I ran across this problem today, which was caused by something that’s easy to forget so I thought I would share the issue and resolution. I was in central admin and trying to create a new Encryption Key for the Secure Store Service. When I tried to generate a new key it failed, and the ULS logs contained an error message like this: User [0#.w|contoso\fred] tried [ChangeMasterSecretKey] operation, user does not have admin privileges to perform the operation. I found this puzzling, so after a few tries I tried logging into as the farm administrator and creating the key. Voila – it worked! This however was not the end of the problems. I then logged back in as myself, went to manage the Secure Store Service page and got a message that said my access was denied to the Secure Store Service. I’m a farm admin, so what’s the deal?
Well…as it turns out for Secure Store Service you have to also go into Manage Service Applications, select the Secure Store Service, and then click the Administrators button in the ribbon. Even though I’m a farm admin, I still have to specifically add my account as an Administrator for the Secure Store Service. Reminded me of all the times and places we had to do this in SharePoint 2010, so this little event was a good reminder in SharePoint 2013 to check for these little gotchas again. With my account added I can now generate or refresh a key, as well as generally just use the SSS.