Help Center> API Request Signing Guide> Developer Guide> FAQs> Common Errors Related to IAM Authentication Information

Updated on 2023-01-17 GMT+08:00

View PDF

Common Errors Related to IAM Authentication Information

You may encounter the following errors related to IAM authentication information:

Incorrect IAM authentication information: verify aksk signature fail
Incorrect IAM authentication information: AK access failed to reach the limit, forbidden
Incorrect IAM authentication information: decrypt token fail
Incorrect IAM authentication information: Get secretKey failed

Incorrect IAM authentication information: verify aksk signature fail

{    
  "error_msg": "Incorrect IAM authentication information: verify aksk signature fail, ......   
  "error_code": "APIGW.0301", 
  "request_id": "******" 
}

Possible Cause

The signature algorithm is incorrect, and the signature calculated by the client is different from that calculated by API Gateway.

Solution

Obtain the canonicalRequest calculated by APIG.

Obtain request_id from the body of the error message, search for error.log (you can view this file on CLS) of the shubao node based on request_id, and obtain canonicalRequest from error.log.

2019/01/26 11:34:27 [error] 1211#0: *76 [lua] responses.lua:170: rewrite(): 473a4370fbaf69e42f9da243eb8f8c52;app-1;Incorrect IAM authentication information: verify signature fail;SDK-HMAC-SHA256 Access=071fe245-9cf6-4d75-822d-c29945a1e06a, SignedHeaders=host;x-sdk-date, Signature=b2ef2cddcef89cbfe22974c988909c1a94b1ac54114c30b8fe083d34a259e0f5;canonicalRequest:GET
/app1/

host:test.com
x-sdk-date:20190126T033427Z

host;x-sdk-date
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, client: 192.168.0.1, server: shubao, request: "GET /app1 HTTP/1.1", host: "test.com"

Obtain the canonicalRequest calculated by the client by printing logs or using debug interrupts. The following table describes the functions used to calculate the canonicalRequest in the SDKs of different languages.

**Table 1** Functions for calculating canonicalRequest in the SDKs of common languages
Language	Function
Java	Sign function in com.cloud.sdk.auth.signer.DefaultSigner.class of *libs/java-sdk-core-.jar**
C	sig_sign function in signer.c
C++	Signer::createSignature function in signer.cpp.
C#	Sign function in signer.cs
Go	Sign function in signer.go
JavaScript	Signer.prototype.Sign function in signer.js
Python	Sign function in signer.py
PHP	Sign function in signer.php

Example: cannonicalRequest obtained at a debug interrupt

POST 
/app1/  

host:test.com 
x-sdk-date:20190126T033950Z  

host;x-sdk-date 
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Check whether the cannonicalRequest in 1 is the same as that in 2.

Yes: Check whether the AK and SK are correct, for example, without spaces.
No:
- Different in line 1: The request method must be the same.
- Different in line 2: The request path must be the same.
- Different in line 3: The request parameters must be the same.
- Different in lines 4 to 5: The request header must be the same in each line.
- Different in line 7: The number of request header parameters must be the same as the number of request header lines.
- Different in line 8: The request body must be the same.

**Table 2** canonicalRequest of APIG and a client
Line No.	Parameter	APIG	Client
1	Request method	GET	POST
2	Request path	/app1/	/app1/
3	Request parameters	None	None
4	Request header	host:test.com	host:test.com
5	Request header	x-sdk-date:20190126T033427Z	x-sdk-date:20190126T033950Z
6	Blank line	-	-
7	Request header parameters	host;x-sdk-date	host;x-sdk-date
8	Request body hash value	e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Incorrect IAM authentication information: AK access failed to reach the limit, forbidden

{    
  "error_msg": "Incorrect IAM authentication information: AK access failed to reach the limit,forbidden." ......   
  "error_code": "APIGW.0301", 
  "request_id": "******" 
}

Possible Causes

The AK/SK signature calculation is incorrect. Resolve the problem by referring to Incorrect IAM authentication information: verify aksk signature fail.
The AK and SK do not match.
AK/SK authentication fails for more than five consecutive times, and the AK/SK pair is locked for five minutes. (Authentication requests are rejected within this period).
An expired token is used for token authentication.

Incorrect IAM authentication information: decrypt token fail

{
  "error_msg": "Incorrect IAM authentication information: decrypt token fail",
  "error_code": "APIGW.0301",
  "request_id": "******"
}

Possible Cause

The token cannot be parsed for IAM authentication of the API.

Solution

Check whether the token is correct.
Check whether the token has been obtained in the environment where the API is called.

Incorrect IAM authentication information: Get secretKey failed

{
"error_msg": "Incorrect IAM authentication information: Get secretKey failed,ak:******,err:ak not exist",
"error_code": "APIGW.0301",
"request_id": "******"
}

Possible Cause

The AK used for IAM authentication of the API does not exist.

Solution

Check whether the AK is correct.

Parent topic: FAQs

Previous topic: How Do I Use a Temporary AK/SK to Sign Requests?

Next topic: What Should I Do If "The API does not exist or has not been published in the environment." Is Displayed?

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel