Creating a File System With an Assigned Key Fails

How to resolve problems creating a file system with an assigned Oracle Cloud Infrastructure Vault key.

Symptom: Creating a file system with an assigned Oracle Cloud Infrastructure Vault key fails with the following exception:
com.oracle.bmc.model.BmcException: (401, NotAuthenticated, false) The required information to complete authentication was not provided or was incorrect.

Cause: The File Storage service requires authorization to use keys on your behalf, and users must in turn be authorized to delegate key usage to the service. Both authorizations are granted through specific IAM policies.

Solution:

  1. Create a policy in the tenancy to let a user group delegate key usage in a compartment. For example:
    Allow group FileWriters to use key-delegate in compartment ABC where target.key.id = '<key_OCID>' 
  2. Assign the user who is creating the file system to the group.
  3. Create a policy in the tenancy to let the File Storage service use the key. For example:
    Allow service Fss<realm_key>Prod to use keys in compartment ABC where target.key.id = '<key_OCID>' 

    The name of the File Storage service user depends on your realm. The pattern for the File Storage service user is FssOc<n>Prod, where <n> is the realm number. See About Regions and Availability Domains for more information about realms.
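    Before retrying the file system creation, it is worth confirming that both required statements are present for the key and compartment in question. The following check is an added example (not Oracle's code or the OCI SDK): it parses policy statements of the two shapes shown above and reports which one is missing; the statements, the group name, the compartment name and the key OCID are constructed placeholders, and the realm number is an assumed input that yields the FssOc<n>Prod service user name.

```python
import re

# Matches only the two statement shapes this note requires; full OCI policy
# syntax is broader (this is an added example, not an official parser).
_STMT = re.compile(
    r"^\s*allow\s+(?P<subject_type>group|service)\s+(?P<subject>\S+)\s+"
    r"to\s+use\s+(?P<resource>key-delegate|keys)\s+"
    r"in\s+compartment\s+(?P<compartment>\S+)"
    r"(?:\s+where\s+target\.key\.id\s*=\s*'(?P<key>[^']+)')?\s*$",
    re.IGNORECASE,
)


def _parse(statement):
    m = _STMT.match(statement)
    return m.groupdict() if m else None


def _covers_key(parsed, key_ocid):
    # A statement without a "where" clause covers every key in the compartment.
    return parsed["key"] is None or parsed["key"] == key_ocid


def missing_statements(statements, group, compartment, key_ocid, realm_number):
    """Return descriptions of the required statements that are absent (empty if both exist)."""
    fss_user = f"FssOc{realm_number}Prod"  # service-user pattern from the note above
    have_delegate = have_service = False
    for s in statements:
        p = _parse(s)
        if p is None or p["compartment"].lower() != compartment.lower():
            continue
        if not _covers_key(p, key_ocid):
            continue
        kind, subject, resource = p["subject_type"].lower(), p["subject"], p["resource"].lower()
        if kind == "group" and subject == group and resource == "key-delegate":
            have_delegate = True
        elif kind == "service" and subject.lower() == fss_user.lower() and resource == "keys":
            have_service = True
    missing = []
    if not have_delegate:
        missing.append(f"group {group} lacks 'use key-delegate' on the key in compartment {compartment}")
    if not have_service:
        missing.append(f"service {fss_user} lacks 'use keys' on the key in compartment {compartment}")
    return missing


# Constructed sample: the key OCID is a placeholder, and the service statement
# deliberately names the wrong compartment to show the check catching it.
SAMPLE_KEY = "ocid1.key.oc1..exampleplaceholder"
SAMPLE_STATEMENTS = [
    f"Allow group FileWriters to use key-delegate in compartment ABC where target.key.id = '{SAMPLE_KEY}'",
    "Allow service FssOc1Prod to use keys in compartment XYZ",
]

if __name__ == "__main__":
    for problem in missing_statements(SAMPLE_STATEMENTS, "FileWriters", "ABC", SAMPLE_KEY, 1):
        print("missing:", problem)
```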

For more information, see Assigning Keys.