Troubleshoot EKM via VPC errors

This page shows you how to resolve issues with Cloud External Key Manager (Cloud EKM) over virtual private cloud (VPC).

In addition to the errors listed in the Cloud EKM error reference, EKMs accessed over VPC might experience additional errors.

Input errors

The following table describes errors caused by incorrect input and suggests troubleshooting steps for these errors:

google.rpc.Status.message violation[1].type(Error domain) Troubleshooting
Permission denied when accessing the Service Directory. Ensure the Cloud EKM service account has access to the Service Directory resource in the VPC project. SD_RESOURCE_PERMISSION_DENIED Follow the steps in Authorize Cloud EKM to access your VPC to authorize Cloud EKM to access your VPC resource. Also, refer to the Service Directory troubleshooting guide.

External key management system errors

The following table describes EKM system errors and troubleshooting suggestions:

google.rpc.Status.message violation[1].type(Error domain) Troubleshooting
Unable to use the Service Directory entry provided for the external key manager. The data was incomplete or was not found in the Service Directory service. SD_RESOURCE_MALFORMED

If you manage your own EKM:

  • Ensure the network field of your Service Directory endpoint is populated and that it matches the VPC network that you use to reach your EKM.
  • Ensure the IP address and Port are set correctly for your endpoint.

    • If your EKM is managed by a separate provider:

  • Contact your EKM provider to ensure the network Service Directory endpoints are correctly set.

    		•