☁️ Reading AWS CLI Error Messages
4 exercises — read real AWS CLI error output. Tell apart AccessDenied, missing credentials, ExpiredToken, and throttling — four failure stages that each need a different fix.
AWS CLI error anatomy
An error occurred (ErrorCode) when calling the OperationName operation: messageis the standard shape- The ErrorCode (in parentheses) is the specific, machine-readable category — read it first
- The OperationName tells you exactly which API call was attempted
- "Unable to locate credentials" happens client-side, before any request reaches AWS
Talking about it out loud (Slack / stand-up)
- "Getting AccessDenied on PutObject — looks like a permissions issue on my role, not the file."
- "CLI can't find any credentials — I need to run aws configure or log in via SSO again."
- "It's not a permissions problem, my session token's just expired — logging back in."
- "We're getting throttled, not blocked — I'll add backoff so it stops hammering the API."
0 / 4 completed
1 / 4
aws s3 cp output — AccessDenied
{ex.passage} The upload fails with
(AccessDenied) ... Access Denied. What does this actually tell you — and what does it NOT tell you?AccessDenied is a permissions error, not a "not found" error — and AWS intentionally keeps it vague.
The operation named in the message,
Why AWS doesn't say more: for security reasons, AWS deliberately returns the same
How to debug: check the caller's identity with
How to describe this to a colleague: "The upload's getting AccessDenied on PutObject — looks like a permissions issue on my role, not a problem with the file itself." Precisely naming the operation (
The operation named in the message,
PutObject, tells you exactly which S3 API call was attempted (uploading an object). AccessDenied means the caller's IAM identity (user, role, or federated identity) lacks the required permission — most commonly a missing s3:PutObject action in its policy, a bucket policy that explicitly denies the action, or an SCP (Service Control Policy) restricting it at the AWS Organization level.Why AWS doesn't say more: for security reasons, AWS deliberately returns the same
AccessDenied whether the bucket exists and you lack permission, or the bucket doesn't exist at all — this prevents attackers from using error messages to enumerate which resources exist in someone else's account.How to debug: check the caller's identity with
aws sts get-caller-identity, then review the attached IAM policies and the target bucket's bucket policy for an explicit Deny or a missing Allow.How to describe this to a colleague: "The upload's getting AccessDenied on PutObject — looks like a permissions issue on my role, not a problem with the file itself." Precisely naming the operation (
PutObject) rather than just saying "it's broken" gets you a faster answer from whoever owns IAM.