Object Storage Service: "The OSS Access Key Id you provided does not exist in our records" error with STS temporary access credentials

Last Updated: Feb 27, 2026

When you access Object Storage Service (OSS) with Security Token Service (STS) temporary access credentials, OSS returns the following error:

The OSS Access Key Id you provided does not exist in our records

This error has several root causes. Use the diagnostic steps below to identify and resolve the issue.

Causes

This error occurs when the AccessKey ID in your request cannot be verified. Possible causes:

| # | Cause | Likelihood |
|---|-------|------------|
| 1 | The AccessKey ID of the parent RAM user is disabled or deleted | Common |
| 2 | The STS temporary access credentials have expired | Common |
| 3 | The SecurityToken is missing from the request | Common |
| 4 | The request uses the parent AccessKey ID instead of the STS-issued temporary AccessKey ID | Occasional |

Diagnose and fix

Work through these checks in order. Stop when you find and resolve the issue.

Step 1: Verify the parent AccessKey ID

The parent AccessKey ID is the permanent key used to call the STS AssumeRole API. If this key is disabled or deleted, STS cannot issue valid temporary access credentials.

  1. Log on to Security Management in the Alibaba Cloud Management Console.

  2. Locate the AccessKey ID used to call AssumeRole and check its status.

    • Disabled: Enable the AccessKey ID, then request new temporary access credentials.

    • Not found: Create a new AccessKey pair and update your application to use it.

Step 2: Check for expired temporary access credentials

STS temporary access credentials are valid for a limited time. After they expire, all OSS requests made with them fail with this error.

Request a new set of temporary access credentials from your app server by calling AssumeRole again. Make sure your application refreshes credentials before they expire to avoid request failures.

The validity period for temporary access credentials ranges from 900 seconds (15 minutes) to the maximum session duration configured for the Resource Access Management (RAM) role. For details, see Specify the maximum session duration for a RAM role.

Step 3: Verify that the request includes the SecurityToken

STS temporary access credentials consist of three parts that must all be used together:

| Component | Description |
|-----------|-------------|
| AccessKey ID | Temporary key ID issued by STS |
| AccessKey Secret | Temporary key secret issued by STS |
| SecurityToken | Session token issued by STS |

If your code uses only the AccessKey ID and AccessKey Secret without the SecurityToken, OSS returns error code InvalidAccessKeyId with the message: "The OSS Access Key Id you provided does not exist in our records. The Security Token may be lost to specify that it is a STS Access Id."

Initialize your OSS client with all three values. The following pseudocode shows the general flow:

assumeRoleResponse = stsClient.assumeRole(roleArn, roleSessionName, policy, durationSeconds)

// Use all three credentials from the response
accessKeyId     = assumeRoleResponse.Credentials.AccessKeyId
accessKeySecret = assumeRoleResponse.Credentials.AccessKeySecret
securityToken   = assumeRoleResponse.Credentials.SecurityToken

ossClient = createOSSClient(endpoint, accessKeyId, accessKeySecret, securityToken)

For language-specific implementation details, see Use STS temporary access credentials to access OSS, specifically Step 5: Obtain temporary access credentials.

Step 4: Confirm that the request uses the STS-issued AccessKey ID

Two different AccessKey IDs are involved in STS-based access:

  • Parent AccessKey ID: The permanent key of the RAM user, used to call the AssumeRole API.

  • Temporary AccessKey ID: The short-lived key returned by AssumeRole, used to make OSS requests.

If your code passes the parent AccessKey ID to the OSS client instead of the temporary one, OSS rejects the request because no SecurityToken matches a permanent key.

Verify that your OSS client uses the AccessKey ID from the AssumeRole response, not the one stored in your application configuration.
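A pre-flight check covering Steps 2 to 4, as an added example (not Alibaba Cloud's code). It assumes the Expiration timestamp (UTC, ISO 8601) that AssumeRole returns alongside the three credential values; the client_cfg keys, the finding labels, the five-minute refresh margin and all sample values are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

REFRESH_MARGIN = timedelta(minutes=5)  # assumed safety margin, not from the page

# Constructed sample of the Credentials object in an AssumeRole response.
SAMPLE_CREDENTIALS = {
    "AccessKeyId": "STS.EXAMPLE-TEMP-ID",
    "AccessKeySecret": "EXAMPLE-TEMP-SECRET",
    "SecurityToken": "EXAMPLE-SESSION-TOKEN",
    "Expiration": "2026-01-01T01:00:00Z",
}
PARENT_KEY_ID = "EXAMPLE-PARENT-ID"  # constructed permanent key ID of the RAM user


def diagnose(client_cfg, sts_credentials, parent_access_key_id, now=None):
    """Run the Step 2-4 checks; an empty list means all of them pass.

    client_cfg holds the values the OSS client was built with (hypothetical
    keys: access_key_id, access_key_secret, security_token). Findings are
    labels only and never contain credential values, so they can be logged.
    """
    now = now or datetime.now(timezone.utc)
    findings = []

    # Step 2: expired, or close enough to expiry that AssumeRole should be called again.
    expires = datetime.strptime(
        sts_credentials["Expiration"], "%Y-%m-%dT%H:%M:%SZ"
    ).replace(tzinfo=timezone.utc)
    if now >= expires:
        findings.append("expired")
    elif expires - now <= REFRESH_MARGIN:
        findings.append("refresh-due")

    # Step 3: the SecurityToken must accompany the temporary key pair.
    if not client_cfg.get("security_token"):
        findings.append("missing-security-token")
    elif client_cfg["security_token"] != sts_credentials["SecurityToken"]:
        findings.append("security-token-from-another-session")

    # Step 4: the client must use the STS-issued ID, not the parent key.
    key_id = client_cfg.get("access_key_id")
    if key_id == parent_access_key_id:
        findings.append("parent-access-key-id-in-use")
    elif key_id != sts_credentials["AccessKeyId"]:
        findings.append("access-key-id-not-from-this-response")
    return findings
```

Step 1 is not covered: the status of the parent AccessKey ID is only visible in the console, not in the AssumeRole response.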

STS credential constraints

| Constraint | Value |
|------------|-------|
| Minimum validity period | 900 seconds (15 minutes) |
| Maximum validity period | The maximum session duration configured for the RAM role |
| Credential components | AccessKey ID + AccessKey Secret + SecurityToken (all three required) |

For the roleSessionName parameter naming conventions, see AssumeRole.
