IBM Cloud Docs
Troubleshooting

Troubleshooting

General problems with using IBM® Key Protect for IBM Cloud® might include providing the correct headers or credentials when you interact with the API. In many cases, you can recover from these problems by following a few easy steps.

Unable to create keys

When you access the Key Protect user interface, the option to add a key to the Key Protect instance is disabled.

From the IBM Cloud dashboard, you select your instance of the Key Protect service.

You can see a list of keys, but you're unable to select the option to add a key.

You do not have the correct authorization to perform Key Protect actions.

Verify with an administrator that you are assigned the correct role in the applicable Key Protect instance. For more information about roles, see Roles and permissions.

Unable to authenticate through the API

When you call the Key Protect API, the system returns a 401 Unauthorized error, and you're unable to make the API request.

You call any Key Protect API method. You see an error response similar to the following JSON object:

{
    "metadata": {
        "collectionType": "application/vnd.ibm.kms.error+json",
        "collectionTotal": 1
    },
    "resources": [
        {
            "errorMsg": "Unauthorized: The user does not have access to the specified resource"
        }
    ]
}

You do not have the correct authorization to perform Key Protect actions in the specified service instance.

Verify with an administrator that you are assigned the correct platform and service access roles in the applicable Key Protect instance. For more information about roles, see Roles and permissions.

Unable to view or list keys

When you try to list keys by using the Key Protect API, you're unable to view any keys in a Key Protect instance that you have access to.

You call GET api/v2/keys to list the keys that are available in your service instance. The system returns a response similar to the following JSON object:

{
    "metadata": {
        "collectionType": "application/vnd.ibm.kms.key+json",
        "collectionTotal": 0
    }
}

You do not have the correct authorization to view the requested range of keys.

Contact an administrator to check your permissions. If the Key Protect instance contains keys that you're unable to view, verify that you're assigned the applicable level of access to keys in the Key Protect instance. If the instance contains more than 200 keys, you need to use the offset and limit parameters to list another subset of keys.

For example, if you want to list keys 201 - 210 that are available in a service instance, you use ../keys?offset=200&limit=10 to skip the first 200 keys.

Unable to view or list specific keys

When you call the Key Protect API, you're unable to list specific keys that you have access to.

You call GET api/v2/keys to list the keys that are available in your service instance.

You can see a list of keys, but you can't find a specific key that's stored in the instance. You verify with your administrator that you're assigned the applicable level of access to the keys that you're unable to view. You also verify with your admin that the key belongs to the Key Protect instance that you're targeting.

The Key Protect instance contains a large number of keys, and the specific keys that you're looking for aren't returned by default when you call GET api/v2/keys to list keys.

Check with an admin to understand the total number of keys that are stored in the instance. By default, GET api/v2/keys returns the first 200 keys. If the Key Protect instance contains more than 200 keys, you need to use the offset and limit parameters to list another subset of keys.

For example, if you want to list keys 201 - 210 that are available in a service instance, you use ../keys?offset=200&limit=10 to skip the first 200 keys.

Unable to delete keys

When you use the Key Protect user interface or REST API, you're unable to delete a key.

From the IBM Cloud dashboard, you select your instance of the Key Protect service.

You're assigned a Manager access policy for the Key Protect instance. You try to delete a key, but the action fails with the following error message.

Conflict: Key could not be deleted. Status: 409, Correlation ID: 160cc463-71d1-4b30-a5f2-d3f7e9f2b75e

You also try to delete the key by using the Key Protect API, but you receive the following error message.

{
    "metadata": {
        "collectionType": "application/vnd.ibm.kms.error+json",
        "collectionTotal": 1
    },
    "resources": [
        {
            "errorMsg": "Conflict: Key could not be deleted. Please see `reasons` for more details.",
            "reasons": [
                {
                    "code": "PROTECTED_RESOURCE_ERR",
                    "message": "Key is protecting one or more cloud resources",
                    "status": 409,
                    "moreInfo": "https://cloud.ibm.com/apidocs/key-protect",
                    "target": {
                        "type": "query_param",
                        "name": "force"
                    }
                }
            ]
        }
    ]
}

This key is actively protecting one or more cloud resources, such as a IBM Cloud® Object Storage bucket or a Cloud Databases deployment.

For your protection, Key Protect prevents the deletion of a key that's actively encrypting data in the cloud. Before you delete a key, review which resources are encrypted by this key and verify with the owner of the resources to ensure you no longer require access to that data.

You can get the current list of resources associated with your key by first synchronizing the key, which might take up to 4 hours. Then, proceed to viewing associations between root keys and encrypted IBM Cloud resources.

After using Sync, associations between the key and other resources will be current and up to date. If there are no associations after using Sync, the key can be deleted normally.

If the associations are still there after Sync:

  • You can use the Key Protect API to force deletion on the key.

  • You can delete the resources associated with the key, and then delete the key normally.

Getting help and support

If you have problems or questions when you are using Key Protect, you can check IBM Cloud, or get help by searching for information or by asking questions through a forum. You can also open a support ticket.

You can check whether IBM Cloud is available by going to the status page.

You can review the forums to see whether other users ran into the same problem. When you are using the forums to ask a question, tag your question so that it is seen by the IBM Cloud development teams.

  • If you have technical questions about Key Protect, post your question on Stack Overflow and tag your question with "ibm-cloud" and "key-protect".

  • For questions about the service and getting started instructions, use the IBM developerWorks dW Answers forum. Include the "ibm-cloud" and "key-protect" tags.

See Asking a question for more details about using the forums.

For more information about opening an IBM support ticket, or about support levels and ticket severities, see Contacting support.