
Announcement of changes to the authentication mechanism for Alibaba Cloud ECS query API operations

Last Updated: Sep 25, 2025

To reduce permission determination complexity and improve permission management experience when Resource Access Management (RAM) users and roles are used to call API operations, Alibaba Cloud Elastic Compute Service (ECS) will upgrade the authentication mechanism for query (Describe) API operations on December 20, 2025 (UTC+8). This upgrade will standardize the return values when API calls lack permissions, including but not limited to SDK, CLI, and Terraform call methods.

Effective time

December 20, 2025 (UTC+8)

Affected regions

All regions

Adjustment content

The response is upgraded when you use a RAM user or role to call an ECS query (Describe) API operation without the required permissions. Before the upgrade, the operation returns an empty resource list with HttpCode:200 (OK). After the upgrade, the operation returns an error response with HttpCode:403 (Forbidden), which indicates an authentication failure.

Comparison before and after the upgrade

| Comparison item | Before the upgrade | After the upgrade |
| --- | --- | --- |
| Return result | Empty resource list (HTTP 200) | Authentication failure (HTTP 403) |
| Error code | None | Forbidden.RAM |
| Error message | None | "User not authorized to operate on the specified resource, or this API doesn't support RAM." or similar error message |
| Diagnostic information | None | AccessDeniedDetail field |

In this example, the DescribeInstances operation is used. If you call the operation without the ecs:DescribeInstances permission, the following responses are returned before and after the upgrade:

Before the upgrade

{
  "RequestId": "ABCD-1234-1234-ABCD",
  "Instances": {
    "Instance": []
  },
  "NextToken": "",
  "PageNumber": 1,
  "PageSize": 10,
  "TotalCount": 0
}

After the upgrade

{
  "RequestId": "ABCD-1234-1234-ABCD",
  "HostId": "ecs.cn-hangzhou.aliyuncs.com",
  "Code": "Forbidden.RAM",
  "Message": "User not authorized to operate on the specified resource, or this API doesn't support RAM.",
  "Recommend": "https://api.aliyun.com/troubleshoot?q=Forbidden.RAM&product=Ecs&requestId=ABCD-1234-1234-ABCD",
  "AccessDeniedDetail": {
    "AuthAction": "ecs:DescribeInstances",
    ...
  }
}

Affected API operations

| Service | API version | Operation |
| --- | --- | --- |
| ECS | 2014-05-26 | DescribeInstances |
| ECS | 2014-05-26 | DescribeDisks |

SDK call adaptation

Capture the permission failure (Exception) in your code and handle it accordingly. The Exception element contains the AccessDeniedDetail field that describes the detailed reason for the permission failure. You can obtain the field by using the getAccessDeniedDetail() function. Java examples:

SDK V1.0 for Java example:

// Generate an SDK request.
DescribeXXXRequest request = new DescribeXXXRequest();
try {
    DescribeXXXResponse response = client.getAcsResponse(request);
} catch (ServerException e) {
    // Display the error code.
    System.out.println(e.getErrCode());
} catch (ClientException e) {
    // Display the error code. For permission errors, Forbidden.RAM is returned.
    System.out.println(e.getErrCode());
    // Get detailed reason for the permission failure.
    System.out.println(e.getAccessDeniedDetail());
}

SDK V2.0 for Java example:

DescribeXXXRequest request = new DescribeXXXRequest();
try {
    client.describeXXX(request);
} catch (TeaException e) {
    // Display the error code. For permission errors, Forbidden.RAM is returned.
    System.out.println(e.getErrCode());
    // Get detailed reason for the permission failure.
    System.out.println(e.getAccessDeniedDetail());
}

The following table describes SDK call adaptation for other languages and versions.

| Language | Version | Adaptation document link |
| --- | --- | --- |
| Python | V1.0 | Handle exceptions |
| Python | V2.0 | Exception handling |
| PHP | V1.0 | Handle an exception |
| PHP | V2.0 | Handle an exception |
| Node.js | V1.0 | Handle exceptions |
| Node.js | V2.0 | Handle exceptions |
| .NET | V1.0 | Handle an exception |
| .NET | V2.0 | Exception handling |
| Go | V2.0 | Exception handling |

Note

Support for Alibaba Cloud SDK V1.0 for Go has ended. For more information, see End of support for Alibaba Cloud SDK V1.0 for Golang on March 1, 2025. We recommend that you use Alibaba Cloud SDK V2.0 for Go.

Solutions and support

Permission diagnosis and troubleshooting

When a permission error occurs, the response includes the AccessDeniedDetail field that provides detailed information about the permission denial. You can parse this information by using one of the following methods:

For more information, see How do I troubleshoot an access denied error?

Permission configuration suggestions

Grant required operation permissions

If you confirm that the AuthAction permission is required for your operation, contact your Alibaba Cloud account owner or permission administrator to grant permissions to your RAM user or grant permissions to your RAM role based on the diagnostic results.

Handle compatibility

To capture and identify error responses, use try...catch to catch the corresponding exception and check if the error code is Forbidden.RAM, which indicates that the RAM user lacks the required RAM permissions.
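
The compatibility handling described above, as an added Python example (not Alibaba Cloud's code) that works on the raw HTTP status and JSON body rather than on a specific SDK. It keeps a Forbidden.RAM denial separate from a genuinely empty result, so an inventory or audit job reports a permission gap instead of zero instances; the function names, region list and sample bodies are constructed for illustration.

```python
import json

# Constructed sample bodies modeled on the two responses shown on this page.
EMPTY_200 = json.dumps({"RequestId": "ABCD-1234-1234-ABCD",
                        "Instances": {"Instance": []}, "TotalCount": 0})
POPULATED_200 = json.dumps({"RequestId": "ABCD-1234-1234-ABCD", "TotalCount": 1,
                            "Instances": {"Instance": [{"InstanceId": "i-constructed"}]}})
DENIED_403 = json.dumps({"RequestId": "ABCD-1234-1234-ABCD", "Code": "Forbidden.RAM",
                         "AccessDeniedDetail": {"AuthAction": "ecs:DescribeInstances"}})


def classify(http_status, body):
    """Classify one DescribeInstances response as ok, empty, denied or error."""
    try:
        doc = json.loads(body)
    except ValueError:
        return ("error", "unparseable body")
    if not isinstance(doc, dict):
        return ("error", "unexpected body")
    code = doc.get("Code")
    if http_status == 403 and code == "Forbidden.RAM":
        # Post-upgrade behaviour: the missing action is named in AuthAction.
        detail = doc.get("AccessDeniedDetail")
        action = detail.get("AuthAction", "unknown") if isinstance(detail, dict) else "unknown"
        return ("denied", action)
    if http_status != 200 or code:
        return ("error", code or "HTTP %d" % http_status)
    instances = (doc.get("Instances") or {}).get("Instance") or []
    # Pre-upgrade, an empty list for a RAM identity could also mean "no permission".
    return ("ok", len(instances)) if instances else ("empty", 0)


def coverage_report(responses):
    """Summarise per-region results so denied regions show up as gaps, not zero assets."""
    report = {"counts": {}, "denied": {}, "errors": {}}
    for region, (status, body) in sorted(responses.items()):
        state, detail = classify(status, body)
        if state == "denied":
            report["denied"][region] = detail
        elif state == "error":
            report["errors"][region] = detail
        else:
            report["counts"][region] = detail
    return report


if __name__ == "__main__":
    # Constructed input: region IDs and statuses are sample values.
    sample = {"cn-hangzhou": (403, DENIED_403), "cn-beijing": (200, POPULATED_200),
              "cn-shanghai": (200, EMPTY_200), "cn-shenzhen": (502, "<html>bad gateway</html>")}
    print(json.dumps(coverage_report(sample), indent=2))
```

Each entry under "denied" carries the AuthAction value to pass to the permission administrator.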