Troubleshoot EKM via VPC errors

This page shows you how to resolve issues with Cloud External Key Manager (Cloud EKM) overvirtual private cloud (VPC).

In addition to the errors listed in theCloud EKM error reference, EKMs accessed overVPC might experience additional errors.

Input errors

The following table describes errors caused by incorrect input andsuggests troubleshooting steps for these errors:

google.rpc.Status.messageviolation[1].type(Error domain)Troubleshooting
Permission denied when accessing the Service Directory. Ensure the Cloud EKM service account has access to the Service Directory resource in the VPC project.SD_RESOURCE_PERMISSION_DENIEDFollow the steps inAuthorize Cloud EKM to access your VPC to authorize Cloud EKM to access your VPC resource. Also, refer to theService Directory troubleshooting guide.

External key management system errors

The following table describes EKM system errors and troubleshooting suggestions:

google.rpc.Status.messageviolation[1].type(Error domain)Troubleshooting
Unable to use the Service Directory entry provided for the external key manager. The data was incomplete or was not found in the Service Directory service.SD_RESOURCE_MALFORMED

If you manage your own EKM:

  • Ensure thenetwork field of your Service Directory endpoint is populated and that it matches the VPC network that you use to reach your EKM.
  • Ensure theIP address andPort are set correctly for your endpoint.

    • If your EKM is managed by a separate provider:

  • Contact your EKM provider to ensure thenetwork Service Directory endpoints are correctly set.

    • Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

    Last updated 2026-02-19 UTC.