CRITICAL

How to Fix Alibaba Cloud InvalidAccessKeyId.NotFound

Quick Fix Summary

TL;DR

Verify that your AccessKey ID exists in the RAM console and has the correct permissions.

The Alibaba Cloud API cannot find the AccessKey ID used in the request. This is a critical authentication failure that blocks all API and SDK operations.

Diagnosis & Causes

  • AccessKey ID was deleted or disabled in RAM.
  • AccessKey belongs to a RAM user that was deleted.
  • The AccessKey is from the wrong Alibaba Cloud account.
  • AccessKey has expired or been rotated.
  • Typographical error in the AccessKey ID string.

Recovery Steps

    Step 1: Verify AccessKey Existence in RAM Console

    Log in to the Alibaba Cloud console and navigate to RAM to confirm the AccessKey ID exists and is active.

    1. Log in to the Alibaba Cloud Console: https://ram.console.aliyun.com/users
    2. Navigate to 'Identities' > 'Users'.
    3. Find your user and click 'Security Credentials'.
    4. Verify that your AccessKey ID is listed and its status is 'Active'.

    Step 2: Check RAM User Status and Permissions

    Ensure the RAM user associated with the AccessKey is active and has the necessary authorization policies attached.

    bash
    # Use the Alibaba Cloud CLI to check the user and its policies (set USER_NAME first)
    aliyun ram GetUser --UserName "$USER_NAME"
    aliyun ram ListPoliciesForUser --UserName "$USER_NAME"

    Step 3: Validate Credentials with a Simple API Call

    Use the Alibaba Cloud CLI or SDK with the suspected credentials to make a simple, read-only API call for validation.

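    bash
    # Test with the CLI (configure credentials first: aliyun configure)
    aliyun ecs DescribeRegions

    python
    # Test with the Python SDK (install aliyun-python-sdk-core and aliyun-python-sdk-ecs)
    from aliyunsdkcore.client import AcsClient
    from aliyunsdkecs.request.v20140526 import DescribeRegionsRequest

    client = AcsClient('<AccessKeyId>', '<AccessKeySecret>', 'cn-hangzhou')
    request = DescribeRegionsRequest.DescribeRegionsRequest()
    # Raises ServerException (InvalidAccessKeyId.NotFound) if the ID is not recognized
    response = client.do_action_with_exception(request)
    print(response)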

    Step 4: Cross-Account Validation

    Confirm you are using credentials for the correct Alibaba Cloud main account. AccessKeys are not shared across accounts.

    bash
    # Get the Account ID associated with your AccessKey via STS
    aliyun sts GetCallerIdentity

    Step 5: Create and Apply New AccessKey (Last Resort)

    If the old key is lost or invalid, create a new one and immediately update all application configurations.

    bash
    # Create a new AccessKey for a RAM user
    aliyun ram CreateAccessKey --UserName "$USER_NAME"
    # SECURITY: Immediately update environment variables and config files
    export ALIBABACLOUD_ACCESS_KEY_ID='new_id'
    export ALIBABACLOUD_ACCESS_KEY_SECRET='new_secret'

    Architect's Pro Tip

    "For production systems, use RAM roles attached to ECS instances instead of hard-coded AccessKeys. This eliminates key rotation downtime and is more secure."

    Frequently Asked Questions

    Can I get this error if my AccessKey Secret is wrong but the ID is correct?

    No. 'InvalidAccessKeyId.NotFound' specifically means the *ID* itself is unrecognized. A wrong Secret returns 'InvalidAccessKeyId.Inactive' or 'SignatureDoesNotMatch'.

    My code works locally but fails on my server with this error. Why?

    Your server environment (e.g., environment variables, configuration file) is likely loading a different, invalid AccessKey ID than your local development environment.
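
To compare what each environment actually loads, this added example (not part of the original guide or of any Alibaba Cloud tool) lists every AccessKey ID source on a host and flags whitespace, stray quotes, placeholders and disagreeing sources. The underscore-spelled variable name and the `~/.aliyun/config.json` profile layout are assumptions; adjust them to your deployment.

```python
import hashlib
import json
import os
from pathlib import Path

# Assumed sources: the variable exported in Step 5, the underscore spelling
# used by newer SDKs, and the profile file written by `aliyun configure`.
ENV_NAMES = ("ALIBABACLOUD_ACCESS_KEY_ID", "ALIBABA_CLOUD_ACCESS_KEY_ID")
CLI_CONFIG = Path.home() / ".aliyun" / "config.json"

def describe(raw):
    """Return (masked_id, fingerprint, problems) without echoing the full ID."""
    problems = []
    if raw != raw.strip():
        problems.append("leading/trailing whitespace")
    value = raw.strip()
    if value.startswith(("'", '"')) or value.endswith(("'", '"')):
        problems.append("literal quote characters")
    # 'new_id' is the placeholder used in Step 5 of this guide.
    if not value or "<" in value or value == "new_id":
        problems.append("empty or placeholder value")
    masked = f"{value[:4]}...{value[-4:]}" if len(value) >= 12 else "***"
    # Fingerprint the exact string the SDK would send, so hosts can be compared.
    fingerprint = hashlib.sha256(raw.encode("utf-8")).hexdigest()[:12]
    return masked, fingerprint, problems

def collect(env=None, config_path=CLI_CONFIG):
    """List every AccessKey ID this host could load, with its source."""
    env = os.environ if env is None else env
    found = [(f"env:{name}", env[name]) for name in ENV_NAMES if name in env]
    path = Path(config_path)
    if path.is_file():
        config = json.loads(path.read_text(encoding="utf-8"))
        for profile in config.get("profiles", []):
            if profile.get("access_key_id"):
                source = f"cli-profile:{profile.get('name')}"
                found.append((source, profile["access_key_id"]))
    return [(source, *describe(raw)) for source, raw in found]

def report(findings):
    """One line per source, plus a warning when the sources disagree."""
    lines = [f"{src}: {masked} sha256:{fp} {'; '.join(probs) or 'ok'}"
             for src, masked, fp, probs in findings]
    if len({fp for _, _, fp, _ in findings}) > 1:
        lines.append("WARNING: sources hold different AccessKey IDs")
    return lines

if __name__ == "__main__":
    print("\n".join(report(collect())) or "no AccessKey ID found")
```

Run it on both the workstation and the server and compare the `sha256:` fingerprints; a mismatch means the two hosts are sending different AccessKey IDs.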

    How do I prevent this error during AccessKey rotation?

    Use a two-phase update: 1) Create and deploy the new AccessKey alongside the old one. 2) After verifying the new key works, remove the old one. Never delete the active key first.
