Why can't I delete an initialized service instance?
You get an error when you delete an initialized service instance.
You might receive an error similar to the following one:
FAILED Error Code: RC-ServiceBrokerErrorResponse Message: Service Broker returned error status code 409
The error can have the following causes:
- You haven't deleted root keys with the standard plan or managed keys with the Unified Key Orchestrator plan.
- You haven't cleared (zeroized) the initialized service instance before you delete the instance.
Use the following instructions to resolve the problem:
- If you haven't deleted root keys with the standard plan or managed keys with the Unified Key Orchestrator plan, run the following commands:
  If you have zeroized the initialized service instance before deleting keys, you can only use the IBM Cloud command-line interface (CLI) or API to delete keys.
  - For root keys:
    ibmcloud kp key delete KEY_ID_OR_ALIAS -i, --instance-id INSTANCE_ID [--key-ring KEY_RING_ID] [-f, --force] [-o, --output OUTPUT]
  - For managed keys:
    ibmcloud hpcs uko managed-key-delete --id ID --uko-vault UKO-VAULT --if-match IF-MATCH
- If you haven't cleared (zeroized) the initialized service instance, the procedure varies depending on the method that you use to initialize the service instance.
  - If you've initialized your service instance through IBM Cloud Trusted Key Entry (TKE) CLI plug-in, run the following command before you delete the instance:
    ibmcloud tke cryptounit-zeroize
  - If you've initialized your service instance through the TKE application, in the user interface of the application, select Imprint mode > Zeroize crypto unit.
After you zeroize the crypto unit, the administrator signature keys and the master key are cleared from the crypto unit, which means you are not able to access any root keys or standard keys that are protected by the master key. Any resources that are associated with the root keys, such as the Immutable Object Storage, cannot be accessed.