This article describes the common error codes and causes when you try to access Object Storage Service (OSS) resources by calling the AssumeRole operation in Security Token Service (STS).
The following table describes the common error codes and causes.
|ErrorCode: NoPermission ErrorMessage: Roles may not be assumed by root accounts.||Use the AccessKey pair of a Resource Access Management (RAM) user instead of that of an Alibaba Cloud account because the AssumeRole operation must be called by a RAM user.|
|ErrorCode: MissingSecurityToken ErrorMessage: SecurityToken is mandatory for this action.||Temporary access credential information is missing. Temporary access credential information consists of an AccessKey ID, AccessKey secret, and security token. The temporary access credential information is generated when you use a RAM user to call the AssumeRole operation of RAM. You must pass in the AccessKeyId, AccessSecret, and SecurityToken parameters when you use the temporary access credential information to call the API operations of other services.|
|Error code: InvalidAccessKeyId.NotFound Error message: Specified access key is not found||The AccessKey ID is invalid. Make sure that you enter the AccessKey ID correctly and remove leading and trailing spaces from the AccessKey ID.|
|Error code: InvalidAccessKeyId.Inactive Error message: Specified access key is disabled.||The AccessKey ID of the RAM user is disabled. Enable the AccessKey pair, or use another AccessKey pair. Log on to the RAM Console, clickthat you want to check. This way, you can confirm whether the AccessKey pair is enabled.|
|ErrorCode: InvalidParameter.PolicyGrammar ErrorMessage: The parameter Policy has not passed grammar check.||The policy attached to the RAM role is invalid. You can determine whether to attach a policy to the RAM role. If you attach a policy to the RAM role, the effective permissions of the temporary user are an intersection of the attached authorization policy and the permissions of the role. If no policy is attached, the permissions of the role are the effective permissions for the temporary user. When this error is reported, check the attached authorization policy. We recommend that you do not attach policies to temporary users. To attach a policy to the role, use RAM Policy Editor to generate a policy. For more information, visit RAM Policy Editor.|
|ErrorCode: InvalidParameter.RoleSessionNameErrorMessage: The parameter RoleSessionName is wrongly formed.||RoleSessionName specified for AssumeRole is invalid. This parameter is used to identify different tokens to indicate who is using a specific token, which facilitates audit. The role session name must be 2 to 32 characters in length. Format: ^[a-zA-Z0-9.@-_]+$. For more information, see AssumeRole. For example, the names such as a, 1, abc\*abc, and Teenage Mutant Ninja Turtles are invalid.|
|ErrorCode: InvalidParameter.DurationSeconds Error message: The Min/Max value of DurationSeconds is 15min/1hr.||The specified validity period is invalid. In other words, the AssumeRoleRequest.setDurationSeconds parameter value is invalid. The validity period in seconds can be specified. The validity period is between 900 and 3600 seconds. For example, assumeRoleRequest.setDurationSeconds(60L * 20) indicates that the validity period is 20 minutes.|
|ErrorCode: NoPermissionErrorMessage: No permission perform sts:AssumeRole on this Role. Maybe you are not authorized to perform sts:AssumeRole or the specified role does not trust you.||
|Error code: NoPermission Error message: You are not authorized to do this action. You should be authorized by RAM.||For more information, see The "You are not authorized to do this action. You should be authorized by RAM" error occurred when you use STS to authorize temporary access.|