Common Errors Related to IAM Authentication Information

You may encounter the following errors related to IAM authentication information:

• Incorrect IAM authentication information: verify aksk signature fail
• Incorrect IAM authentication information: AK access failed to reach the limit,forbidden
• Incorrect IAM authentication information: decrypt token fail
• Incorrect IAM authentication information: Get secretKey failed

{    
  "error_msg": "Incorrect IAM authentication information: verify aksk signature fail, ......   
  "error_code": "APIG.0301", 
  "request_id": "******" 
}

Possible Cause

The signature algorithm is incorrect, and the signature calculated by the client is different from that calculated by APIG.

Solution

1. Download the JavaScript SDK, view the visualized signing SDK, and obtain the signature.
2. Decompress the package and open the demo.html file using a browser.
3. Obtain the value of x-sdk-date, and check whether the difference between this value and the current time is within 15 minutes.
   1. Press F12 on the keyboard, and choose Sources > Snippets > New snippet.
   2. Copy the following code to the script snippet on the right, right-click the snippet name on the left, and select Run from the shortcut menu. The value displayed on the Console tab is the value of x-sdk-date.
   

   function twoChar(s) {
       if (s >= 10) {
           return "" + s
       } else {
           return "0" + s
       }
   }
   
   function getTime() {
       var date = new Date();
       return "" + date.getUTCFullYear() + twoChar(date.getUTCMonth() + 1) + twoChar(date.getUTCDate()) + "T" +
           twoChar(date.getUTCHours()) + twoChar(date.getUTCMinutes()) + twoChar(date.getUTCSeconds()) + "Z"
   }
   getTime()

4. Add x-sdk-date to Headers, set other parameters, and click Debug to obtain the signature.

   

   For all requests except get, delete, and head, add a body in the Body area by using the same format as a real request body.

5. Copy the curl command in the figure of 4, run it in a command line interface, and then go to the next step.

   curl -X GET "http://192.168.0.1:10000/get" -H "X-Sdk-Date: 20221208T015751Z" -H "host: 192.168.0.1:10000" -H "Authorization: SDK-HMAC-SHA256 Access=6cc7e0042e1645c4bc954368d3b495a8, SignedHeaders=host;x-sdk-date, Signature=488409e25642fd03753a16238f89e35b466e93b3470160a9e894f53e79f2108a" -d $''

   If a custom authorizer is used, replace Authorization in the curl command with the authorizer name.

6. Compare the signature in the local code with the visualized signature of JavaScript.

   For example, check whether the values of canonicalRequest, stringToSign, and authorizationHeader in the Java signing code are the same as those in the visualized signature of JavaScript.

   

{    
  "error_msg": "Incorrect IAM authentication information: AK access failed to reach the limit,forbidden." ......   
  "error_code": "APIG.0301", 
  "request_id": "******" 
}

Possible Causes

• The AK/SK signature calculation is incorrect. Resolve the problem by referring to Incorrect IAM authentication information: verify aksk signature fail.
• The AK and SK do not match.
• AK/SK authentication fails for more than five consecutive times, and the AK/SK pair is locked for five minutes. (Authentication requests are rejected within this period).
• An expired token is used for token authentication.

{
  "error_msg": "Incorrect IAM authentication information: decrypt token fail",
  "error_code": "APIG.0301",
  "request_id": "******"
}

{
"error_msg": "Incorrect IAM authentication information: Get secretKey failed,ak:******,err:ak not exist",
"error_code": "APIG.0301",
"request_id": "******"
}