Help Center> API Request Signing Guide> Developer Guide> FAQs> Common Errors Related to IAM Authentication Information
View PDF

Common Errors Related to IAM Authentication Information

You may encounter the following errors related to IAM authentication information:

Incorrect IAM authentication information: verify aksk signature fail

{    
  "error_msg": "Incorrect IAM authentication information: verify aksk signature fail, ......   
  "error_code": "APIGW.0301", 
  "request_id": "******" 
}

Possible Cause

The signature algorithm is incorrect, and the signature calculated by the client is different from that calculated by API Gateway.

Solution

  1. Obtain the canonicalRequest calculated by API Gateway.

    Obtain the canonicalRequest calculated by API Gateway from the following error information: 
    {   
  "error_msg": "Incorrect IAM authentication information: verify aksk signature fail,canonicalRequest:PUT|/v2/******/instances/******/configs/||authorization:SDK-HMAC-SHA256 Access=******, SignedHeaders=authorization;content-length;content-type;host;x-project-id;x-sdk-date, Signature=******|content-length:84|content-type:application/json;charset=UTF-8|host:******|x-project-id:******|x-sdk-date:20201117T072119Z||authorization;content-length;content-type;host;x-project-id;x-sdk-date|******",     
  "error_code": "APIGW.0301",     
  "request_id": "******" 
}

    Replace vertical bars (|) with line breakers to change the error information as follows:

    {   
  "error_msg": "Incorrect IAM authentication information: verify aksk signature fail,canonicalRequest:PUT
/v2/******/instances/******/configs/

  authorization:SDK-HMAC-SHA256 Access=GRFQJFPWGL34UZBRLSDJ, SignedHeaders=authorization;content-length;content-type;host;x-project-id;x-sdk-date, Signature=******
  content-length:84
  content-type:application/json;charset=UTF-8
  host:******
  x-project-id:******
  x-sdk-date:20201117T072119Z

  authorization;content-length;content-type;host;x-project-id;x-sdk-date
******",     
  "error_code": "APIGW.0301",     
  "request_id": "******"
}

  2. Obtain the canonicalRequest calculated by the client by printing logs or using debug interrupts. The following table describes the functions used to calculate the canonicalRequest in the SDKs of different languages.

    Table 1 Functions for calculating canonicalRequest in the SDKs of common languages

    Language

    Function

    Java (earlier than 3.1.0)

    Sign function in com.cloud.sdk.auth.signer.DefaultSigner.class of libs/java-sdk-core-*.jar

    Java (3.1.0 or later)

    Sign function in com.cloud.sdk.auth.signer.Signer.class of libs/java-sdk-core-*.jar

    C++

    Signer::createSignature function in signer.cpp.

    C#

    Sign function in signer.cs

    C

    sig_sign function in signer.c

    Go

    Sign function in signer.go

    JavaScript

    Signer.prototype.Sign function in signer.js

    PHP

    Sign function in signer.php

    Python

    Sign function in signer.py

  3. Check whether the domain name, method, protocol, path, query strings, headers, and body parameters of canonicalRequest obtained in 1 are the same as those obtained in 2.

    • If they are different, the common causes are as follows:
      • Some HTTP clients automatically add charset=utf-8 to the signature header content-type.
      • The user used a proxy to forward requests. The URL, query strings, headers, and body in the request forwarded by the proxy to API Gateway are inconsistent with those signed by the client.
      • Some HTTP clients automatically ignore the body of requests that use the GET or DELETE method.
      • Some earlier version SDKs do not allow special characters in URLs.
      • Some earlier version SDKs do not support query strings that contain a key with multiple values, for example, ?a=1&a=2.
      • Some earlier version SDKs do not allow query strings in URLs.
      • The user-agent header in the actual request is different from the signed user-agent header.
      • Multiple headers with the same name exist.
      • Multiple query strings with the same name exist.
      • The cannonicalRequest contains the authorization header, which conflicts with the signature header.
    • If they are consistent, check whether the AppSecret or SK is correct.

      Common cause: The AppSecret or SK contains unnecessary spaces.

Incorrect IAM authentication information: AK access failed to reach the limit,forbidden

{    
  "error_msg": "Incorrect IAM authentication information: AK access failed to reach the limit,forbidden." ......   
  "error_code": "APIGW.0301", 
  "request_id": "******" 
}

Possible Causes

  • The AK/SK signature calculation is incorrect. Resolve the problem by referring to Incorrect IAM authentication information: verify aksk signature fail.
  • The AK and SK do not match.
  • AK/SK authentication fails for more than five consecutive times, and the AK/SK pair is locked for five minutes. (Authentication requests are rejected within this period).
  • An expired token is used for token authentication.

Incorrect IAM authentication information: decrypt token fail

{
  "error_msg": "Incorrect IAM authentication information: decrypt token fail",
  "error_code": "APIGW.0301",
  "request_id": "******"
}

Possible Cause

The token cannot be parsed for IAM authentication of the API.

Solution

  • Check whether the token is correct.
  • Check whether the token has been obtained in the environment where the API is called.

Incorrect IAM authentication information: Get secretKey failed

{
"error_msg": "Incorrect IAM authentication information: Get secretKey failed,ak:******,err:ak not exist",
"error_code": "APIGW.0301",
"request_id": "******"
}

Possible Cause

The AK used for IAM authentication of the API does not exist.

Solution

Check whether the AK is correct.

Parent topic: FAQs