All Products
Document Center

How to handle the common errors when you access OSS by using STS

Last Updated: Jul 30, 2021


This article describes the common error codes and causes when you try to access Object Storage Service (OSS) resources by calling the AssumeRole operation in Security Token Service (STS).


The following table describes the common error codes and causes.

Error code Cause
ErrorCode: NoPermission ErrorMessage: Roles may not be assumed by root accounts. Use the AccessKey pair of a Resource Access Management (RAM) user instead of that of an Alibaba Cloud account because the AssumeRole operation must be called by a RAM user.
ErrorCode: MissingSecurityToken ErrorMessage: SecurityToken is mandatory for this action. Temporary access credential information is missing. Temporary access credential information consists of an AccessKey ID, AccessKey secret, and security token. The temporary access credential information is generated when you use a RAM user to call the AssumeRole operation of RAM. You must pass in the AccessKeyId, AccessSecret, and SecurityToken parameters when you use the temporary access credential information to call the API operations of other services.
Error code: InvalidAccessKeyId.NotFound Error message: Specified access key is not found The AccessKey ID is invalid. Make sure that you enter the AccessKey ID correctly and remove leading and trailing spaces from the AccessKey ID.
Error code: InvalidAccessKeyId.Inactive Error message: Specified access key is disabled. The AccessKey ID of the RAM user is disabled. Enable the AccessKey pair, or use another AccessKey pair. Log on to the RAM Console, click Users, and then click the user logon name that you want to check. This way, you can confirm whether the AccessKey pair is enabled.
ErrorCode: InvalidParameter.PolicyGrammar ErrorMessage: The parameter Policy has not passed grammar check. The policy attached to the RAM role is invalid. You can determine whether to attach a policy to the RAM role. If you attach a policy to the RAM role, the effective permissions of the temporary user are an intersection of the attached authorization policy and the permissions of the role. If no policy is attached, the permissions of the role are the effective permissions for the temporary user. When this error is reported, check the attached authorization policy. We recommend that you do not attach policies to temporary users. To attach a policy to the role, use RAM Policy Editor to generate a policy. For more information, visit RAM Policy Editor.
ErrorCode: InvalidParameter.RoleSessionNameErrorMessage: The parameter RoleSessionName is wrongly formed. RoleSessionName specified for AssumeRole is invalid. This parameter is used to identify different tokens to indicate who is using a specific token, which facilitates audit. The role session name must be 2 to 32 characters in length. Format: ^[a-zA-Z0-9.@-_]+$. For more information, see AssumeRole. For example, the names such as a, 1, abc\*abc, and Teenage Mutant Ninja Turtles are invalid.
ErrorCode: InvalidParameter.DurationSeconds Error message: The Min/Max value of DurationSeconds is 15min/1hr. The specified validity period is invalid. In other words, the AssumeRoleRequest.setDurationSeconds parameter value is invalid. The validity period in seconds can be specified. The validity period is between 900 and 3600 seconds. For example, assumeRoleRequest.setDurationSeconds(60L * 20) indicates that the validity period is 20 minutes.
ErrorCode: NoPermissionErrorMessage: No permission perform sts:AssumeRole on this Role. Maybe you are not authorized to perform sts:AssumeRole or the specified role does not trust you.
  • Cause 1: The RAM user that assumes the role has no permissions. You must grant the RAM user the AliyunSTSAssumeRoleAccess system authorization permission.
  • Cause 2: The Alibaba Cloud account ID for the RAM user who sent a request to assume the role does not match the trusted Alibaba Cloud account ID for the role. The role creator must confirm and modify the Alibaba Cloud account ID. The Alibaba Cloud account ID for the RAM user is the ID of the Alibaba Cloud user who created the RAM user. The Alibaba Cloud account ID for the role is the Alibaba Cloud account ID for the Alibaba Cloud user who created this role.
  • Cause 3: The role type is incorrect. If the type of roles is classified into user roles and service roles, the temporary user are not allowed to use AssumeRole to assume a service role.
Error code: NoPermission Error message: You are not authorized to do this action. You should be authorized by RAM. For more information, see The "You are not authorized to do this action. You should be authorized by RAM" error occurred when you use STS to authorize temporary access.
  • For more information about the examples on how to assume a role by using Java, visit GitHub.
  • For more examples on AssumeRole, see STS SDK overview.

Application scope

  • OSS
  • RAM