Creating a File System With an Assigned Key Fails

Creating a File Storage file system with an assigned Oracle Cloud Infrastructure Vault key fails.

The creation attempt fails with the following exception:

com.oracle.bmc.model.BmcException: (401, NotAuthenticated, false) The required information to complete authentication was not provided or was incorrect.

Cause: File Storage file systems require authorization to use keys on your behalf. You must also authorize users to delegate key usage to the service in the first place. Both authorizations are granted with specific IAM policies: one for the service and one for the users.

Solution:

  1. Create a policy in the tenancy to let a user group delegate key usage in a compartment. For example:

     Allow group FileWriters to use key-delegate in compartment ABC where target.key.id = '<key_OCID>'

  2. Assign the user who is creating the file system to the group.
  3. Create a dynamic group for file systems with a matching rule such as the following:

     ALL { resource.type='filesystem', resource.compartment.id = '<file_system_compartment_OCID>' }

     Note: If you have more than one rule in the dynamic group, ensure that you select the "Match any rules defined below" option.

  4. Create an IAM policy that gives the dynamic group of file systems read access to Vault secrets:

     allow dynamic-group <dynamic_group_name> to use keys in compartment <key_compartment_name>
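The following script is an added example, not part of the Oracle documentation, showing how the four steps above can be applied with the OCI CLI. It composes the key-delegate policy, the dynamic group matching rule and the key-use policy from variables, then runs the corresponding `oci iam` commands. All OCIDs, the group name `FileWriters`, the compartment name `ABC` and the dynamic group name `fss-key-users` are placeholders you must replace; with `DRY_RUN=1` (the default) the commands are only printed.

```shell
#!/bin/sh
# Added example: create the IAM artifacts needed before a File Storage file
# system can be created with an assigned Vault key. Placeholder values below
# must be replaced; DRY_RUN=1 prints the oci commands instead of running them.

TENANCY_OCID="${TENANCY_OCID:-ocid1.tenancy.oc1..PLACEHOLDER}"
GROUP_NAME="${GROUP_NAME:-FileWriters}"
GROUP_OCID="${GROUP_OCID:-ocid1.group.oc1..PLACEHOLDER}"     # OCID of $GROUP_NAME
USER_OCID="${USER_OCID:-ocid1.user.oc1..PLACEHOLDER}"        # user creating the file system
KEY_COMPARTMENT="${KEY_COMPARTMENT:-ABC}"                    # name of the compartment holding the key
KEY_OCID="${KEY_OCID:-ocid1.key.oc1..PLACEHOLDER}"
FS_COMPARTMENT_OCID="${FS_COMPARTMENT_OCID:-ocid1.compartment.oc1..PLACEHOLDER}"
DYN_GROUP="${DYN_GROUP:-fss-key-users}"
DRY_RUN="${DRY_RUN:-1}"

# Step 1: statement letting the user group delegate use of one specific key.
# Scoping with target.key.id keeps the grant to that key only.
build_delegate_policy() {
  printf "Allow group %s to use key-delegate in compartment %s where target.key.id = '%s'" "$1" "$2" "$3"
}

# Step 3: matching rule selecting file systems in one compartment.
build_matching_rule() {
  printf "ALL { resource.type='filesystem', resource.compartment.id = '%s' }" "$1"
}

# Step 4: statement letting the matched file systems use keys in the key compartment.
build_key_use_policy() {
  printf "allow dynamic-group %s to use keys in compartment %s" "$1" "$2"
}

# Run a command, or print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

main() {
  delegate_stmt=$(build_delegate_policy "$GROUP_NAME" "$KEY_COMPARTMENT" "$KEY_OCID")
  rule=$(build_matching_rule "$FS_COMPARTMENT_OCID")
  key_stmt=$(build_key_use_policy "$DYN_GROUP" "$KEY_COMPARTMENT")

  # Step 1: policy created in the tenancy so it covers the target compartment.
  run oci iam policy create --compartment-id "$TENANCY_OCID" \
    --name "fss-key-delegate" \
    --description "Let $GROUP_NAME delegate key usage to File Storage" \
    --statements "[\"$delegate_stmt\"]"

  # Step 2: put the user who creates the file system into the group.
  run oci iam group add-user --group-id "$GROUP_OCID" --user-id "$USER_OCID"

  # Step 3: dynamic group whose members are the file systems themselves.
  run oci iam dynamic-group create --compartment-id "$TENANCY_OCID" \
    --name "$DYN_GROUP" \
    --description "File systems allowed to use Vault keys" \
    --matching-rule "$rule"

  # Step 4: let those file systems use keys in the key compartment.
  run oci iam policy create --compartment-id "$TENANCY_OCID" \
    --name "fss-key-use" \
    --description "Let file systems in the dynamic group use keys in $KEY_COMPARTMENT" \
    --statements "[\"$key_stmt\"]"
}

main
```

Run it once with `DRY_RUN=1` to review the exact statements, then with `DRY_RUN=0` and real OCIDs to apply them. Policies may take a short time to propagate, so retry the file system creation after the commands succeed rather than immediately.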

For more information, see Encrypting a File System and Assigning Master Encryption Keys.