400 | KMS access denied. Check that the IAM/RBAC grant gives KnoxCall both Encrypt and Decrypt on this key. | The probe encrypt/decrypt round-trip was denied by your KMS IAM/RBAC policy |
400 | Field "<name>" is not permitted in tenant KMS config. ... | config contained a blocked static-credential field (access key, secret key, client secret, private key, service-account key, etc.) — use STS/WIF/SA-impersonation instead |
400 | KMS probe roundtrip mismatch — refusing to onboard a key we cannot reliably decrypt with. | The wrap+unwrap probe did not return the original plaintext |
400 | KMS probe failed. | The probe failed for another reason (see details) |
401 | authentication required | No authenticated session |
400 | X-Tenant-ID header required | X-Tenant-ID header missing |
403 | <reason> | Caller is not an owner/admin of the tenant |
500 | Failed to persist BYOK configuration. | The configuration probe passed but persisting it failed (see details) |
502 | KMS provider unreachable during probe. Try again in a minute. | KnoxCall could not reach the KMS provider during the probe |