Creating a File System With an Assigned Key Fails

Creating a File Storage file system with an assigned Oracle Cloud Infrastructure Vault key fails.

The creation attempt fails with the following exception:

com.oracle.bmc.model.BmcException: (401, NotAuthenticated, false) The required information to complete authentication was not provided or was incorrect.

Cause: The File Storage service requires authorization to use keys on your behalf. In addition, the users who create file systems must be authorized to delegate key usage to the service in the first place. Both authorizations are granted, to the service and to the users, through specific IAM policies.

Solution:

  1. Create a policy in the tenancy to let a user group delegate key usage in a compartment. For example:
    Allow group FileWriters to use key-delegate in compartment ABC where target.key.id = '<key_OCID>' 
  2. Assign the user who is creating the file system to the group.
  3. Create a policy in the tenancy to let the File Storage service use the key. For example:
    Allow service <file_storage_service_user> to use keys in compartment ABC where target.key.id = '<key_OCID>' 

    The name of the File Storage service user depends on your realm. For realms with realm key numbers of 10 or less, the pattern for the File Storage service user is FssOc<n>Prod, where n is the realm key number. Realms with a realm key number greater than 10 have a service user of fssocprod. For more information about realms, see About Regions and Availability Domains.

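The following added example (not part of this documentation page or the OCI SDK) builds the two policy statements from steps 1 and 3 for a given realm key number, so the service user name follows the FssOc<n>Prod / fssocprod rule described above, and optionally submits them as one tenancy-level policy with the OCI Python SDK. The group name, compartment name, policy name and key OCID are placeholders you supply; the SDK call assumes a configured ~/.oci/config profile.

```python
def file_storage_service_user(realm_key_number: int) -> str:
    """Service user the File Storage service acts as in a realm (rule above)."""
    if realm_key_number <= 10:
        return f"FssOc{realm_key_number}Prod"
    return "fssocprod"


def key_delegation_statements(group: str, compartment: str,
                              key_ocid: str, realm_key_number: int) -> list:
    """Return the user-delegation and service-usage statements for one Vault key.

    The key must be a Vault key OCID; a vault or other OCID here would make the
    target.key.id condition never match, and creation would still be refused.
    """
    if not key_ocid.startswith("ocid1.key."):
        raise ValueError("expected a Vault key OCID starting with ocid1.key.")
    service_user = file_storage_service_user(realm_key_number)
    scope = f"in compartment {compartment} where target.key.id = '{key_ocid}'"
    return [
        # step 1: let members of the group delegate use of this key
        f"Allow group {group} to use key-delegate {scope}",
        # step 3: let the File Storage service itself use the key
        f"Allow service {service_user} to use keys {scope}",
    ]


def create_policy_in_tenancy(name: str, statements: list, description: str):
    """Create the policy in the root (tenancy) compartment via the OCI SDK.

    Assumption: the oci package is installed and ~/.oci/config is set up.
    """
    import oci  # imported lazily so the statement builder works without the SDK
    config = oci.config.from_file()
    identity = oci.identity.IdentityClient(config)
    details = oci.identity.models.CreatePolicyDetails(
        compartment_id=config["tenancy"],  # policies for this case live in the tenancy
        name=name,
        description=description,
        statements=statements,
    )
    return identity.create_policy(details).data


if __name__ == "__main__":
    # Constructed placeholder values; replace with your own before creating a policy.
    for stmt in key_delegation_statements(
            "FileWriters", "ABC", "ocid1.key.oc1..<placeholder>", realm_key_number=1):
        print(stmt)
```

Step 2 (adding the creating user to the group) is not covered by the block; do that in the Console or with the identity client before retrying the file system creation.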
For more information, see Assigning Master Encryption Keys.