Tags: terraform, ibm-cloud, terraform-provider-ibm, key-protect

IBM Cloud: "Unauthorized" error when importing key into Key Protect using Terraform


I am using Key Protect on IBM Cloud. I want to import an existing root key into my Key Protect instance using Terraform. I am following the documentation for ibm_kms_key:

data "ibm_resource_instance" "kms_instance" {
  name     = "henrikKeyProtectUS"
  service  = "kms"
  location = "us-south"
}

resource "ibm_kms_key" "key" {
  instance_id  = data.ibm_resource_instance.kms_instance.guid
  key_name     = "mytestkey"
  standard_key = false
  payload      = "rtmETw5IrxFIkRjl7ZYIxMs5Dk/wWQLJ+eQU+HSrWUo="
}

While applying the changes, Terraform returns with an error:

ibm_kms_key.key: Creating...
╷
│ Error: Error while creating Root key with payload: kp.Error: correlation_id='618f8712-b357-xxx-af12-155ad18fbc26', msg='Unauthorized: The user does not have access to the specified resource'
│ 
│   with ibm_kms_key.key,
│   on main.tf line 7, in resource "ibm_kms_key" "key":
│    7: resource "ibm_kms_key" "key" {

Why? I am the account owner and Key Protect instance administrator. I should have all the privileges.


Solution

  • The error is actually described in the introduction to ibm_kms_key, but it is easily overlooked. The region set for the provider currently has to match the region of the KMS instance.

    After switching my provider from "eu-de" to "us-south", too, I was able to import the key.

    provider "ibm" {
      ibmcloud_api_key = var.ibmcloud_api_key
      region           = "us-south"
      ibmcloud_timeout = var.ibmcloud_timeout
    }
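An added example, not part of the original question or answer: a minimal configuration that drives both the provider region and the Key Protect instance lookup from one variable so they cannot drift apart, and moves the key payload out of main.tf into a sensitive variable. The variable names are my own assumptions.

```hcl
# Added example: keep the provider region and the Key Protect instance
# region in one place so they cannot disagree. Variable names are assumed.
variable "ibmcloud_api_key" {
  type      = string
  sensitive = true
}

variable "region" {
  description = "Region of the Key Protect instance; the provider must use the same one"
  type        = string
  default     = "us-south"
}

variable "key_payload" {
  description = "Base64-encoded key material to import; keep it out of source files"
  type        = string
  sensitive   = true
}

provider "ibm" {
  ibmcloud_api_key = var.ibmcloud_api_key
  region           = var.region   # matches the instance location below
}

data "ibm_resource_instance" "kms_instance" {
  name     = "henrikKeyProtectUS"
  service  = "kms"
  location = var.region           # same variable, so no mismatch
}

resource "ibm_kms_key" "key" {
  instance_id  = data.ibm_resource_instance.kms_instance.guid
  key_name     = "mytestkey"
  standard_key = false
  payload      = var.key_payload  # supplied at apply time, not hardcoded
}
```

Supply the payload through the TF_VAR_key_payload environment variable or a tfvars file excluded from version control, so the key material never sits in main.tf; marking the variable sensitive also keeps it out of plan output.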