Help Center/ API Request Signing Guide/ Developer Guide/ FAQs/ Common Errors Related to IAM Authentication Information
Updated on 2023-01-17 GMT+08:00

Common Errors Related to IAM Authentication Information

You may encounter the following errors related to IAM authentication information:

Incorrect IAM authentication information: verify aksk signature fail

{    
  "error_msg": "Incorrect IAM authentication information: verify aksk signature fail, ......   
  "error_code": "APIGW.0301", 
  "request_id": "******" 
}

Possible Cause

The signature algorithm is incorrect, and the signature calculated by the client is different from that calculated by API Gateway.

Solution

  1. Obtain the canonicalRequest calculated by APIG.

    Obtain request_id from the body of the error message, search for error.log (you can view this file on CLS) of the shubao node based on request_id, and obtain canonicalRequest from error.log.
    2019/01/26 11:34:27 [error] 1211#0: *76 [lua] responses.lua:170: rewrite(): 473a4370fbaf69e42f9da243eb8f8c52;app-1;Incorrect IAM authentication information: verify signature fail;SDK-HMAC-SHA256 Access=071fe245-9cf6-4d75-822d-c29945a1e06a, SignedHeaders=host;x-sdk-date, Signature=b2ef2cddcef89cbfe22974c988909c1a94b1ac54114c30b8fe083d34a259e0f5;canonicalRequest:GET
    /app1/
    
    host:test.com
    x-sdk-date:20190126T033427Z
    
    host;x-sdk-date
    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, client: 192.168.0.1, server: shubao, request: "GET /app1 HTTP/1.1", host: "test.com"

  2. Obtain the canonicalRequest calculated by the client by printing logs or using debug interrupts. The following table describes the functions used to calculate the canonicalRequest in the SDKs of different languages.

    Table 1 Functions for calculating canonicalRequest in the SDKs of common languages

    Language

    Function

    Java

    Sign function in com.cloud.sdk.auth.signer.DefaultSigner.class of libs/java-sdk-core-*.jar

    C

    sig_sign function in signer.c

    C++

    Signer::createSignature function in signer.cpp.

    C#

    Sign function in signer.cs

    Go

    Sign function in signer.go

    JavaScript

    Signer.prototype.Sign function in signer.js

    Python

    Sign function in signer.py

    PHP

    Sign function in signer.php

    Example: cannonicalRequest obtained at a debug interrupt

    POST 
    /app1/  
    
    host:test.com 
    x-sdk-date:20190126T033950Z  
    
    host;x-sdk-date 
    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

  3. Check whether the cannonicalRequest in 1 is the same as that in 2.

    • Yes: Check whether the AK and SK are correct, for example, without spaces.
    • No:
      • Different in line 1: The request method must be the same.
      • Different in line 2: The request path must be the same.
      • Different in line 3: The request parameters must be the same.
      • Different in lines 4 to 5: The request header must be the same in each line.
      • Different in line 7: The number of request header parameters must be the same as the number of request header lines.
      • Different in line 8: The request body must be the same.
    Table 2 canonicalRequest of APIG and a client

    Line No.

    Parameter

    APIG

    Client

    1

    Request method

    GET

    POST

    2

    Request path

    /app1/

    /app1/

    3

    Request parameters

    None

    None

    4

    Request header

    host:test.com

    host:test.com

    5

    Request header

    x-sdk-date:20190126T033427Z

    x-sdk-date:20190126T033950Z

    6

    Blank line

    -

    -

    7

    Request header parameters

    host;x-sdk-date

    host;x-sdk-date

    8

    Request body hash value

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Incorrect IAM authentication information: AK access failed to reach the limit, forbidden

{    
  "error_msg": "Incorrect IAM authentication information: AK access failed to reach the limit,forbidden." ......   
  "error_code": "APIGW.0301", 
  "request_id": "******" 
}

Possible Causes

  • The AK/SK signature calculation is incorrect. Resolve the problem by referring to Incorrect IAM authentication information: verify aksk signature fail.
  • The AK and SK do not match.
  • AK/SK authentication fails for more than five consecutive times, and the AK/SK pair is locked for five minutes. (Authentication requests are rejected within this period).
  • An expired token is used for token authentication.

Incorrect IAM authentication information: decrypt token fail

{
  "error_msg": "Incorrect IAM authentication information: decrypt token fail",
  "error_code": "APIGW.0301",
  "request_id": "******"
}

Possible Cause

The token cannot be parsed for IAM authentication of the API.

Solution

  • Check whether the token is correct.
  • Check whether the token has been obtained in the environment where the API is called.

Incorrect IAM authentication information: Get secretKey failed

{
"error_msg": "Incorrect IAM authentication information: Get secretKey failed,ak:******,err:ak not exist",
"error_code": "APIGW.0301",
"request_id": "******"
}

Possible Cause

The AK used for IAM authentication of the API does not exist.

Solution

Check whether the AK is correct.