Error creating accounts when cloud kms returns PENDING_GENERATION #267

Open
seitau opened this issue Feb 1, 2022 · 6 comments

seitau commented Feb 1, 2022

I was trying to create many accounts asynchronously, and after it reached a certain load I saw the following errors from the job.

cloudkms: failed to fetch public key from KMS API: rpc error: code = FailedPrecondition desc = projects/.../locations/global/keyRings/.../cryptoKeys/flow-wallet-account-key-dde4689c-9ce1-4e96-b4ab-f5e227b1d622/cryptoKeyVersions/1 is not enabled, current state is: PENDING_GENERATION.error details: name = PreconditionFailure type = KEY_PENDING_GENERATION subj = projects/.../locations/global/keyRings/.../cryptoKeys/flow-wallet-account-key-dde4689c-9ce1-4e96-b4ab-f5e227b1d622/cryptoKeyVersions/1 desc =

This seems to be due to the latency of Cloud KMS generating many asymmetric keys. The current key creation logic does not handle this error, so retrying the failed job tries to generate a new key in KMS, which results in increased load on KMS.

@nanuuki nanuuki added the bug Something isn't working label Feb 1, 2022
@nanuuki nanuuki self-assigned this Feb 1, 2022

nanuuki commented Feb 1, 2022

Thanks for reporting this @seita-uc! Have you observed this with AWS KMS too, or just Google KMS?

seitau commented Feb 1, 2022

@nanuuki I only use Cloud KMS, so I'm not sure about AWS KMS.

seitau commented Feb 2, 2022

According to the document,

"Due to the CPU cost of generating key material, creation of an asymmetric signing or asymmetric encryption key version may take a few minutes."
https://cloud.google.com/kms/docs/faq#pending_generation

nanuuki commented Feb 2, 2022

@seita-uc I managed to reproduce this, I'll let you know once a fix has been applied :)

seitau commented Feb 2, 2022

@nanuuki FYI, I have been measuring the response time of key creation and the time to wait for the key to be enabled. I figured out that keeping the request rate to 1 rps solves the problem. If the CreateCryptoKey request rate to Cloud KMS stays above 1 rps, eventually the Cloud KMS client returns a timeout (default 60s) and the wait time for key enabling gets longer.

seitau commented Feb 12, 2022

Update: I managed to get better response time when I changed the Cloud KMS keyring's region from global to asia. It does not solve the root cause of the problem, but setting a closer KMS region rather than global will help avoid the error.
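
The failure mode reported in this thread (a retried job creating yet another key while the first version is still in PENDING_GENERATION) can be avoided by polling the version that already exists. The sketch below is an added example, not code from this project or from any participant; `StateGetter`, `WaitForEnabled` and `FakeKMS` are hypothetical names, and the real KMS client call is assumed to sit behind `StateGetter`.

```go
package main

import (
	"context"
	"fmt"
	"time"
)

// StateGetter is a hypothetical seam over the KMS GetCryptoKeyVersion call;
// it returns the version's state name, e.g. "PENDING_GENERATION".
type StateGetter func(ctx context.Context, versionName string) (string, error)

// WaitForEnabled polls one already-created key version until it is ENABLED,
// doubling the delay up to maxDelay. It never creates a key, so a retried
// job adds no key-generation load. It returns the number of polls made.
func WaitForEnabled(ctx context.Context, get StateGetter, name string, delay, maxDelay time.Duration) (int, error) {
	for polls := 1; ; polls++ {
		st, err := get(ctx, name)
		switch {
		case err != nil:
			return polls, err
		case st == "ENABLED":
			return polls, nil
		case st != "PENDING_GENERATION":
			return polls, fmt.Errorf("key version %s: unexpected state %s", name, st)
		}
		select { // still generating: wait, but honour the job's deadline
		case <-ctx.Done():
			return polls, ctx.Err()
		case <-time.After(delay):
		}
		if delay *= 2; delay > maxDelay {
			delay = maxDelay
		}
	}
}

// FakeKMS (constructed for this example) reports PENDING_GENERATION n times.
func FakeKMS(n int) StateGetter {
	return func(context.Context, string) (string, error) {
		if n > 0 {
			n--
			return "PENDING_GENERATION", nil
		}
		return "ENABLED", nil
	}
}

func main() {
	fmt.Println(WaitForEnabled(context.Background(), FakeKMS(3), "cryptoKeyVersions/1", time.Millisecond, 8*time.Millisecond))
}
```

Passing a context with a deadline bounds the total wait, so a version that stays pending fails the job cleanly instead of triggering another key creation.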
