
Key Management Service:FAQ about application access

Last Updated:Oct 28, 2024

This topic provides answers to some frequently asked questions when an application accesses a Key Management Service (KMS) instance by using an SDK.

What do I do if the "no such host" or "not known" error is reported when I access a KMS instance?

Problem description

  • When I access a KMS instance by using KMS Instance SDK for Go, the kst-xxx.cryptoservice.kms.aliyuncs.com: no such host error is reported.

  • When I access a KMS instance by using KMS Instance SDK for Java, the kst-xxx.cryptoservice.kms.aliyuncs.com: nodename nor servname provided, or not known error is reported.

Cause

After you purchase a KMS instance, you can exclusively use the key management and secret management features that are provided by the KMS instance. The KMS instance can be accessed only from a virtual private cloud (VPC) that is associated with the instance.

Solution

  • If the VPC in which the application resides and the KMS instance are in the same region, associate the VPC with the KMS instance. For more information, see Access a KMS instance from multiple VPCs in the same region.

    For more information about the VPCs that are associated with a KMS instance, see Manage KMS instances.

  • If the VPC in which the application resides and the KMS instance are in different regions, establish a connection between the VPC in which the application resides and the VPC in which the KMS instance resides.

What do I do if the "Forbidden.NoPermission" error is reported when I use an AAP to access a KMS instance?

Problem description

When I access a KMS instance, the Forbidden.NoPermission : This operation is forbidden by permission system. error is reported or included in SDK error information.

Solution

You do not have the required permissions to use keys or secrets. To obtain the required permissions, specify valid values for the RBAC Permissions and Accessible Resources parameters when you create a permission policy. For more information, see Create an AAP.

What do I do if the "This operation for key-xxxxxx is forbidden by permission system" error is reported when I retrieve a secret?

Problem description

When I retrieve a secret, the This operation for key-xxxxxx is forbidden by permission system error is reported or included in SDK error information.

The following figure shows an example of the error information for KMS Instance SDK for Java.

[Figure: error reported when the secret value is retrieved]

Cause

The application does not have permissions to decrypt data by using the key.

When you create a secret, you must select a key to encrypt the secret value. The secret and the key must belong to the same KMS instance. When an application retrieves a secret from KMS, the application must use the selected key to decrypt the secret value. The application must have the permissions to use the secret and the key.

Solution

  • Scenario 1: Access KMS by using a client key of an AAP

    Modify the permission policy of the application access point (AAP) to grant the required permissions to the application.

    1. Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose Application Access > AAPs.

    2. Click the name of the AAP to go to the Details page of the AAP.

    3. Find the permission policy and click Modify in the Actions column. In the Modify Permission Policy panel, configure the parameters based on the following descriptions and click Update.

      • RBAC Permissions: Select CryptoServiceKeyUser.

      • Accessible Resources: In the Available Resources section, select the required keys and click the icon to add them to Selected Resources. You can also click the plus icon next to Selected Resources and add a key resource in the key/Key ID format. Example: key/key-hzz6xxxxxx.

  • Scenario 2: Access KMS by using the AccessKey pair of a RAM user or a RAM role

    Configure a Resource Access Management (RAM) policy to grant the application the permissions to decrypt data by using the required key.

    1. Log on to the RAM console.

    2. In the left-side navigation pane, choose Permissions > Policies.

    3. Find the policy that is attached to your RAM user or RAM role and click the policy name.

    4. On the Policy Document tab, click Modify Policy Document. Then, add the following script to the Statement field, click Next to edit policy Information, and then click OK.

              {
                  "Effect": "Allow",
                  "Action": "kms:Decrypt",
                  "Resource": "acs:kms:${region}:${account}:key/keyId-example"
              }

      For more information about policies, see Custom policies.

What do I do if the "Forbidden.KeyNotFound" error is reported when I access or use a key?

The error is reported because you specify an invalid region, key ID, or key alias.

Make sure that the region, key ID, and key alias that are specified for decryption are the same as those specified for encryption.

What do I do if the "UnsupportedOperation" error is reported when I call an API operation of KMS?

  • Possible cause: An application uses Alibaba Cloud SDK to perform cryptographic operations, but the keys that are used in the operations belong to a KMS instance.

    Solution: Use KMS Instance SDK. For more information, see KMS Instance SDK.

  • Possible cause: When an application calls cryptographic operations such as Encrypt, Decrypt, or GenerateDataKey in an SDK, a service key is used.

    Solution: Service keys are created and managed by cloud services. We recommend that you use a default key of the customer master key (CMK) type, a software-protected key, or a hardware-protected key.

  • Possible cause: When an application calls the GenerateDataKey operation to generate a data key, the specified key uses the Rivest-Shamir-Adleman (RSA) or elliptic-curve cryptography (ECC) asymmetric algorithm.

    Solution: Use the Advanced Encryption Standard (AES) symmetric algorithm and set the key usage to ENCRYPT/DECRYPT.

  • Possible cause: When an application calls the Sign or Verify operation, the specified key uses the AES symmetric algorithm.

    Solution: Use the RSA or ECC asymmetric algorithm and set the key usage to SIGN/VERIFY.

What do I do if the "unable to find valid certification path to requested target" error is reported when I access a KMS instance?

Possible cause 1: The wrong KMS instance is selected when you download the certificate authority (CA) certificate

  1. Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose Resource > Instances.

  2. On the Instances page, click Download below Instance CA Certificate.

  3. In the Instance CA Certificate dialog box, select the ID of the required KMS instance and click Download.

    By default, the name of the downloaded CA certificate is in the PrivateKmsCA_kst-******.pem format. Subsequently, the CA certificate is integrated into SDKs and used to check whether the SSL certificate of the selected KMS instance is valid.

Possible cause 2: The version of the SDK installation package is invalid

We recommend that you install the latest version of KMS Instance SDK. The following list provides the links to the open source code repository of KMS Instance SDK in different programming languages:

What do I do if the endpoint of a KMS instance cannot be resolved?

Problem description

Applications cannot access the endpoint of a KMS instance from the VPC in which the KMS instance resides or from a VPC that is associated with the KMS instance. For example, when you run the ping kst-hzz62****.cryptoservice.kms.aliyuncs.com command, the endpoint cannot be resolved, and the "cannot resolve" error is reported.

Solution

Check whether the default IP addresses of Domain Name System (DNS) servers such as 100.100.2.136 and 100.100.2.138 are specified in the DNS settings of the server on which the applications are deployed. For more information, see Do I need to modify the DNS settings of the server when I use PrivateZone?

When I access a KMS instance, the system prompts that the password for the specified client key is invalid. What do I do?

Problem description

  • When I access a KMS instance by using KMS Instance SDK for Java, the java.io.IOException: keystore password was incorrect error is reported.

  • When I access a KMS instance by using KMS Instance SDK for PHP, the Could not decrypt the privateKey of clientKey, the password is incorrect,or it is not a valid pkcs12 error is reported.

  • When I access a KMS instance by using KMS Instance SDK for Go, the panic: pkcs12: decryption password incorrect error is reported.

  • When I access a KMS instance by using KMS Instance SDK for Python, the OpenSSL.crypto.Error: [('PKCS12 routines', '', 'mac verify failure')] error is reported.

Cause

The password for the client key is invalid.

Solution

  • Check whether the password for the client key meets the format requirements. If the password does not meet the requirements, create a different client key. For more information, see Create a client key.

    The password must be 8 to 64 characters in length and contain at least two of the following types of characters: digits, letters, and special characters. The following special characters are supported: ~ ! @ # $ % ^ & * ? _ -.

  • If you read the password from a file, make sure that the password file is a text file and contains only the password in one line. If the file contains special symbols such as line feeds or tab characters, the file does not meet the password format requirements.

When I access a KMS instance, an HTTP 413 status code is reported. What do I do?

Make sure that the body of a request does not exceed 3 MB in size after all parameters of the request are encoded by using Protocol Buffers. If the request body exceeds the limit, the server rejects the request and returns an HTTP 413 status code.

  • Encryption and decryption: We recommend that you limit the data size to 6 KB for encryption and decryption by using symmetric keys and 1 KB for encryption and decryption by using asymmetric keys in a single operation. If the limits are exceeded, we recommend that you use envelope encryption.

  • Signing and verification: If the size of a message to sign is large, we recommend that you locally generate a digest of the message and then call the Sign or Verify operation for signing or verification.

What do I do if the "UnknownHostException" error is reported when I access a KMS instance?

Problem description

When I access a KMS instance by using KMS Instance SDK for Java, the Caused by: java.net.UnknownHostException: kst-hzz664da459rvtjtd****.cryptoservice.kms.aliyuncs.com error is reported.

Solution

  1. Check whether the environment of your application is connected to the VPC of the KMS instance.

    If the VPC of the application and the KMS instance are in the same region, associate the VPC with the KMS instance. For more information, see Access a KMS instance from multiple VPCs in the same region. For other scenarios, see the following section:

    • Connect different VPCs

      You can enable private communication between VPCs by using CEN, VPN gateways, VPC peering connections, or PrivateLink. For more information about the preceding solutions, see Overview of VPC connections.

    • Connect a VPC to the Internet

      You can enable ECS instances in a VPC to communicate with the Internet by assigning public IP addresses to the ECS instances, associating EIPs with the ECS instances, using a NAT gateway, or using Server Load Balancer (SLB). For more information, see Internet access overview.

    • Connect a VPC to a data center

      You can connect a data center to a VPC through a VPN gateway, an Express Connect circuit, or Smart Access Gateway (SAG). For more information, see Connect a data center to a VPC.

  2. Check whether the settings of the domain name resolution for the KMS instance are correctly configured. For more information about how to configure DNS settings, see What is Private DNS?

Can I use the secret management feature of KMS in an Android system?

No, you cannot use the secret management feature in an Android system.

What do I do if the endpoint of KMS cannot be accessed?

This is because HTTPS is disabled when you use an SDK to access KMS.

To ensure data security, KMS supports only HTTPS for endpoints. We recommend that you run the following code to enable HTTPS when you use an SDK to access KMS:

req.setProtocol(ProtocolType.HTTPS);

What do I do if my local IDC cannot access the KMS instance by using a domain name?

Problem description

Even after your local Internet data center (IDC) is connected to an Alibaba Cloud VPC, the IDC cannot access the KMS instance by using the kms.aliyuncs.com domain name that is configured in PrivateZone unless additional configuration is performed.

Solution

  1. On the dedicated router, allow traffic to the IP address range 100.100.2.136 to 100.100.2.138 so that the local IDC can ping these IP addresses.

    For configuration issues, contact your network technical support or refer to relevant documentation:

Important

If your IDC is not connected to Alibaba Cloud's enterprise network or the Express Connect network, contact your IDC provider for router configurations.

  2. Modify the local DNS configuration file (named.conf for BIND) to forward queries for the KMS domain name kms.aliyuncs.com to Cloud DNS.

    You can refer to the following configuration:

zone "kms.aliyuncs.com" {
        type forward;
        forwarders { 100.100.2.136; 100.100.2.138; };
};

Note

Different DNS software has slight variations in configuring routing and forwarding. You can follow the user manual of the software to complete the configurations.

What do I do if I encounter a "QPS Limit Exceeded" error while synchronizing KMS secrets by using ack-secret-manager?

Problem description

When synchronizing a large number of KMS secrets, the throttling policy of KMS can be triggered, resulting in synchronization failures.

Solution

The issue has been fixed in version 0.5.2 of ack-secret-manager. We recommend that you use the latest version.