Misleading error message with unauthorized credentials

[ducminh-phan]

Expected behavior

Clear error message with unauthorized credentials

Actual behavior

Ambiguous error message when unauthorized credentials are provided: mc: <ERROR> Unable to prepare URL for copying. Unable to guess the type of copy operation.

Compared to awscli's message: fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden

Steps to reproduce the behavior

1. Set an alias with valid credentials, but restricted to a bucket, say bucket_a

   mc alias set test_s3 https://s3.amazonaws.com AKIA... hunter2...

2. Copy a file from a second bucket, on which the credentials have no permissions

   mc cp test_s3/bucket_b/file.zip .

Debug output:

❯ mc cp test_s3/bucket_b/snapshot.zip . --debug
 0 B / ?  ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░▓
mc: <DEBUG> HEAD /snapshot.zip HTTP/1.1
Host: **REDACTED**.s3.dualstack.eu-central-1.amazonaws.com
User-Agent: MinIO (darwin; arm64) minio-go/v7.0.88 mc/RELEASE.2025-03-12T17-29-24Z
Authorization: AWS4-HMAC-SHA256 Credential=**REDACTED**/20250603/eu-central-1/s3/aws4_request, SignedHeaders=host;x-amz-checksum-mode;x-amz-content-sha256;x-amz-date, Signature=**REDACTED**
X-Amz-Checksum-Mode: ENABLED
X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
X-Amz-Date: 20250603T023639Z

mc: <DEBUG> HTTP/1.1 403 Forbidden
Transfer-Encoding: chunked
Content-Type: application/xml
Date: Tue, 03 Jun 2025 02:36:40 GMT
Server: AmazonS3
X-Amz-Id-2: **REDACTED**
X-Amz-Request-Id: **REDACTED**

mc: <DEBUG> TLS Certificate found:
mc: <DEBUG>  >> Country: US
mc: <DEBUG>  >> Organization: Amazon
mc: <DEBUG>  >> Expires: 2026-05-14 23:59:59 +0000 UTC
mc: <DEBUG> TLS Certificate found:
mc: <DEBUG>  >> Country: US
mc: <DEBUG>  >> Organization: Amazon
mc: <DEBUG>  >> Expires: 2030-08-23 22:21:28 +0000 UTC
mc: <DEBUG> TLS Certificate found:
mc: <DEBUG>  >> Country: US
mc: <DEBUG>  >> Organization: Starfield Technologies, Inc.
mc: <DEBUG>  >> Expires: 2037-12-31 01:00:00 +0000 UTC
mc: <DEBUG> TLS Certificate found:
mc: <DEBUG>  >> Country: US
mc: <DEBUG>  >> Organization: Starfield Technologies, Inc.
mc: <DEBUG>  >> Expires: 2034-06-28 17:39:16 +0000 UTC
mc: <DEBUG> Response Time:  1.195231625s

mc: <ERROR> Unable to prepare URL for copying. Unable to guess the type of copy operation.
 (2) cp-main.go:300 cmd.printCopyURLsError(..)
 (1) cp-url.go:339 cmd.prepareCopyURLs.func1(..) Tags: [**REDACTED**]
 (0) typed-errors.go:46 cmd.init.func18(..)
 Release-Tag:RELEASE.2025-03-12T17-29-24Z | Commit:c1d5d4cbb4ca | Host:**REDACTED** | OS:darwin | Arch:arm64 | Lang:go1.24.1 | Mem:3.3 MiB/14 MiB | Heap:3.3 MiB/7.3 MiB

mc --version

mc version RELEASE.2025-03-12T17-29-24Z (commit-id=c1d5d4cbb4caf05afef3ea06a91a56bd778336de)
Runtime: go1.24.1 darwin/arm64
Copyright (c) 2015-2025 MinIO, Inc.
License GNU AGPLv3 <https://www.gnu.org/licenses/agpl-3.0.html>

[ravindk89]

@ducminh-phan this is expected behavior because of what happens after step 1.

mc alias set test_s3 https://s3.amazonaws.com foobar123 foobar123                                1 ✘ 
mc: <ERROR> Unable to initialize new alias from the provided credentials. The AWS Access Key Id you provided does not exist in our records.

The error actually originates directly from the response returned by AWS:

mc: <DEBUG> HTTP/1.1 403 Forbidden
Transfer-Encoding: chunked
Content-Type: application/xml
Date: Mon, 02 Jun 2025 16:03:29 GMT
Server: AmazonS3
X-Amz-Id-2: ryJNM2zlI/G1RVHalVGGOrQEbfEmga+4Trdm9Y1jXrDNyx4wwKbYHi6bBTyheWbqdaYTDyYZFs4=
X-Amz-Request-Id: PAS1EQEB3W8NWYQZ

157
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>InvalidAccessKeyId</Code><Message>The AWS Access Key Id you provided does not exist in our records.</Message><AWSAccessKeyId>foobar123</AWSAccessKeyId><RequestId>PAS1EQEB3W8NWYQZ</RequestId><HostId>ryJNM2zlI/G1RVHalVGGOrQEbfEmga+4Trdm9Y1jXrDNyx4wwKbYHi6bBTyheWbqdaYTDyYZFs4=</HostId></Error>
0

mc: <DEBUG> TLS Certificate found: 
mc: <DEBUG>  >> Country: US
mc: <DEBUG>  >> Organization: Amazon
mc: <DEBUG>  >> Expires: 2026-02-07 23:59:59 +0000 UTC
mc: <DEBUG> TLS Certificate found: 
mc: <DEBUG>  >> Country: US
mc: <DEBUG>  >> Organization: Amazon
mc: <DEBUG>  >> Expires: 2030-08-23 22:21:28 +0000 UTC
mc: <DEBUG> TLS Certificate found: 
mc: <DEBUG>  >> Country: US
mc: <DEBUG>  >> Organization: Starfield Technologies, Inc.
mc: <DEBUG>  >> Expires: 2037-12-31 01:00:00 +0000 UTC
mc: <DEBUG> TLS Certificate found: 
mc: <DEBUG>  >> Country: US
mc: <DEBUG>  >> Organization: Starfield Technologies, Inc.
mc: <DEBUG>  >> Expires: 2034-06-28 17:39:16 +0000 UTC
mc: <DEBUG> Response Time:  17.665543ms

If you run mc alias list you will not see test_s3 in the list, as the alias does not exist (due to the error)

Thus in step 2, what mc is doing is attempting to actually copy the local folder/path to ., which it cannot do because cannot guess what you want to accomplish.

If you can run step 1 again and provide the output here you should see an error related to setting the Alias.

[ducminh-phan]

@ravindk89 Sorry 😢 I should have made it clearer. The credentials used in mc alias set test_s3 are valid, but restricted to bucket_a. Then we run mc cp test_s3/bucket_b/file.zip ., where the credentials stored in the alias have no permissions on bucket_b. I will update the description accordingly.