Updated on 2025-11-06 GMT+08:00

How Do I Handle Access Denied by Identity Policies?

IAM displays error messages when access is denied by identity policies attached to users. Users can identify the cause of an access denied error and resolve it based on the error message.

Implicit Deny and Explicit Deny

Access denied errors appear when IAM explicitly or implicitly denies an authorization request.

  • An implicit deny means that the access is not explicitly authorized by an administrator. The error message may contain the following information:
    User: ${principal} is not authorized to perform: ${action} on resource: ${resource} because no ${policy_type} policy allows the ${action} action.
  • An explicit deny means that the access is explicitly restricted by an administrator. The error message may contain the following information:
    User: ${principal} is not authorized to perform: ${action} on resource: ${resource} with an explicit deny in the ${policy_type} policy.

  • ${principal}: Principal
  • ${action}: Action of the request
  • ${resource}: Resources to be accessed
  • ${policy_type}: Policy type

Example Error Information

  • Implicit Deny in a Policy or Identity Policy

    No policy or identity policy that explicitly allows the access is attached to the principal.

    Check whether the policy or identity policy attached to the principal contains an Allow statement for the specific action. You can contact the IAM administrator to add the Allow statement.
    User: ${principal} is not authorized to perform: ${action} on resource: ${resource} because no identity-based policy allows the ${action} action.
  • Explicit Deny in a Policy or Identity Policy

    A policy or identity policy that explicitly denies the access is attached to the principal.

    Check whether the policy or identity policy attached to the principal contains a Deny statement for the specific action. You can contact the IAM administrator to delete the Deny statement.
    User: ${principal} is not authorized to perform: ${action} on resource: ${resource} with an explicit deny in an identity-based policy.
  • Implicit Deny in a Resource Policy

    No resource policy explicitly allows the access to the resource.

    Check whether the resource policy contains an Allow statement for the specific action. You can contact the administrator to obtain the permissions.
    User: ${principal} is not authorized to perform: ${action} on resource: ${resource} because no resource-based policy allows the ${action} action.
  • Explicit Deny in a Resource Policy

    A resource policy explicitly denies the access to the resource.

    Check whether the resource policy contains a Deny statement for the specific action. You can contact the administrator to delete the restriction.
    User: ${principal} is not authorized to perform: ${action} on resource: ${resource} with an explicit deny in a resource-based policy.
  • Implicit Deny in a Trust Policy

    No trust policy in the trust agency explicitly allows the access.

    Check whether a trust policy in the trust agency contains the Allow statement for the specific operation. You can contact an administrator to add the Allow statement to the trust policy. Alternatively, check the principal who assumes the agency.
    User: ${principal} is not authorized to perform: ${action} on resource: ${resource} because no agency trust policy allows the ${action} action.
  • Explicit Deny in a Trust Policy

    A trust policy in the trust agency explicitly denies the access.

    Check whether a trust policy in the trust agency contains a Deny statement for the specific action. You can contact the administrator to delete the restriction.
    User: ${principal} is not authorized to perform: ${action} on resource: ${resource} with an explicit deny in the agency trust policy.
  • Implicit Deny in a Session Policy

    No session policy in the agency session explicitly allows the access.

    Check whether a session policy in the agency session contains an Allow statement for the specific action. You can contact the administrator to obtain the permissions.
    User: ${principal} is not authorized to perform: ${action} on resource: ${resource} because no session policy allows the ${action} action.
  • Explicit Deny in a Session Policy

    A session policy in the agency session explicitly denies the access.

    Check whether a session policy in the agency session contains a Deny statement for the specific action. You can contact the administrator to delete the restriction.
    User: ${principal} is not authorized to perform: ${action} on resource: ${resource} with an explicit deny in a session policy.
  • Implicit Deny in an SCP

    No service control policy (SCP) that explicitly allows the access is attached to the tenant, organization root, or organization unit where the principal belongs.

    Check whether the SCP attached to the tenant, organization root, or organization unit where the principal belongs lacks the Allow statement for the specific action. You can contact an organization administrator to obtain the required permissions.
    User: ${principal} is not authorized to perform: ${action} on resource: ${resource} because no service control policy allows the ${action} action.
  • Explicit Deny in an SCP

    An SCP that explicitly denies the access is attached to the tenant, organization root, or organization unit where the principal belongs.

    Check whether the SCP attached to the tenant, organization root, or organization unit where the principal belongs contains the Deny statement for the specific action. You can contact an organization administrator to delete the restriction.
    User: ${principal} is not authorized to perform: ${action} on resource: ${resource} with an explicit deny in a service control policy.
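
The message formats above can be parsed mechanically to decide which policy to inspect and whether to look for a missing Allow or a present Deny. The following is an added example, not code from IAM or from this page; the function name `triage` and the sample principal, action and resource values are assumptions made for illustration.

```python
import re

# Pattern built from the two message templates on this page.
_DENY = re.compile(
    r"^User: (?P<principal>.+?) is not authorized to perform: (?P<action>\S+) "
    r"on resource: (?P<resource>.+?) "
    r"(?:because no (?P<implicit>.+?) policy allows the \S+ action"
    r"|with an explicit deny in (?:an?|the) (?P<explicit>.+?) policy)\.?$"
)

# Where to look for each ${policy_type}, as described on this page.
WHERE = {
    "identity-based": "policy or identity policy attached to the principal",
    "resource-based": "resource policy on the resource",
    "agency trust": "trust policy in the trust agency",
    "session": "session policy in the agency session",
    "service control": "SCP attached to the tenant, organization root, or organization unit",
}

def triage(message):
    """Return the parsed fields and the statement to look for, or None."""
    m = _DENY.match(message.strip())
    if m is None:
        return None  # not an IAM access-denied message in this format
    explicit = m.group("explicit") is not None
    policy_type = m.group("explicit") if explicit else m.group("implicit")
    return {
        "principal": m.group("principal"),
        "action": m.group("action"),
        "resource": m.group("resource"),
        "deny": "explicit" if explicit else "implicit",
        "policy_type": policy_type,
        # Implicit deny: an Allow is missing. Explicit deny: a Deny is present.
        "look_for": ("Deny statement to remove" if explicit
                     else "missing Allow statement"),
        "where": WHERE.get(policy_type, "unknown policy type"),
    }

# Constructed sample messages; principal, action and resource are placeholders.
SAMPLES = [
    "User: example-user is not authorized to perform: svc:res:get on resource: "
    "example-resource because no identity-based policy allows the svc:res:get action.",
    "User: example-user is not authorized to perform: svc:res:delete on resource: "
    "example-resource with an explicit deny in a service control policy.",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(triage(s))
```

A `None` result means the text does not follow either template, so it should be handled as a different error rather than as a policy denial.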