Why does encryption fail with an invalid KMS endpoint?
Applies to: Virtual Private Cloud and Classic infrastructure
When you provision Portworx and set up encryption, you receive an error similar to the following:
`kp.Error: correlation_id='673bb68a-be17-4720-9ae1-85baf109924e', msg='Unauthorized: The user does not have access to the specified resource'`
The endpoint that you entered in your Kubernetes secret is incorrect. If the KMS endpoint is entered incorrectly, Portworx can't access the KMS provider that you configured.
For more information about enabling encryption on your Portworx volumes, see Setting up encryption.
Edit your Kubernetes secret to include the correct endpoint for your KMS provider.
1. Retrieve the correct endpoint for your KMS provider.
   - IBM Key Protect: Retrieve the region where you created your service instance. Make sure that you note your API endpoint in the correct format. Example: `https://us-south.kms.cloud.ibm.com`.
   - Hyper Protect Crypto Services: Retrieve the Key Management public endpoint URL. Make sure that you note your endpoint in the correct format. Example: `https://api.us-south.hs-crypto.cloud.ibm.com:<port>`. For more information, see the Hyper Protect Crypto Services API documentation.
2. Encode the endpoint to base64.
   `echo -n "<endpoint>" | base64`
3. Edit the Kubernetes secret that you created to include the correct endpoint for your KMS provider.
   `oc edit secret <secret-name> -n portworx`
4. Save and close your Kubernetes secret to reapply it to your cluster.
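As an added example that is not part of the IBM documentation or of Portworx: a POSIX shell helper that checks an endpoint against the two URL shapes shown above (the host patterns are assumptions drawn from those examples), base64-encodes it without a trailing newline, and diagnoses a value already stored in the secret, including the common case where the endpoint was encoded with `echo` instead of `echo -n`.

```shell
#!/bin/sh
# Added example, not from the IBM docs or Portworx. Host patterns are assumptions
# based on the Key Protect and Hyper Protect Crypto Services examples on this page.

# Return 0 when the endpoint looks like a Key Protect or HPCS URL, 1 otherwise.
validate_kms_endpoint() {
  url=$1
  case $url in
    *[[:space:]]*) echo "endpoint contains whitespace: '$url'" >&2; return 1 ;;
    https://*.kms.cloud.ibm.com) return 0 ;;                 # Key Protect (assumed pattern)
    https://api.*.hs-crypto.cloud.ibm.com:[0-9]*) return 0 ;; # HPCS with port (assumed pattern)
    https://api.*.hs-crypto.cloud.ibm.com) echo "HPCS endpoint needs a port: '$url'" >&2; return 1 ;;
    http://*) echo "endpoint must use https: '$url'" >&2; return 1 ;;
    *) echo "unrecognised KMS endpoint: '$url'" >&2; return 1 ;;
  esac
}

# Encode with printf (no trailing newline, unlike plain echo) and strip base64 line wrapping.
encode_endpoint() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Compare the base64 value copied from the secret with the intended endpoint.
# Returns 0 only on an exact match; otherwise prints why it differs.
check_secret_value() {
  stored_b64=$1; expected=$2
  if [ "$stored_b64" = "$(encode_endpoint "$expected")" ]; then
    echo "ok: secret holds $expected"; return 0
  fi
  if [ "$stored_b64" = "$(printf '%s\n' "$expected" | base64 | tr -d '\n')" ]; then
    echo "mismatch: stored value has a trailing newline (encoded with echo instead of echo -n)"; return 1
  fi
  decoded=$(printf '%s' "$stored_b64" | base64 -d 2>/dev/null) || decoded='<not valid base64>'
  echo "mismatch: secret holds '$decoded', expected '$expected'"; return 1
}

# Demo with constructed values. In a real check, the stored value would come from
# the secret, e.g. via `oc get secret <secret-name> -n portworx -o yaml`.
endpoint="https://us-south.kms.cloud.ibm.com"
if validate_kms_endpoint "$endpoint"; then
  printf 'encoded: %s\n' "$(encode_endpoint "$endpoint")"
fi
# A value produced with `echo "<endpoint>" | base64` (newline included) is flagged:
if ! check_secret_value "$(printf '%s\n' "$endpoint" | base64 | tr -d '\n')" "$endpoint"; then
  echo "re-encode with: echo -n \"$endpoint\" | base64"
fi
```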
If you find information that you entered incorrectly or you must change the setup of your cluster, correct the information or the cluster setup.