Common Errors Related to IAM Authentication Information
When an API that uses IAM authentication is called, the following IAM authentication errors may be encountered:
- Incorrect IAM authentication information: verify aksk signature fail
- Incorrect IAM authentication information: AK access failed to reach the limit,forbidden
- Incorrect IAM authentication information: decrypt token fail
- Incorrect IAM authentication information: Get secretKey failed
Incorrect IAM authentication information: verify aksk signature fail
{ "error_msg": "Incorrect IAM authentication information: verify aksk signature fail, ...... "error_code": "APIC.0301", "request_id": "******" }
Possible Cause
The signature algorithm is incorrect, and the signature calculated by the client is different from that calculated by ROMA Connect.
Solution
- Obtain the canonicalRequest calculated by ROMA Connect.
Obtain the canonicalRequest calculated by API Gateway from the following error information:
{ "error_msg": "Incorrect IAM authentication information: verify aksk signature fail,canonicalRequest:PUT|/v2/******/instances/******/configs/||authorization:SDK-HMAC-SHA256 Access=******, SignedHeaders=authorization;content-length;content-type;host;x-project-id;x-sdk-date, Signature=******|content-length:84|content-type:application/json;charset=UTF-8|host:******|x-project-id:******|x-sdk-date:20201117T072119Z||authorization;content-length;content-type;host;x-project-id;x-sdk-date|******", "error_code": "APIC.0301", "request_id": "******" }
Replace the vertical bars (|) with line breaks to change the error information as follows:
{ "error_msg": "Incorrect IAM authentication information: verify aksk signature fail,canonicalRequest:PUT
/v2/******/instances/******/configs/

authorization:SDK-HMAC-SHA256 Access=GRFQJFPWGL34UZBRLSDJ, SignedHeaders=authorization;content-length;content-type;host;x-project-id;x-sdk-date, Signature=******
content-length:84
content-type:application/json;charset=UTF-8
host:******
x-project-id:******
x-sdk-date:20201117T072119Z

authorization;content-length;content-type;host;x-project-id;x-sdk-date
******", "error_code": "APIC.0301", "request_id": "******" }
- Obtain the canonicalRequest calculated by the client by printing logs or setting breakpoints in a debugger. The following table lists the functions that calculate the canonicalRequest in the SDKs of different languages.
Table 1 Functions for calculating canonicalRequest in the SDKs of common languages

| Language | Location |
|---|---|
| Java (earlier than 3.1.0) | Sign function in com.cloud.sdk.auth.signer.DefaultSigner.class of libs/java-sdk-core-*.jar |
| Java (3.1.0 or later) | Sign function in com.cloud.sdk.auth.signer.Signer.class of libs/java-sdk-core-*.jar |
| cpp | Signer::createSignature function in signer.cpp |
| csharp | Sign function in signer.cs |
| c | sig_sign function in signer.c |
| go | Sign function in signer.go |
| js | Signer.prototype.Sign function in signer.js |
| php | Sign function in signer.php |
| python | Sign function in signer.py |
- Check whether the domain name, method, protocol, path, query strings, headers, and body parameters of the canonicalRequest obtained in step 1 are the same as those obtained in step 2.
  - If they are different, the common causes are as follows:
    - Some HTTP clients automatically add charset=utf-8 to the signature header content-type.
    - The user used a proxy to forward requests. The URL, query strings, headers, and body in the request forwarded by the proxy to ROMA Connect are inconsistent with those signed by the client.
    - Some HTTP clients automatically ignore the body of requests that use the GET or DELETE method.
    - Some earlier version SDKs do not allow special characters in URLs.
    - Some earlier version SDKs do not support query strings that contain a key with multiple values, for example, ?a=1&a=2.
    - Some earlier version SDKs do not allow query strings in URLs.
    - The user-agent header in the actual request is different from the signed user-agent header.
    - Multiple headers with the same name exist.
    - Multiple query strings with the same name exist.
    - The canonicalRequest contains the authorization header, which conflicts with the signature header.
  - If they are consistent, check whether the AppSecret or SK is correct.
    Common cause: The AppSecret or SK contains unnecessary spaces.
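The comparison in the steps above can be scripted. The following Python sketch is an added example, not code from ROMA Connect or its SDKs. The sample error body, client log, host name and BODYHASH placeholder are constructed, and it assumes the client-side canonicalRequest was logged with real line breaks.

```python
import json

MARK = "canonicalRequest:"

def parse_canonical(text, sep="\n"):
    """Split a canonicalRequest into named components.
    Layout: method, path, query, header lines, blank, signed headers, body hash."""
    lines = text.split(sep)
    if len(lines) < 6:
        raise ValueError("not a canonicalRequest")
    parts = {"method": lines[0], "path": lines[1], "query": lines[2],
             "signed-headers": lines[-2], "body-hash": lines[-1]}
    for line in lines[3:-2]:
        if line:  # skip the blank separator line
            name, _, value = line.partition(":")
            # Keep a list so duplicate header names stay visible.
            parts.setdefault("header " + name, []).append(value)
    return parts

def from_error_body(body):
    """Pull the gateway-side canonicalRequest out of an APIC.0301 response body."""
    msg = json.loads(body)["error_msg"]
    pos = msg.find(MARK)
    if pos < 0:
        raise ValueError("error_msg has no canonicalRequest")
    # The gateway prints line breaks as '|' (a '|' inside a value would
    # mis-split; this sketch assumes none).
    return parse_canonical(msg[pos + len(MARK):], sep="|")

def mismatches(server, client):
    """Return {component: (server_value, client_value)} for every difference."""
    keys = sorted(set(server) | set(client))
    return {k: (server.get(k), client.get(k))
            for k in keys if server.get(k) != client.get(k)}

# Constructed sample: the HTTP client appended charset=UTF-8 after signing.
SERVER_BODY = json.dumps({
    "error_msg": "Incorrect IAM authentication information: verify aksk signature fail,"
                 "canonicalRequest:PUT|/v2/demo/configs/||"
                 "content-type:application/json;charset=UTF-8|host:api.example.com|"
                 "x-sdk-date:20201117T072119Z||content-type;host;x-sdk-date|BODYHASH",
    "error_code": "APIC.0301", "request_id": "constructed"})
CLIENT_LOG = "\n".join([
    "PUT", "/v2/demo/configs/", "", "content-type:application/json",
    "host:api.example.com", "x-sdk-date:20201117T072119Z", "",
    "content-type;host;x-sdk-date", "BODYHASH"])

if __name__ == "__main__":
    diff = mismatches(from_error_body(SERVER_BODY), parse_canonical(CLIENT_LOG))
    for name, (srv, cli) in diff.items():
        print(f"{name}: gateway={srv!r} client={cli!r}")
```

An empty result means both sides built the same canonicalRequest, which points to the AppSecret or SK rather than the request.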
Incorrect IAM authentication information: AK access failed to reach the limit,forbidden
{ "error_msg": "Incorrect IAM authentication information: AK access failed to reach the limit,forbidden." ...... "error_code": "APIC.0301", "request_id": "******" }
Possible Cause
- The AK/SK signature is incorrectly calculated. Resolve the problem by referring to Incorrect IAM authentication information: verify aksk signature fail.
- The SK corresponding to the AK does not match.
- AK/SK authentication fails more than five consecutive times, and the AK/SK pair is locked for five minutes. Authentication requests are rejected within this period.
- The token has expired during token authentication.
Incorrect IAM authentication information: decrypt token fail
{ "error_msg": "Incorrect IAM authentication information: decrypt token fail", "error_code": "APIC.0301", "request_id": "******" }
Possible Cause
The token cannot be parsed for IAM authentication of the API.
Solution
- Check whether the token is correct.
- Check whether the token has been obtained in the environment where the API is called.
Incorrect IAM authentication information: Get secretKey failed
{ "error_msg": "Incorrect IAM authentication information: Get secretKey failed,ak:******,err:ak not exist", "error_code": "APIC.0301", "request_id": "******" }
Possible Cause
The AK used for IAM authentication of the API does not exist.
Solution
Check whether the AK is correct.