IBM Cloud Docs
Why does the Network status show an NHC009 error?

copyright: years: 2025, 2025 lastupdated: "2025-07-14"

keywords: nhc009, IAM token exchange failed

subcollection: openshift

content-type: troubleshoot


Virtual Private Cloud

When you check the status of your cluster's network components by running the ibmcloud oc cluster health issues --cluster <CLUSTER_ID> command, you see an error similar to the following example.

ID       Component   Severity   Description
NHC009   Network     Error      The IAM token exchange request failed.

VPC operations rely on IAM API keys for authentication. If the API key that is used is invalid, expired, or disabled, the IAM token exchange can fail with this error.

Review and update your IAM API key.

  1. Find out which API key is used. Check the resource group of your cluster.

    ibmcloud ks cluster get --cluster <Cluster_ID>
    
  2. Use the resource group ID to find the associated API key.

    ibmcloud iam api-key --uuid containers-kubernetes-key
    
  3. Verify whether the key is disabled.

    ibmcloud iam api-key --activity <ApiKey_ID>
    
  4. If necessary, reset your Kubernetes.

    ibmcloud ks api-key reset
    
  5. Or, if the API key is disabled, enable it.

    ibmcloud iam api-key-enable <ApiKey_ID>
    
  6. For detailed steps, see Setting the cluster credentials and Managing IAM access, API keys, trusted profiles, service IDs, and access groups.

  7. Wait 30 minutes, then check if the warning is resolved.

  8. If the issue persists, contact support for further assistance. Open a support case. In the case details, be sure to include any relevant log files, error messages, or command outputs.
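
An added example for the re-check in step 7 (not part of the IBM documentation): a shell helper that reads the health issues table and reports whether NHC009 is still listed. The function names and sample tables are constructed, and it assumes columns are separated by two or more spaces, as in the output shown above.

```shell
#!/bin/sh
# Added example, not IBM's code. Assumption: the health issues table uses
# two or more spaces between columns and single spaces inside a description.

# issue_row ID: read the table on stdin and print "Severity|Description"
# for the first row whose ID matches. Exit 0 if listed, 1 if not.
issue_row() {
    awk -v id="$1" '
        BEGIN { FS = "  +" }
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }   # trim; $0 is re-split
        $1 == id && !found { print $3 "|" $4; found = 1 }
        END { exit(found ? 0 : 1) }
    '
}

# key_fix_verdict ID: print a one-line verdict for the table on stdin.
key_fix_verdict() {
    if row=$(issue_row "$1"); then
        echo "UNRESOLVED $1 [${row%%|*}] ${row#*|}"
    else
        echo "RESOLVED $1 not listed"
    fi
}

# Constructed sample tables: before and after the API key is fixed.
BEFORE='ID       Component   Severity   Description
NHC009   Network     Error      The IAM token exchange request failed.'
AFTER='ID       Component   Severity   Description'

printf '%s\n' "$BEFORE" | key_fix_verdict NHC009
printf '%s\n' "$AFTER"  | key_fix_verdict NHC009

# Live use: pipe the output of the health issues command from the top of
# this page into the helper, for example
#   <health issues command> | key_fix_verdict NHC009
```

A verdict of UNRESOLVED after the 30-minute wait is the point at which step 8 applies.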