
AWS AccessDenied — User/role is not authorized to perform action

AccessDenied: user is not authorized to perform <action>

85% fixable · ~10 min · difficulty: intermediate

Verified against AWS IAM docs (troubleshoot-access-denied), AWS SDK v3 error schema, AWS CloudTrail best practices · Updated April 2026

Quick fix

The IAM user or role making the request doesn't have the required permission. Read the full error — AWS tells you exactly which action was denied (e.g., "s3:PutObject"). Attach a policy granting that action to the user or role.

// Example: inline policy granting s3:PutObject on a specific bucket
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::my-bucket/*"
  }]
}

What causes this error

AWS IAM is deny-by-default. Every API call is evaluated against the identity's attached policies, the resource policy (if any), and any SCPs from AWS Organizations. If no policy explicitly allows the action, or an explicit Deny overrides an Allow, AWS returns AccessDenied and names the action that was denied.


How to fix it

  1. Read the full error for the action name

     The error format is: "User: arn:... is not authorized to perform: service:Action on resource: ...". Copy that exact action string.

  2. Identify the IAM identity making the call

     The ARN in the error tells you: iam::123456789012:user/alice or assumed-role/MyLambdaRole/i-xxxxx. Go to IAM → Users or Roles → that identity.

  3. Check attached policies

     Does any attached policy Allow the denied action on the target resource? If not, attach an AWS-managed policy (e.g., AmazonS3ReadOnlyAccess) or write a least-privilege inline policy.

  4. Test with IAM Policy Simulator

     Before re-running your code, use the IAM Policy Simulator (iam.aws.amazon.com/iam/home#/policies/sim) to confirm the identity now has the permission.

  5. For cross-account or SCP denies

     If the identity policy looks right but the call is still denied, check for a resource policy (e.g., an S3 bucket policy) that explicitly denies your ARN, or an SCP from AWS Organizations that restricts the action at the account level.
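To make the deny-by-default evaluation and the "read the action name" step concrete, here is an added Python example (not Errordex's or AWS's code): it parses the AccessDenied message, runs a deliberately simplified version of identity-policy evaluation (implicit deny unless an Allow matches, explicit Deny always wins), and emits the narrowest Allow statement for the denied call. The error string, account id and bucket name are constructed, and the evaluator assumes no Condition keys, NotAction/NotResource, resource policies, SCPs or permissions boundaries.

```python
import re

# Constructed sample of the SDK error string; same shape as AWS's message, made-up ARNs.
SAMPLE_ERROR = (
    "An error occurred (AccessDenied) when calling the PutObject operation: "
    "User: arn:aws:iam::123456789012:user/alice is not authorized to perform: "
    's3:PutObject on resource: "arn:aws:s3:::my-bucket/report.csv" '
    "because no identity-based policy allows the s3:PutObject action"
)
# The quick-fix policy from the page, used to show the evaluation flipping to Allow.
FIX_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-bucket/*"}]}

DENY_RE = re.compile(
    r"User:? (?P<principal>arn:aws\S+) is not authorized to perform: "
    r"(?P<action>[A-Za-z0-9-]+:[A-Za-z0-9*]+)"
    r'(?: on resource: "?(?P<resource>[^\s"]+)"?)?')

def parse_access_denied(message):
    """Pull principal, action and (optional) resource out of an AccessDenied message."""
    m = DENY_RE.search(message)
    return m.groupdict() if m else None

def iam_match(pattern, value, ignore_case=False):
    """IAM wildcard match: '*' spans any characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def evaluate(policies, action, resource):
    """Simplified identity-policy evaluation: implicit deny by default, explicit Deny wins.
    Assumption: no Condition, NotAction/NotResource, resource policies, SCPs or boundaries."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            actions, resources = stmt.get("Action", []), stmt.get("Resource", [])
            actions = actions if isinstance(actions, list) else [actions]
            resources = resources if isinstance(resources, list) else [resources]
            # Action names are case-insensitive in IAM; ARNs are matched case-sensitively here.
            if any(iam_match(a, action, True) for a in actions) and \
               any(iam_match(r, resource) for r in resources):
                if stmt["Effect"] == "Deny":
                    return "ExplicitDeny"
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"

def least_privilege_fix(denial):
    """Narrowest Allow statement for the parsed denial ('*' only when no resource was named)."""
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Action": denial["action"], "Resource": denial["resource"] or "*"}]}
```

Running evaluate([], ...) on the parsed sample gives ImplicitDeny, evaluate([FIX_POLICY], ...) gives Allow, and adding any matching Deny statement flips the result to ExplicitDeny regardless of the Allow.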

Frequently asked questions

Does AccessDenied mean my credentials are wrong?

No. That would be InvalidAccessKeyId or SignatureDoesNotMatch. AccessDenied means AWS knows who you are but the identity lacks the required permission.

Why does AccessDenied sometimes show "Encoded authorization failure message"?

For security, AWS masks the exact deny reason for some services. Decode it with `aws sts decode-authorization-message --encoded-message <base64>`; the caller needs the sts:DecodeAuthorizationMessage permission to run that command.

How do I find the minimum required policy?

Enable CloudTrail and look at the API calls the identity tried. The CloudTrail event shows the exact action. Build a policy with just those actions.
