问题描述
我在 IBM Cloud 上使用 Key Protect。我想使用 Terraform 将现有的根密钥导入我的 Key Protect 实例。我正在关注 ibm_kms_key 的文档:
data "ibm_resource_instance" "kms_instance" {
name = "henrikKeyProtectUS"
service = "kms"
location = "us-south"
}
resource "ibm_kms_key" "key" {
instance_id = data.ibm_resource_instance.kms_instance.guid
key_name = "mytestkey"
standard_key = false
payload = "rtmETw5IrxFIkRjl7ZYIxMs5Dk/wWQLJ+eQU+HSrWUo="
}
应用更改时,Terraform 返回错误:
ibm_kms_key.key: Creating...
╷
│ Error: Error while creating Root key with payload: kp.Error: correlation_id='618f8712-b357-xxx-af12-155ad18fbc26',msg='Unauthorized: The user does not have access to the specified resource'
│
│ with ibm_kms_key.key,│ on main.tf line 7,in resource "ibm_kms_key" "key":
│ 7: resource "ibm_kms_key" "key" {
为什么?我是帐户所有者和 Key Protect 实例管理员。我应该拥有所有特权。
解决方法
该错误实际上在 ibm_kms_key 的介绍中有所描述,但很容易被重读。当前为提供者设置的区域必须与 KMS 实例的区域匹配。
在将我的提供商从“eu-de”切换到“us-south”之后,我也能够导入密钥。
provider "ibm" {
ibmcloud_api_key = var.ibmcloud_api_key
region = "us-south"
ibmcloud_timeout = var.ibmcloud_timeout
}