What Should I Do If KMS Failed to Be Requested and Error Code 401 Is Displayed?
Symptom
An error is reported when KMS is requested or the cloud service encryption function is enabled.
Error information: httpcode=401,code=APIGW.0301,Msg=Incorrect IAM authentication information: current ip:xx.xx.xx.xx refused
Possible Causes
Access control is configured in IAM.
By default, IAM allows access from any IP addresses. If you configure ACL, the IP addresses and network segments out of the specified range cannot access KMS or use the cloud encryption feature.
Solution
- To access KMS through the cloud service console (for example, for OBS encryption purposes), allow access from network segments 10.0.0.0/8, 11.0.0.0/8, and 26.0.0.0/8.
- To call KMS via API, allow access from the source IP addresses.
Allowing Access from Specific IP Addresses
- Log in to the management console.
- Click on the left of the page and choose Management & Governance > Identity and Access Management. The Users page is displayed.
- Choose Security Settings and click the ACL tab. Check whether IP Address Ranges and IPv4 CIDR Blocks are properly configured.
The source IP address you use must be specified on both the Console Access and API Access tabs.
KMS Related FAQs
- What Is Key Management Service?
- What Is a Customer Master Key?
- What Is a Default Key?
- What Are the Differences Between a Custom Key and a Default Key?
- What Is a Data Encryption Key?
- Why Cannot I Delete a CMK Immediately?
- Which Cloud Services Can Use KMS for Encryption?
- How Do Huawei Cloud Services Use KMS to Encrypt Data?
- What Are the Benefits of Envelope Encryption?
- Is There a Limit on the Number of Custom Keys That I Can Create on KMS?
- Can I Export a CMK from KMS?
- Can I Decrypt My Data if I Permanently Delete My Custom Key?
- How Do I Use the Online Tool to Encrypt or Decrypt Small Volumes of Data?
- Can I Update CMKs Created by KMS-Generated Key Materials?
- When Should I Use a CMK Created with Imported Key Materials?
- What Should I Do When I Accidentally Delete Key Materials?
- How Are Default Keys Generated?
- What Should I Do If I Do Not Have the Permissions to Perform Operations on KMS?
- Why Can't I Wrap Asymmetric Keys by Using -id-aes256-wrap-pad in OpenSSL?
- Key algorithms supported by KMS
- What Should I Do If KMS Failed to Be Requested and Error Code 401 Is Displayed?
- What Is the Relationship Between the Ciphertext and Plaintext Returned by the encrypt-data API?
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbotmore