Operation Fails Because of Authorization or Resource Not Found

The error, "Authorization failed or requested resource not found," can occur when you work with Certificates resources. You might see this error for several reasons.

Missing or incorrect policy statements

You might not have the required permissions.

Verify that policy statements exist to grant at least the minimum permissions described in the Required IAM Policy section of Managing Certificates, Managing Certificate Authorities, or Managing CA Bundles, as appropriate. You might need policy statements for both groups and dynamic groups, depending on the resources you want to work with.

In particular, when creating CAs or configuring them to perform revocation, confirm that you have a policy to grant CAs the permissions needed to sign X.509 certificates using Vault keys and to store certificate revocation lists (CRLs) in Object Storage buckets. (This type of policy is referred to as a resource principal policy because it authorizes a resource as a principal actor that can act on other resources.) If you have no policy that grants CAs the permissions they need, then an administrator must write the policy. If you have no dynamic group for CAs to begin with, an administrator must first create a dynamic group with a matching rule that includes all CAs, and then write the policy.
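The following check is an added example, not Oracle's code: given dynamic groups and policies exported as JSON, it reports which of the two CA permissions described above no policy statement grants. It assumes the matching rule `resource.type='certificateauthority'`, minimum verbs of `use` for keys and `manage` for objects, and CLI-style field names (`matching-rule`, `statements`); all sample names are constructed, and `where` conditions and identity-domain prefixes are not evaluated.

```python
import re

# Verb ranking in OCI policies: each verb includes the ones before it.
VERBS = ["inspect", "read", "use", "manage"]
# Assumed minimum verb and acceptable resource types for each permission a CA needs.
NEEDS = {
    "sign with Vault keys": ("use", {"keys", "all-resources"}),
    "store CRLs in Object Storage": ("manage", {"objects", "object-family", "all-resources"}),
}
STMT = re.compile(
    r"^\s*allow\s+dynamic-group\s+(?P<group>\S+)\s+to\s+(?P<verb>\w+)\s+(?P<rtype>[\w-]+)\s+in\s+",
    re.IGNORECASE)
# Assumed matching-rule condition that selects CA resources.
CA_RULE = re.compile(r"resource\.type\s*=\s*'certificateauthority'", re.IGNORECASE)

def ca_dynamic_groups(groups):
    """Lower-cased names of dynamic groups whose matching rule selects CAs."""
    return {g["name"].lower() for g in groups if CA_RULE.search(g["matching-rule"])}

def missing_ca_permissions(groups, policies):
    """Return the CA permissions that no policy statement grants."""
    ca_groups = ca_dynamic_groups(groups)
    missing = set(NEEDS)
    for policy in policies:
        for text in policy["statements"]:
            m = STMT.match(text)
            if not m or m["group"].lower() not in ca_groups:
                continue
            verb, rtype = m["verb"].lower(), m["rtype"].lower()
            if verb not in VERBS:
                continue
            for need, (min_verb, rtypes) in NEEDS.items():
                if rtype in rtypes and VERBS.index(verb) >= VERBS.index(min_verb):
                    missing.discard(need)
    return sorted(missing)

# Constructed sample data: group, policy and compartment names are made up.
GROUPS = [{"name": "CertificateAuthority-DG",
           "matching-rule": "resource.type='certificateauthority'"}]
POLICIES = [{"name": "ca-policy", "statements": [
    "Allow dynamic-group CertificateAuthority-DG to use keys in compartment security",
    # 'read' is below the assumed minimum of 'manage', so CRL storage is still missing.
    "Allow dynamic-group CertificateAuthority-DG to read objects in compartment pki",
]}]

if __name__ == "__main__":
    print(missing_ca_permissions(GROUPS, POLICIES))
```

An empty result means both permissions are granted to some dynamic group that includes CAs; it does not confirm that the statements cover the compartments holding your key and bucket.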

Non-existent resource

The requested resource might not exist.

Verify that all the resources named in your request exist and have not been deleted.

Resource exists in a different tenancy

Your request might include resources in different tenancies.

The Certificates service does not support cross-tenancy requests. Confirm that all the resources named in your request belong to the same tenancy. For example, when creating a CA, the Vault key, Object Storage bucket, and issuer CA must exist in the same tenancy as the CA you are trying to create.