Permission and policy denials after identity has been authenticated.
Last reviewed: March 6, 2026 | 11 mapped errors
Authorization errors indicate that caller identity is known, but effective policy evaluation denies the requested action at the current scope.
Provider-specific error pages mapped to this category (11 total).
AWS AccessDenied usually means AWS authenticated the caller, then denied a specific action on a specific ARN after evaluating IAM, SCP, trust, boundary, session, or resource policy layers.
Amazon S3 BucketAlreadyExists means a CreateBucket request used a bucket name that is already allocated in the global S3 namespace, usually by another AWS account.
AWS DryRunOperation means a request submitted with the dry-run flag would have succeeded if executed for real. The operation was not performed and no resources were created or modified, but the IAM permissions and request parameters were valid.
AWS OptInRequired (Opt In Required) means the account or access key is not subscribed/opted in to the target AWS service. AWS common errors define it as "the AWS access key ID needs a subscription for the service" (HTTP 403).
Azure AADSTS50158 indicates that Microsoft Entra ID requires an additional authentication challenge from an external federated provider, such as Okta, Duo, Ping, or AD FS, before sign-in can complete.
Azure AADSTS90093 is an administrative-approval failure. It indicates that the application is requesting high-privilege API scopes, such as `Directory.Read.All`, or that tenant policy forbids standard users from granting consent to any application.
Azure returns `Forbidden` (403) when the caller is authenticated but blocked by authorization, policy, or service-level access controls.
GCP PERMISSION_DENIED means Google Cloud accepted the caller identity, then denied a named permission on a fully qualified resource after evaluating IAM allow, deny, and boundary controls.
HTTP 403 Forbidden means the server understood the request and often knows who the caller is, but policy or business rules still block this action on the target resource.
HTTP 417 Expectation Failed means the server cannot meet the requirement expressed in the Expect request header.
HTTP 425 Too Early means the server is unwilling to process a request that could be replayed.
Compare Guide: Fix 401 Unauthorized vs 403 Forbidden by separating authentication failures from authorization denials, then apply the right login or permission fix fast.
Compare Guide: Use 403 for explicit access denial, or 404 to conceal resource existence when security policy requires reducing endpoint and object enumeration risk.
Compare Guide: Compare AWS AccessDenied and GCP PERMISSION_DENIED to isolate authorization deny layers, separate auth failures, and apply precise IAM fixes fast.
Playbook: Use this playbook to triage policy-based access denials after authentication succeeds, isolate the deny layer, and apply least-privilege remediation safely.
Yes. Authentication proves identity, but authorization evaluates what that identity can do. Valid identity can still be denied by policy scope or explicit deny.
Rotating credentials before checking policy decisions. Most 403-like incidents are policy or scope problems, not token cryptography failures.
Audit policy evaluation by scope order (organization/account/project/resource) and log the first explicit deny source for each failed request.