Error Codes

The proxy returns S3-compatible error responses in XML format:

```xml
<Error>
  <Code>AccessDenied</Code>
  <Message>Access Denied</Message>
  <RequestId>550e8400-e29b-41d4-a716-446655440000</RequestId>
</Error>
```

Error Types

| Error | HTTP Status | S3 Code | When |
|---|---|---|---|
| BucketNotFound | 404 | NoSuchBucket | Requested bucket doesn't exist in config |
| NoSuchKey | 404 | NoSuchKey | Key not found in backend (forwarded from backend response) |
| AccessDenied | 403 | AccessDenied | Caller lacks permission for the requested operation |
| SignatureDoesNotMatch | 403 | SignatureDoesNotMatch | SigV4 signature verification failed |
| MissingAuth | 403 | AccessDenied | Authentication required but no credentials provided |
| ExpiredCredentials | 403 | ExpiredToken | Temporary credentials have expired |
| InvalidOidcToken | 400 | InvalidIdentityToken | JWT validation failed (bad signature, untrusted issuer, etc.) |
| RoleNotFound | 403 | AccessDenied | Requested role doesn't exist in config |
| InvalidRequest | 400 | InvalidRequest | Malformed S3 request |
| BackendError | 503 | ServiceUnavailable | Backend object store is unreachable or returned an error |
| PreconditionFailed | 412 | PreconditionFailed | Conditional request failed (If-Match, etc.) |
| NotModified | 304 | NotModified | Conditional request — content not changed |
| ConfigError | 500 | InternalError | Invalid proxy configuration |
| Internal | 500 | InternalError | Unexpected internal error |

STS Error Responses

STS errors follow the AWS STS error format:

```xml
<ErrorResponse>
  <Error>
    <Code>InvalidIdentityToken</Code>
    <Message>Token signature verification failed</Message>
  </Error>
  <RequestId>550e8400-e29b-41d4-a716-446655440000</RequestId>
</ErrorResponse>
```

| HTTP Status | Code | When |
|---|---|---|
| 400 | MalformedPolicyDocument | Role not found in config |
| 400 | InvalidIdentityToken | JWT invalid, untrusted issuer, algorithm unsupported, subject mismatch |
| 400 | InvalidParameterValue | Missing required STS parameters |
| 403 | AccessDenied | General authorization failure |
| 500 | InternalError | Unexpected error during token exchange |

Error Message Safety

NOTE

For 5xx errors, the proxy returns generic messages to avoid leaking internal infrastructure details. The full error is logged server-side but not exposed to clients. For 4xx errors, descriptive messages are returned to help clients debug authentication and authorization issues.
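
The behaviour described in this note, sketched in Python as an added example (not the proxy's own code): 5xx details go to the server log and the client gets a generic message, while 4xx details are returned XML-escaped. The `render_error` function, the `GENERIC_5XX` wording and the sample inputs are assumptions; the status and code mapping is a subset of the Error Types table.

```python
import logging
import uuid
from xml.sax.saxutils import escape

log = logging.getLogger("proxy.errors")

# Subset of the Error Types table: internal error -> (HTTP status, S3 code).
ERROR_MAP = {
    "BucketNotFound": (404, "NoSuchBucket"),
    "AccessDenied": (403, "AccessDenied"),
    "MissingAuth": (403, "AccessDenied"),
    "RoleNotFound": (403, "AccessDenied"),
    "InvalidOidcToken": (400, "InvalidIdentityToken"),
    "BackendError": (503, "ServiceUnavailable"),
    "ConfigError": (500, "InternalError"),
    "Internal": (500, "InternalError"),
}

# Constructed generic texts; the page does not give the proxy's actual wording.
GENERIC_5XX = {
    "ServiceUnavailable": "Service unavailable",
    "InternalError": "Internal error",
}


def render_error(kind, detail, request_id=None):
    """Return (status, xml_body, request_id) for an internal error kind."""
    # Unknown kinds fail closed to a generic 500.
    status, code = ERROR_MAP.get(kind, (500, "InternalError"))
    request_id = request_id or str(uuid.uuid4())
    if status >= 500:
        # Full detail stays in the server log, keyed by request ID.
        # %r keeps newlines in the detail from forging extra log lines.
        log.error("request_id=%s kind=%s detail=%r", request_id, kind, detail)
        message = GENERIC_5XX[code]
    else:
        # 4xx: descriptive message, escaped so it cannot break the XML body.
        message = detail
    body = (
        "<Error>\n"
        f"  <Code>{escape(code)}</Code>\n"
        f"  <Message>{escape(message)}</Message>\n"
        f"  <RequestId>{escape(request_id)}</RequestId>\n"
        "</Error>"
    )
    return status, body, request_id
```

The request ID returned to the client is the same one written to the log line, so an operator can look up the full 5xx detail from a client report.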