Error when adding accounts to password auth method within scope

Hi all,

I’m trying to add users to my Boundary setup - this is running in Production mode - using an RDS Postgres database with AWS KMS keys. To try to resolve this issue, I’ve allowed kms:* access to the Key IDs.

When I try to add a user, I receive the following error:
accounts.(Service).createInRepo: accounts.(Service).createPwInRepo: password.(Repository).CreateAccount: unable to get database wrapper: encryption issue: error #300: kms.GetWrapper: error loading root key for scope o_eDUvrogoF3: kms.loadRoot: error looking up root key versions for scope o_eDUvrogoF3: kms.(Repository).ListRootKeyVersions: error decrypting key num 0: kms.(RootKeyVersion).Decrypt: error occurred during decrypt, encryption issue: error #301: error unwrapping value: rpc error: code = Unavailable desc = connection error: desc = "transport: error while dialing: dial unix /tmp/plugin699694758: connect: connection refused"

Grateful for any help on this.

I believe your kms endpoint is refusing the connection for some reason.

I was able to reproduce the same error by just configuring my root kms endpoint to deny the request.

Also, I was able to validate that AWS KMS does work when just using the default API endpoint for my AWS region.

Thanks Jim,

I ended up restarting the Boundary server and for some random reason, it actually resolved the issue.

Thanks for the help in sorting this.