,
        please ensure the correct nonce was given in the request -
        FOR_MORE_INFO_REFER: https://cloud.ibm.com/apidocs/key-protect]'
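
The nonce check behind this error, as an added Go example that is not part of IBM's documentation or tooling. It follows the scheme the Key Protect import-token documentation describes (RSA-OAEP with SHA-256 for the key material, AES-GCM for the nonce); the RSA key pair, the nonce and the key material are generated locally as a stand-in for the service, and the type and function names are this example's own. The same check is what reports a nonce that was not encrypted with the given key material, or a wrong IV, under error 28 below.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"io"
)

var ErrIncorrectNonce = errors.New("INCORRECT_NONCE_ERR: encrypted nonce does not match the import token's nonce")
var ErrIncorrectNonceIV = errors.New("INCORRECT_NONCE_IV_ERR: nonce not encrypted with this key material, or wrong IV")

// ImportToken stands in for one "kp import-token create" result (generated locally, not the
// service's): the service keeps the private key and nonce, the client gets Pub and Nonce.
type ImportToken struct {
	priv  *rsa.PrivateKey
	Pub   *rsa.PublicKey
	Nonce []byte
}

func NewImportToken() *ImportToken {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // entropy failure: nothing sensible to do
	}
	return &ImportToken{priv: priv, Pub: &priv.PublicKey, Nonce: randomBytes(12)} // 12-byte nonce as on this page
}

// EncryptKeyMaterial is the client step "kp import-token key-encrypt": RSA-OAEP/SHA-256 under Pub.
func EncryptKeyMaterial(pub *rsa.PublicKey, keyMaterial []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, keyMaterial, nil)
}

// EncryptNonce is the client step "kp import-token nonce-encrypt": AES-GCM under the key material, fresh IV.
func EncryptNonce(keyMaterial, nonce []byte) (encNonce, iv []byte, err error) {
	gcm, err := newGCM(keyMaterial)
	if err != nil {
		return nil, nil, err
	}
	iv = randomBytes(gcm.NonceSize())
	return gcm.Seal(nil, iv, nonce, nil), iv, nil
}

// VerifyImport is the service-side check behind "kp key create/restore -k -n -v": recover the key material, open the encrypted nonce with it, and require it to be this token's nonce.
func (t *ImportToken) VerifyImport(encKey, encNonce, iv []byte) ([]byte, error) {
	keyMaterial, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, t.priv, encKey, nil)
	if err != nil {
		return nil, err // key material was not encrypted for this token's public key
	}
	gcm, err := newGCM(keyMaterial)
	if err != nil {
		return nil, err
	}
	nonce, err := gcm.Open(nil, iv, encNonce, nil)
	if err != nil {
		return nil, ErrIncorrectNonceIV // GCM tag failed: wrong key material or wrong IV
	}
	if !bytes.Equal(nonce, t.Nonce) {
		return nil, ErrIncorrectNonce // genuine ciphertext, but of another (older) token's nonce
	}
	return keyMaterial, nil
}

func newGCM(keyMaterial []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(keyMaterial) // 32-byte key material selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

// ReplayOldNonce reproduces the failing restore above: the key material is re-encrypted for a second token, but the first token's encrypted nonce and IV are reused.
func ReplayOldNonce() error {
	keyMaterial := bytes.Repeat([]byte{0x42}, 32) // constructed demo key material
	first := NewImportToken()
	encNonce, iv, err := EncryptNonce(keyMaterial, first.Nonce)
	if err != nil {
		return err
	}
	second := NewImportToken()
	encKey, err := EncryptKeyMaterial(second.Pub, keyMaterial)
	if err != nil {
		return err
	}
	_, err = second.VerifyImport(encKey, encNonce, iv)
	return err
}
```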

23 - The import token has expired

Message

The import token has expired

Reason code: IMPORT_TOKEN_EXPIRED_ERR

HTTP status code

409 - Conflict

The HTTP 409 Conflict response status code indicates that the request conflicts with the current state of the server.

Conflicts are most likely to occur in response to a PUT request. For example, you might receive a 409 response when uploading a file that is older than the one already on the server, resulting in a version control conflict.

Context

Example 1

Using the API, create an import token, allow it to expire, then try to retrieve it.

# create an import token
$ curl -X POST \
    "https://us-south.kms.cloud.ibm.com/api/v2/import_token" \
    -H "authorization: Bearer $ACCESS_TOKEN" \
    -H "bluemix-instance: $KP_INSTANCE_ID" \
    -H "content-type: application/json" \
    -d '{
            "expiration": 300,
            "maxAllowedRetrievals": 2
        }'

JSON response

{
    "maxAllowedRetrievals": 2,
    "creationDate": "2020-08-18T19:54:57Z",
    "expirationDate": "2020-08-18T19:59:57Z",
    "remainingRetrievals":2
}
# retrieve the import token after it expires
$ curl -X GET \
    "https://us-south.kms.cloud.ibm.com/api/v2/import_token" \
    -H "authorization: Bearer $ACCESS_TOKEN" \
    -H "bluemix-instance: $KP_INSTANCE_ID" \
    -H "content-type: application/vnd.ibm.kms.import_token+json"

JSON response

{
    "metadata": {
        "collectionType": "application/vnd.ibm.kms.error+json",
        "collectionTotal": 1
    },
    "resources": [
        {
            "errorMsg": "Conflict: Import Token could not be retrieved. Please see `reasons` for more details.",
            "reasons":[
                {
                    "code": "IMPORT_TOKEN_EXPIRED_ERR",
                    "message": "The import token has expired.",
                    "status": 409,
                    "moreInfo": "https://cloud.ibm.com/apidocs/key-protect"
                }
            ]
        }
    ]
}

Example 2

Using the CLI, create an import token, allow it to expire, then try to retrieve it.

# create an import token that expires in 5 minutes (300 seconds) and allows 2 retrievals
$ ibmcloud kp import-token create -e 300 -m 2

Created                         Expires                         Max Retrievals   Remaining Retrievals
2020-08-18 19:39:06 +0000 UTC   2020-08-18 19:44:06 +0000 UTC   2                2

# sleep 300 seconds, which allows the import token to expire
$ sleep 300

# show the import token
$ ibmcloud kp import-token show

FAILED
kp.Error:
    correlation_id='fb677c6e-9bfa-422e-a14b-0e221bbad32b',
    msg='Conflict:
        Import Token could not be retrieved.
        Please see `reasons` for more details.',
    reasons='[IMPORT_TOKEN_EXPIRED_ERR:
        The import token has expired. -
        FOR_MORE_INFO_REFER: https://cloud.ibm.com/apidocs/key-protect]'

24 - The key cannot be deleted because it ...

Message

The key cannot be deleted because it is protecting a cloud resource that has a retention policy: before deleting this key, contact an account owner to remove the retention policy on each resource associated with this key

Reason code: PREV_KEY_DEL_ERR

HTTP status code

409 - Conflict

The HTTP 409 Conflict response status code indicates that the request conflicts with the current state of the server.

Conflicts are most likely to occur in response to a PUT request. For example, you might receive a 409 response when uploading a file that is older than the one already on the server, resulting in a version control conflict.

Context

This error occurs when you delete a key that is used in a registration.

In most cases, a key that has registrations can be deleted with the --force option.

If a registered resource has preventKeyDeletion set to true, the forced deletion fails and this error message is displayed.

In other words, all registrations must have preventKeyDeletion set to false.

A registration is an association between a root key and another cloud resource, such as a Cloud Object Storage (COS) bucket or a Cloud Databases deployment.

For more information about registrations, see Viewing associations between root keys and encrypted IBM Cloud resources.

25 - The key is not dual auth enabled and ...

Message

The key is not dual auth enabled and cannot be set for deletion

Reason code: NOT_DUAL_AUTH_ERR

HTTP status code

409 - Conflict

The HTTP 409 Conflict response status code indicates that the request conflicts with the current state of the server.

Conflicts are most likely to occur in response to a PUT request. For example, you might receive a 409 response when uploading a file that is older than the one already on the server, resulting in a version control conflict.

Context

This error occurs when you try to authorize a deletion, or remove an authorization, and the key does not have a dual authorization policy.

These examples show the error when using the API and the CLI.

Example 1

This example uses the API to authorize a deletion and to remove the authorization.

# create a root key
$ curl -X POST \
    "https://us-south.kms.cloud.ibm.com/api/v2/keys" \
    -H "authorization: Bearer $ACCESS_TOKEN" \
    -H "bluemix-instance: $KP_INSTANCE_ID" \
    -H "content-type: application/vnd.ibm.kms.key+json" \
    -d '{
            "metadata": {
                "collectionType": "application/vnd.ibm.kms.key+json",
                "collectionTotal": 1
            },
            "resources": [
                {
                    "type": "application/vnd.ibm.kms.key+json",
                    "name": "root-example-key",
                    "description": "root-example-key",
                    "extractable": false
                }
            ]
        }'

JSON response

{
    "metadata": {
        "collectionType": "application/vnd.ibm.kms.key+json",
        "collectionTotal": 1
    },
    "resources": [
        {
            "type": "application/vnd.ibm.kms.key+json",
            "id": "eb086d96-3b2c-48b5-bf31-c8f0305eea77",
            "name": "root-example-key",
            "description": "root-example-key",
            "state": 1,
            "extractable": false,
            "crn":"crn:v1:bluemix:public:kms:us-south:a/ea998d3389c3473aa0987652b46fb146:a192d603-0b8d-452f-aac3-f9e1f95e7411:key:eb086d96-3b2c-48b5-bf31-c8f0305eea77",
            "imported": false,
            "deleted": false
        }
    ]
}

Authorize the deletion of a key that has a dual authorization policy.

# set the KEY_ID
$ KEY_ID=eb086d96-3b2c-48b5-bf31-c8f0305eea77

# this request fails because the key DOES NOT have a dual authorization policy
$ curl -X POST \
    "https://us-south.kms.cloud.ibm.com/api/v2/keys/$KEY_ID/actions/setKeyForDeletion" \
    -H "authorization: Bearer $ACCESS_TOKEN" \
    -H "bluemix-instance: $KP_INSTANCE_ID" \
    -H "content-type: application/vnd.ibm.kms.key_action+json"

JSON response

{
    "metadata": {
        "collectionType": "application/vnd.ibm.kms.error+json",
        "collectionTotal": 1
    },
    "resources": [
        {
            "errorMsg": "Conflict: Action could not be performed on key. Please see `reasons` for more details.",
            "reasons": [
                {
                    "code": "NOT_DUAL_AUTH_ERR",
                    "message":"The key is not dual auth enabled and cannot be set for deletion",
                    "status": 409,
                    "moreInfo": "https://cloud.ibm.com/apidocs/key-protect"
                }
            ]
        }
    ]
}

Remove the authorization of a key that has a dual authorization policy.

# this request fails because the key DOES NOT have a dual authorization policy
$ curl -X POST \
    "https://us-south.kms.cloud.ibm.com/api/v2/keys/$KEY_ID/actions/unsetKeyForDeletion" \
    -H "authorization: Bearer $ACCESS_TOKEN" \
    -H "bluemix-instance: $KP_INSTANCE_ID" \
    -H "content-type: application/vnd.ibm.kms.key_action+json"

JSON response

{
    "metadata": {
        "collectionType": "application/vnd.ibm.kms.error+json",
        "collectionTotal": 1
    },
    "resources": [
        {
            "errorMsg": "Conflict: Action could not be performed on key. Please see `reasons` for more details.",
            "reasons": [
                {
                    "code": "NOT_DUAL_AUTH_ERR",
                    "message": "The key is not dual auth enabled and cannot be set for deletion",
                    "status": 409,
                    "moreInfo": "https://cloud.ibm.com/apidocs/key-protect"
                }
            ]
        }
    ]
}

Example 2

This example uses the CLI to authorize a deletion and to remove the authorization.

Note: $KEY_ID was set in the previous example.

# this request fails because the key DOES NOT have a dual authorization policy
$ ibmcloud kp key schedule-delete $KEY_ID

Scheduling key for deletion...
FAILED
kp.Error:
    correlation_id='3d941968-c599-43b3-b681-306422079412',
    msg='Conflict:
        Action could not be performed on key.
        Please see `reasons` for more details.',
    reasons='[NOT_DUAL_AUTH_ERR:
        The key is not dual auth enabled and cannot be set for deletion -
        FOR_MORE_INFO_REFER: https://cloud.ibm.com/apidocs/key-protect]'

# this request fails because the key DOES NOT have a dual authorization policy
$ ibmcloud kp key cancel-delete $KEY_ID

Cancelling key for deletion...
FAILED
kp.Error:
    correlation_id='5b04a667-573c-44d1-82d5-39730af56a75',
    msg='Conflict:
        Action could not be performed on key.
        Please see `reasons` for more details.',
    reasons='[NOT_DUAL_AUTH_ERR:
        The key is not dual auth enabled and cannot be set for deletion -
        FOR_MORE_INFO_REFER: https://cloud.ibm.com/apidocs/key-protect]'

26 - The key was updated recently

Message

The key was updated recently: please wait and try again

Reason code: REQ_TOO_EARLY_ERR

HTTP status code

409 - Conflict

The HTTP 409 Conflict response status code indicates that the request conflicts with the current state of the server.

Conflicts are most likely to occur in response to a PUT request. For example, you might receive a 409 response when uploading a file that is older than the one already on the server, resulting in a version control conflict.

Context

This error occurs when you enable or restore a key within 30 seconds of the last action.

You must wait at least 30 seconds between the last action and enabling or restoring the key.

This example fails because the key was enabled too soon after it was disabled.

# create a root key
$ KEY_ID=$(ibmcloud kp key create example-key -i $KP_INSTANCE_ID --output json | jq -r '.["id"]')

$ echo $KEY_ID

54f53384-b563-4466-860a-c42ce42f7ac9

# disable the key
$ ibmcloud kp key disable $KEY_ID -i $KP_INSTANCE_ID

Disabling key: '54f53384-b563-4466-860a-c42ce42f7ac9', in instance: 'a192d603-0b8d-452f-aac3-f9e1f95e7411'...
OK

# this request fails because the key was enabled too soon
$ ibmcloud kp key enable $KEY_ID -i $KP_INSTANCE_ID

Enabling key: '54f53384-b563-4466-860a-c42ce42f7ac9', in instance: 'a192d603-0b8d-452f-aac3-f9e1f95e7411'...
FAILED
kp.Error:
    correlation_id='59c343a7-c20f-43ea-9e50-da45cecbc8a6',
    msg='Conflict:
        Key could not be enabled.
        Please see `reasons` for more details.',
    reasons='[REQ_TOO_EARLY_ERR:
        The key was updated recently.
        Please wait and try again. -
        FOR_MORE_INFO_REFER: https://cloud.ibm.com/apidocs/key-protect]'

# this request succeeds because the key was disabled at least 30 seconds ago
$ ibmcloud kp key enable $KEY_ID -i $KP_INSTANCE_ID

Enabling key: '54f53384-b563-4466-860a-c42ce42f7ac9', in instance: 'a192d603-0b8d-452f-aac3-f9e1f95e7411'...
OK

27 - The ciphertext provided is invalid or ...

Message

The ciphertext provided is invalid or corrupted

Reason code: UNPROCESSABLE_CIPHERTEXT_ERR

HTTP status code

422 - Unprocessable Entity

The HTTP 422 Unprocessable Entity response status code indicates that the server understands the content type of the request entity, and the syntax of the request entity is correct, but it was unable to process the contained instructions.

The client should not repeat this request without modification.

Context

This usually means that the hardware security module (HSM) could not process the data because the input is invalid.

This error is returned when there is an internal error.

If you receive this error, contact IBM Support.

28 - The encrypted nonce provided was not ...

Message

The encrypted nonce provided was not encrypted with the key material provided, or the initialization vector provided does not match the encrypted nonce

Reason code: INCORRECT_NONCE_IV_ERR

HTTP status code

400 - Bad Request

The HTTP 400 Bad Request response status code indicates that the server cannot or will not process the request because of something that is perceived to be a client error (for example, malformed request syntax, invalid request message framing, or deceptive request routing).

The client should not repeat this request without modification.

Context

This usually means that the hardware security module (HSM) could not process the data because the input is invalid.

This error is returned when there is an internal error.

If you receive this error, contact IBM Support.

29 - The queried resource does not belong to the service

Message

The queried resource does not belong to the service

Reason code: RESOURCE_OWNER_ERR

HTTP status code

403 - Forbidden

The HTTP 403 Forbidden client error status response code indicates that the server understood the request but refuses to authorize it.

This status is similar to 401, but in this case re-authenticating makes no difference. The access is permanently forbidden and tied to the application logic, such as insufficient rights to a resource.

Context

This error message occurs in service-to-service requests. A service tried to delete a key, which is not allowed. That is, another service cannot delete a Key Protect key.

One example of service-to-service access is a user configuring a Cloud Object Storage (COS) bucket to use a Key Protect key.

Using the COS example, COS cannot delete the key that is used to encrypt the data.

30 - This action can only be completed by a service ...

Message

This action can only be completed by a service (service to service)

Reason code: SERVICE_ONLY_ERR

HTTP status code

403 - Forbidden

The HTTP 403 Forbidden client error status response code indicates that the server understood the request but refuses to authorize it.

This status is similar to 401, but in this case re-authenticating makes no difference. The access is permanently forbidden and tied to the application logic, such as insufficient rights to a resource.

Context

Some actions, such as creating a registration, can be performed only by another service (known as a service-to-service request).

For example, if you configure a Cloud Object Storage (COS) bucket to encrypt its data with a Key Protect key, the COS service needs to create the registration.

A service-to-service request is required to create, delete, replace, or update a registration.

See this resource for more information about registrations.

31 - This action is not allowed on this ...

Message

This action is not allowed on this resource: please contact IBM Key Protect or open a service ticket to enable this feature

Reason code: FEATURE_RESTRICTED_ERR

HTTP status code

403 - Forbidden

The HTTP 403 Forbidden client error status response code indicates that the server understood the request but refuses to authorize it.

This status is similar to 401, but in this case re-authenticating makes no difference. The access is permanently forbidden and tied to the application logic, such as insufficient rights to a resource.

Context

You are trying to create, update, or use an instance policy that has an unsupported feature.

For example, an instance policy was created for an allowedIp address range, which supports only IPv4 addresses. You then made a request to the instance from an IPv6 address, which returns this error.

32 - This request requires a key version ...

Message

This request requires a key version later than the current registration key version

Reason code: KEY_VERSION_INVALID

HTTP status code

422 - Unprocessable Entity

The HTTP 422 Unprocessable Entity response status code indicates that the server understands the content type of the request entity, and the syntax of the request entity is correct, but it was unable to process the contained instructions.

The client should not repeat this request without modification.

Context

This error applies to keys used in registrations.

When a service such as Cloud Object Storage (COS) tries to replace or restore a key, it checks the key's timestamp.

This error occurs if the key's timestamp is earlier than the timestamp of the key used by the registration.

The key used by the service must have a timestamp equal to or later than that of the registration key.

A registration is an association between a root key and another cloud resource, such as a Cloud Object Storage (COS) bucket or a Cloud Databases deployment.

For more information about registrations, see Viewing associations between root keys and encrypted IBM Cloud resources.

33 - This root key has been rotated within ...

Message

This root key has been rotated within the last hour: only one 'rotate' action per hour is permitted

Reason code: KEY_ROTATION_NOT_PERMITTED

HTTP status code

409 - Conflict

The HTTP 409 Conflict response status code indicates that the request conflicts with the current state of the server.

Conflicts are most likely to occur in response to a PUT request. For example, you might receive a 409 response when uploading a file that is older than the one already on the server, resulting in a version control conflict.

Context

A root key can be rotated at most once per hour. Trying to rotate a root key again within an hour returns this error message.

# step 1 - create a root key and provide a key material
$ KEY_MATERIAL=$(openssl rand -base64 32)

$ echo $KEY_MATERIAL

dlYulSKD5cEG/XoAV8vv4QiQe/s3SlBzPY+PKgq92/0=

$ KEY_ID=$(ibmcloud kp key create rotate-example-key -i $KP_INSTANCE_ID --key-material $KEY_MATERIAL --output json | jq -r '.["id"]')

$ echo $KEY_ID

1604b4f3-6ba0-459c-8f65-400ed981a5eb

# step 2 - this request succeeds because there is no time
#          restriction when rotating the key the first time
$ KEY_MATERIAL_NEW_1=$(openssl rand -base64 32)

$ echo $KEY_MATERIAL_NEW_1

rK9CCRHxr8RpVvKQSEvud1zHAPnXl3PvhaPwx2aRxGE=

$ curl -X POST \
    "https://us-south.kms.cloud.ibm.com/api/v2/keys/$KEY_ID/actions/rotate" \
    -H "authorization: Bearer $ACCESS_TOKEN" \
    -H "bluemix-instance: $KP_INSTANCE_ID" \
    -H "content-type: application/vnd.ibm.kms.key_action+json" \
    -d '{
            "payload": "'$KEY_MATERIAL_NEW_1'"
        }'

# step 3 - this request fails because the key was
#          last rotated less than one hour ago
$ KEY_MATERIAL_NEW_2=$(openssl rand -base64 32)

$ echo $KEY_MATERIAL_NEW_2

pQX+ghaaH/r/s54ICWuwq3jQDPWlHQMDhAV0mwpBf2w=

$ curl -X POST \
    "https://us-south.kms.cloud.ibm.com/api/v2/keys/$KEY_ID/actions/rotate" \
    -H "authorization: Bearer $ACCESS_TOKEN" \
    -H "bluemix-instance: $KP_INSTANCE_ID" \
    -H "content-type: application/vnd.ibm.kms.key_action+json" \
    -d '{
            "payload": "'$KEY_MATERIAL_NEW_2'"
        }'

JSON response

{
    "metadata": {
        "collectionType": "application/vnd.ibm.kms.error+json",
        "collectionTotal": 1
    },
    "resources": [
        {
            "errorMsg": "Conflict: Action could not be performed on key: Please see `reasons` for more details (KEY_ROTATION_NOT_PERMITTED)",
            "reasons": [
                {
                    "code": "KEY_ROTATION_NOT_PERMITTED",
                    "message": "This root key has been rotated within the last hour: Only one 'rotate' action per hour is permitted",
                    "status": 409,
                    "moreInfo": "https://cloud.ibm.com/apidocs/key-protect"
                }
            ]
        }
    ]
}

34-This root key was created with user-supplied ...

Message

This root key was created with user-supplied key material: Key material is required to perform a 'rotate' action

Reason code: KEY_PAYLOAD_REQ_ERR

HTTP status code

400 - Bad Request

The HTTP 400 Bad Request response status code indicates that the server cannot or will not process the request due to something that is perceived to be a client error (for example, malformed request syntax, invalid request message framing, or deceptive request routing).

The client should not repeat this request without modification.

Context

If a root key was created with key material (a payload), new key material must be supplied to rotate that key.

# step 1 - create a root key and provide a key material
$ KEY_MATERIAL=$(openssl rand -base64 32)

$ echo $KEY_MATERIAL

HpHM2YG9PMLBo4fZmV2WODZTTWlwaKmy496MoCE7w7U=

$ KEY_ID=$(ibmcloud kp key create rotate-example-key -i $KP_INSTANCE_ID --key-material $KEY_MATERIAL --output json | jq -r '.["id"]')

$ echo $KEY_ID

e52ee578-af71-4cd7-ba19-f1a8020d6a10

# step 2 - this request fails because no new key material is provided
$ curl -X POST \
    "https://us-south.kms.cloud.ibm.com/api/v2/keys/$KEY_ID/actions/rotate" \
    -H "authorization: Bearer $ACCESS_TOKEN" \
    -H "bluemix-instance: $KP_INSTANCE_ID" \
    -H "content-type: application/vnd.ibm.kms.key_action+json"

JSON response

{
    "metadata": {
        "collectionType": "application/vnd.ibm.kms.error+json",
        "collectionTotal": 1
    },
    "resources": [
        {
            "errorMsg": "Bad Request: Action could not be performed on key: Please see `reasons` for more details (KEY_PAYLOAD_REQ_ERR)",
            "reasons": [
                {
                    "code": "KEY_PAYLOAD_REQ_ERR",
                    "message": "This root key was created with user-supplied key material: Key material is required to perform a 'rotate' action",
                    "status": 400,
                    "moreInfo": "https://cloud.ibm.com/apidocs/key-protect",
                    "target": {
                        "type": "field",
                        "name": "payload"
                    }
                }
            ]
        }
    ]
}
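The two rotation errors above (33 and 34) are easiest to handle in a client if it parses the `application/vnd.ibm.kms.error+json` envelope and branches on `reasons[].code` instead of matching `errorMsg` strings. The following Python is an added example, not code from the Key Protect documentation or SDK: it classifies the two responses shown on this page, computes how long to wait before a retry from the key's last rotation timestamp, and builds the rotate request body for an imported key. The sample responses are constructed from the JSON above; the `lastRotateDate` field name, the timestamps, the helper names, and the assumption that a key generated by Key Protect rotates with an empty body are illustrative assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Page: only one 'rotate' action per hour is permitted on a root key.
ROTATION_INTERVAL = timedelta(hours=1)

# Constructed sample error bodies, copied from the responses shown on this page.
ROTATION_CONFLICT = json.dumps({
    "metadata": {"collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1},
    "resources": [{
        "errorMsg": "Conflict: Action could not be performed on key: Please see `reasons` for more details (KEY_ROTATION_NOT_PERMITTED)",
        "reasons": [{
            "code": "KEY_ROTATION_NOT_PERMITTED",
            "message": "This root key has been rotated within the last hour: Only one 'rotate' action per hour is permitted",
            "status": 409,
            "moreInfo": "https://cloud.ibm.com/apidocs/key-protect",
        }],
    }],
})

PAYLOAD_REQUIRED = json.dumps({
    "metadata": {"collectionType": "application/vnd.ibm.kms.error+json", "collectionTotal": 1},
    "resources": [{
        "errorMsg": "Bad Request: Action could not be performed on key: Please see `reasons` for more details (KEY_PAYLOAD_REQ_ERR)",
        "reasons": [{
            "code": "KEY_PAYLOAD_REQ_ERR",
            "message": "This root key was created with user-supplied key material: Key material is required to perform a 'rotate' action",
            "status": 400,
            "moreInfo": "https://cloud.ibm.com/apidocs/key-protect",
            "target": {"type": "field", "name": "payload"},
        }],
    }],
})


def reason_codes(body):
    """Return [(code, status, target_field)] from an error envelope.

    Some responses (for example the 401 later on this page) carry only errorMsg
    and no reasons array; those yield an empty list.
    """
    doc = json.loads(body)
    found = []
    for resource in doc.get("resources", []):
        for reason in resource.get("reasons", []):
            target = reason.get("target") or {}
            found.append((reason["code"], reason["status"], target.get("name")))
    return found


def classify(body):
    """Map an error envelope to what the rotation client should do next."""
    for code, _status, _field in reason_codes(body):
        if code == "KEY_ROTATION_NOT_PERMITTED":
            return "retry_after_window"   # rate-limited; the request itself is fine
        if code == "KEY_PAYLOAD_REQ_ERR":
            return "supply_key_material"  # imported key: add 'payload' and resend
    return "abort"                        # unknown or reason-less error: do not retry blindly


def _parse_utc(stamp):
    # Accept the trailing 'Z' form on Python versions before 3.11.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def seconds_until_rotation_allowed(last_rotate_date, now):
    """Seconds to wait before the next rotate, given the key's lastRotateDate
    (assumed metadata field name) and the current time, both as RFC 3339 strings."""
    remaining = _parse_utc(last_rotate_date) + ROTATION_INTERVAL - _parse_utc(now)
    return max(0, int(remaining.total_seconds()))


def build_rotate_body(created_with_user_material, new_material_b64=None):
    """Body for POST /api/v2/keys/{id}/actions/rotate.

    Imported keys must carry new base64 key material in 'payload'; for keys that
    Key Protect generated the body is omitted (assumption, not shown on this page).
    """
    if created_with_user_material:
        if not new_material_b64:
            raise ValueError("key was imported: 'payload' with new key material is required")
        return json.dumps({"payload": new_material_b64})
    return None


if __name__ == "__main__":
    print(classify(ROTATION_CONFLICT), classify(PAYLOAD_REQUIRED))
    print(seconds_until_rotation_allowed("2024-05-01T10:00:00Z", "2024-05-01T10:20:00Z"))
    print(build_rotate_body(True, "rK9CCRHxr8RpVvKQSEvud1zHAPnXl3PvhaPwx2aRxGE="))
```

Branching on the reason code matters because the two errors call for opposite reactions: the 409 is a rate limit and the same request will succeed once the hour has passed, while the 400 will never succeed until the request is changed to include new key material. Treating both as generic failures leads either to useless retries or to a missed rotation.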

35-Unauthorized: The user does not have ...

Message

Unauthorized: The user does not have access to the specified resource

Reason code: UNAUTHORIZED_ERR

HTTP status code

401 - Unauthorized

The HTTP 401 Unauthorized client error status response code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource.

This status is sent with a WWW-Authenticate header that contains information on how to authorize correctly.

This status is similar to 403, but in this case authentication is possible.

Context

This error message is returned when the user does not have access to a resource.

This example applies an instance policy that limits access to a range of IP addresses. When a request is received from outside the allowed range, the error is returned.

# limit access to a range of IP addresses
$ curl -X PUT \
    "https://us-south.kms.cloud.ibm.com/api/v2/instance/policies?policy=allowedIP" \
    -H "authorization: Bearer $ACCESS_TOKEN" \
    -H "bluemix-instance: $KP_INSTANCE_ID" \
    -H "content-type: application/vnd.ibm.kms.policy+json" \
    -d '{
            "metadata": {
                "collectionType": "application/vnd.ibm.kms.policy+json",
                "collectionTotal": 1
            },
            "resources": [
                {
                    "policy_type": "allowedIP",
                    "policy_data": {
                        "enabled": true,
                        "attributes": {
                            "allowed_ip": [
                                "65.128.226.252/24"
                            ]
                        }
                    }
                }
            ]
        }'

Retrieving keys fails because the request comes from outside the allowed range of IP addresses.

# this fails because the request is outside the allowed range of IP addresses
$ curl -X GET \
    "https://us-south.kms.cloud.ibm.com/api/v2/keys" \
    -H "authorization: Bearer $ACCESS_TOKEN" \
    -H "bluemix-instance: $KP_INSTANCE_ID"

JSON response

{
    "metadata": {
        "collectionType": "application/vnd.ibm.kms.error+json",
        "collectionTotal": 1
    },
    "resources": [
        {
            "errorMsg": "Unauthorized: The user does not have access to the specified resource"
        }
    ]
}
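Before putting an allowedIP policy like the one above, it is worth checking the entries locally: the page states the policy supports IPv4 only, and the example entry `65.128.226.252/24` has host bits set, so the network it actually describes is `65.128.226.0/24`. The following Python is an added example, not code from the Key Protect documentation or SDK. It canonicalises the policy body with the standard library `ipaddress` module, rejects IPv6 entries, and lets you test which client addresses would be admitted and which would get the UNAUTHORIZED_ERR response shown above. The sample policy is constructed from the PUT request on this page; the function names and the handling of host-bit entries are my own assumptions, not a statement of how the service itself treats them.

```python
import ipaddress
import json

# Constructed sample policy, copied from the PUT request shown on this page.
# Note the entry has host bits set: 65.128.226.252/24 describes the network 65.128.226.0/24.
EXAMPLE_POLICY = json.dumps({
    "metadata": {"collectionType": "application/vnd.ibm.kms.policy+json", "collectionTotal": 1},
    "resources": [{
        "policy_type": "allowedIP",
        "policy_data": {"enabled": True, "attributes": {"allowed_ip": ["65.128.226.252/24"]}},
    }],
})


def normalize_allowed_ip_policy(policy_json):
    """Validate an allowedIP policy body before it is PUT.

    Returns (canonical_cidrs, notes). Raises ValueError for a resource that is
    not an allowedIP policy, an unparsable entry, or an IPv6 entry (the page
    states the policy supports IPv4 only). Entries with host bits set are
    canonicalised and noted, so the operator sees the range that will really be
    enforced rather than the address they typed.
    """
    doc = json.loads(policy_json)
    cidrs, notes = [], []
    for resource in doc["resources"]:
        if resource.get("policy_type") != "allowedIP":
            raise ValueError("expected policy_type 'allowedIP', got %r" % resource.get("policy_type"))
        for entry in resource["policy_data"]["attributes"]["allowed_ip"]:
            net = ipaddress.ip_network(entry, strict=False)  # ValueError if malformed
            if net.version != 4:
                raise ValueError("%s: allowedIP supports IPv4 only" % entry)
            if str(net) != entry:
                notes.append("%s has host bits set; enforced range is %s" % (entry, net))
            cidrs.append(str(net))
    return cidrs, notes


def request_allowed(client_ip, cidrs):
    """True if a request from client_ip falls inside one of the canonical ranges.

    IPv6 clients never match, mirroring the IPv4-only policy.
    """
    addr = ipaddress.ip_address(client_ip)
    if addr.version != 4:
        return False
    return any(addr in ipaddress.ip_network(cidr) for cidr in cidrs)


if __name__ == "__main__":
    cidrs, notes = normalize_allowed_ip_policy(EXAMPLE_POLICY)
    print(cidrs, notes)
    for ip in ("65.128.226.10", "203.0.113.5"):
        verdict = "allowed" if request_allowed(ip, cidrs) else "rejected (expect UNAUTHORIZED_ERR)"
        print(ip, verdict)
```

Run this against the policy body you intend to submit and against the egress addresses of every client that must keep working; a CIDR that looks like a single host but carries a /24 admits 256 addresses, and a forgotten NAT gateway outside the list locks that client out with the 401 above.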

Sorted by HTTP status code

These are the error messages sorted by HTTP status code.

HTTP 400 - Bad Request

  • Collection total does not match the number of resources - details

  • The data in the body does not match the data required by the query parameter - details

  • Failed to extract subject from the bearer token: Please ensure the bearer token passed is correct (well formed) and is allowed to perform the requested action - details

  • Invalid body data was passed: Please ensure the data passed is well formed and has no invalid characters - details

  • Invalid field error: if an invalid plaintext is passed in the request, the message is The field 'plaintext' must be: a base64 encoded key material; if an invalid ciphertext is passed, the message is The field 'ciphertext' must be: the original base64 encoded ciphertext from the wrap operation - details

  • Key restore has expired - details

  • Missing body in request - details

  • Only a single instance policy can be created per query parameter: Please pass a single resource object - details

  • Only imported keys can be restored - details

  • The requested action can only be completed with a root key - details

  • The action could not be performed with the key because the key has expired - details

  • The encrypted nonce given does not match the existing record: Please ensure the nonce given in the request is correct - details

  • The encrypted nonce provided was not encrypted with the key material provided, or the initialization vector provided does not match the encrypted nonce - details

  • This root key was created with user-supplied key material: Key material is required to perform a 'rotate' action - details

HTTP 401 - Unauthorized

  • Unauthorized: The user does not have access to the specified resource - details

HTTP 403 - Forbidden

  • The requested change does not comply with the configured rules - details

  • The queried resource does not belong to the service - details

  • This action can only be completed by a service (service-to-service) - details

  • This action is not allowed on this resource: Please contact IBM Key Protect or open a service ticket to enable this feature - details

HTTP 409 - Conflict

  • Key is not in a valid state - details

  • Key is protecting one or more cloud resources - details

  • KeyCreateImportAccess instance policy does not allow this action - details

  • The number of authorizations required for deletion has not been met - details

  • Import token has expired - details

  • The key cannot be deleted because it is protecting a cloud resource that has a retention policy: Please contact the account owner to remove the retention policy on each resource associated with this key before deleting the key - details

  • The key does not have dual authorization enabled and cannot be deleted - details

  • Key was recently updated: Please wait and try again - details

  • This root key has been rotated within the last hour: Only one 'rotate' action per hour is permitted - details

HTTP 410 - Gone

  • Key has been deleted: Please remove references to this key - details

HTTP 422 - Unprocessable Entity

  • Key is not in a valid state - details

  • The requested action can only be completed with a root key - details

  • Signature is invalid - details

  • The ciphertext provided is invalid or corrupted - details

  • This request requires a key version that is later than the current registration key version - details

HTTP 500 - Internal Server Error

  • Key metadata is corrupted: Please delete this key - details

Sorted by reason code

This section sorts the error messages by reason code.