Error Code Reference
Comprehensive reference for HTTP status codes and cloud provider error codes.
HTTP
4848 error codes available
AWS
9090 error codes available
Azure
4343 error codes available
GCP
1818 error codes available
All Error Codes
Multiple Choices
Seeing a 300 Multiple Choices means the server found multiple representations of the resource and can't decide which one to return—different formats, languages, or versions are available. This client-side informational response (3xx) requires the client to choose. Most common when content negotiation offers multiple options, but also appears when resources exist in multiple formats, servers provide multiple versions, or Accept headers match several variants.
Moved Permanently
Getting a 301 Moved Permanently means the resource has permanently moved to a new URL—the Location header shows where it went, and you should update all references to use the new URL permanently. This client-side redirect (3xx) tells browsers and search engines the old URL is obsolete. Most common when APIs migrate endpoints, domains change, or URL structures are restructured, but also appears when resources are permanently relocated, old URLs are deprecated, or permanent redirects are configured.
Found
Seeing a 302 Found means the resource temporarily moved to a new URL—follow the Location header for this request, but keep using the original URL for future requests since it's temporary. This client-side redirect (3xx) is the classic temporary redirect, though browsers often change POST to GET. Most common when resources are temporarily relocated, maintenance mode redirects users, or A/B testing routes traffic, but also appears when temporary redirects are configured, maintenance windows redirect, or temporary location changes occur.
See Other
Getting a 303 See Other means the server wants you to fetch the result of your POST/PUT/DELETE operation using GET at a different URL—the Location header shows where to get the result, and you must use GET even if the original request was POST. This client-side redirect (3xx) is designed for POST-after-GET patterns. Most common after form submissions when results are available elsewhere, but also appears when POST operations redirect to result pages, form submissions redirect to confirmation pages, or operations redirect to status pages.
Not Modified
Getting a 304 Not Modified means the resource hasn't changed since your last request—the ETag or Last-Modified timestamp matches, so you can use your cached version. This client-side informational response (3xx) saves bandwidth by not sending the full response. Most common when conditional requests use If-None-Match or If-Modified-Since, but also appears when cached resources are still valid, ETags match, or Last-Modified timestamps are unchanged.
Use Proxy
Seeing a 305 Use Proxy means the server wants you to access the resource through a proxy specified in the Location header—this status code is deprecated and rarely used in modern web development. This client-side redirect (3xx) was meant for proxy configuration but is obsolete. Most common in legacy systems, but modern applications should use 307 or 308 redirects instead, or configure proxies directly without this status code.
Temporary Redirect
Getting a 307 Temporary Redirect means the resource temporarily moved to a new URL—follow the Location header using the same HTTP method (POST stays POST, PUT stays PUT). This client-side redirect (3xx) preserves the request method, unlike 302 which browsers may change POST to GET. Most common when resources are temporarily relocated and method must be preserved, but also appears when maintenance mode redirects, load balancing routes traffic, or temporary location changes occur.
Permanent Redirect
Getting a 308 Permanent Redirect means the resource permanently moved to a new URL—follow the Location header using the same HTTP method (POST stays POST, PUT stays PUT) and update all references permanently. This client-side redirect (3xx) is like 301 but preserves the request method. Most common when APIs permanently migrate endpoints and method must be preserved, but also appears when domains permanently change, URL structures are permanently restructured, or permanent redirects with method preservation are needed.
Bad Request
Seeing a 400 Bad Request means the server rejected your request because it's malformed—invalid JSON syntax, missing required fields, or parameters that violate validation rules. This client-side error (4xx) happens when the browser or API client sends data the server can't parse or validate. Most common in API calls where JSON payloads have syntax errors, but also appears when form submissions miss required fields or URLs contain invalid query parameters.
Unauthorized
Hitting a 401 Unauthorized means the server rejected your request because authentication is required—missing Authorization header, expired JWT token, or invalid credentials. This client-side error (4xx) occurs when the server can't verify your identity. Most common in API calls where Bearer tokens are missing or expired, but also appears when session cookies expire or login credentials are incorrect.
Payment Required
Hitting a 402 Payment Required means the server requires payment to access the resource—subscription expired, credit limit reached, or payment method failed. This client-side error (4xx) is reserved for future use but commonly implemented by APIs requiring payment. Most common when accessing premium content without active subscription, but also appears when free tier limits are exceeded, payment methods are invalid, or billing issues block access.
Forbidden
Getting a 403 Forbidden means the server knows who you are (unlike 401) but explicitly denies access—your user lacks permissions, the resource is restricted, or IP-based access control blocked you. This client-side error (4xx) happens after authentication succeeds but authorization fails. Most common when authenticated users try to access admin-only resources, but also appears when geographic restrictions, rate limiting, or firewall rules block requests.
Not Found
Seeing a 404 Not Found means the server couldn't locate the resource—wrong URL, deleted endpoint, typo in the path, or route handler doesn't exist. This client-side error (4xx) occurs when the request reaches the server but no route matches. Most common when API endpoints are misspelled or resources are deleted, but also appears when frontend routes don't match backend routes or HTTP methods are incorrect.
Method Not Allowed
Getting a 405 Method Not Allowed means you're using the wrong HTTP method—trying to DELETE on a GET-only endpoint, POST on a read-only route, or the server doesn't support that method for that path. This client-side error (4xx) happens when the route exists but the method is invalid. Most common when REST API conventions are violated (GET for updates), but also appears when CORS preflight OPTIONS requests aren't handled or methods are disabled by configuration.
Not Acceptable
Getting a 406 Not Acceptable means the server can't produce a response in any format your Accept header requests—asking for application/xml when the server only serves JSON, or requesting a language/encoding the server doesn't support. This client-side error (4xx) happens when content negotiation fails. Most common when Accept headers request unsupported MIME types, but also appears when language preferences (Accept-Language) aren't available, character encodings (Accept-Encoding) are unsupported, or quality values (q=) prioritize unavailable formats.
Proxy Authentication Required
Getting a 407 Proxy Authentication Required means the proxy server needs authentication before forwarding your request—similar to 401 but for proxy-level authentication. This client-side error (4xx) happens when corporate proxies, VPN gateways, or network proxies require credentials. Most common in enterprise networks with authenticated proxies, but also appears when proxy credentials expire, Proxy-Authorization headers are missing, or proxy configuration is incorrect.
Request Timeout
Getting a 408 Request Timeout means the server stopped waiting for your request—the client took too long to send the complete request body, network latency delayed transmission, or the server's timeout is too aggressive. This client-side error (4xx) happens when the server closes the connection because the request headers or body didn't arrive within the allowed window. Most common during large file uploads without proper streaming, but also appears when slow network connections, client-side processing delays, or aggressive server timeout configurations cut requests short.
Conflict
Hitting a 409 Conflict means your request collided with the server's current state—another process modified the resource, you tried to create a duplicate, or the operation conflicts with an in-progress transaction. This client-side error (4xx) happens when optimistic concurrency control detects state changes or business rules prevent the operation. Most common during concurrent edits where multiple users update the same resource, but also appears when creating resources with unique constraints, attempting state transitions that aren't allowed, or database transaction conflicts.
Gone
Seeing a 410 Gone means the resource was permanently deleted and won't come back—unlike 404 (might exist elsewhere), this explicitly signals intentional, permanent removal. This client-side error (4xx) happens when servers want to distinguish between "not found" (404) and "was here, now deleted forever" (410). Most common when users delete content, temporary resources expire, or URLs are intentionally removed, but also appears in APIs that implement soft-delete workflows or resource lifecycle management.
Length Required
Getting a 411 Length Required means the server needs a Content-Length header but your request doesn't include one—the server can't determine request body size upfront and refuses to accept chunked encoding or streams without explicit length. This client-side error (4xx) happens when servers require knowing payload size before processing. Most common in upload endpoints that validate size limits, but also appears when servers don't support Transfer-Encoding: chunked or need Content-Length for security/validation checks.
Precondition Failed
Hitting a 412 Precondition Failed means your conditional request headers (If-Match, If-None-Match, If-Modified-Since, If-Unmodified-Since) didn't match the server's current resource state—the ETag changed, the resource was modified, or the version check failed. This client-side error (4xx) happens when optimistic concurrency control validates request preconditions and they fail. Most common during concurrent edits where your If-Match ETag is stale, but also appears when conditional GET requests use If-None-Match to check cache validity or If-Modified-Since to verify freshness.
Payload Too Large
Getting a 413 Payload Too Large means your request body exceeds the server's size limits—file upload too big, JSON payload exceeds max size, or multiple large files in one request hit the configured ceiling. This client-side error (4xx) happens when servers enforce request body size limits to prevent resource exhaustion. Most common during file uploads that exceed limits, but also appears when API clients send large JSON payloads, batch operations include too many items, or uncompressed data could be compressed.
URI Too Long
Seeing a 414 URI Too Long means your URL exceeded the server's maximum length limit—too many query parameters, large data embedded in the path, or deeply nested routes pushed the URL past acceptable boundaries. This client-side error (4xx) happens when servers enforce URI length limits (typically 2048-8192 characters) to prevent buffer overflows and performance issues. Most common when GET requests include large arrays or objects in query strings, but also appears when filters/search parameters accumulate, base64-encoded data ends up in URLs, or path parameters become excessively long.
Unsupported Media Type
Getting a 415 Unsupported Media Type means the server rejected your request because the Content-Type header doesn't match what the endpoint accepts—sending JSON when it expects XML, uploading a file format the server can't process, or missing the Content-Type header entirely. This client-side error (4xx) happens when servers validate request media types before processing. Most common when file uploads use wrong MIME types or API calls send data in unsupported formats, but also appears when Accept headers request formats the server doesn't support or Content-Type is missing or malformed.
Range Not Satisfiable
Hitting a 416 Range Not Satisfiable means your Range header requested bytes outside the file's actual size—asking for bytes 1000-2000 on a 500-byte file, or the range format is invalid. This client-side error (4xx) happens when servers validate Range headers for partial content requests. Most common during video streaming or large file downloads where range calculations are wrong, but also appears when file sizes change between requests, range syntax is malformed, or multiple overlapping ranges confuse the server.
Expectation Failed
Getting a 417 Expectation Failed means the server couldn't meet the requirement in your Expect header—most commonly "Expect: 100-continue" where the server refuses to send a 100 Continue response before processing the request body. This client-side error (4xx) happens when servers reject expectation headers they don't support or can't fulfill. Most common when clients send Expect: 100-continue for large uploads but the server doesn't support it, but also appears when custom expectation values are unsupported, servers explicitly reject expectations, or proxy servers strip Expect headers.
I'm a Teapot
Hitting a 418 I'm a Teapot is a joke status code from RFC 2324 (Hyper Text Coffee Pot Control Protocol)—the server is humorously refusing to brew coffee because it identifies as a teapot. This client-side error (4xx) is intentionally whimsical and often used for testing, Easter eggs, or API humor. Most common when accessing joke endpoints or test routes, but also appears when developers implement RFC 2324 compliance, April Fools' pranks, or intentional API easter eggs.
Misdirected Request
Getting a 421 Misdirected Request means the request reached a server that can't handle it for the given scheme and authority—HTTP/2 requests hitting a server configured for different virtual hosts, or requests sent to the wrong server instance. This client-side error (4xx) happens when servers reject requests they're not configured to handle. Most common in HTTP/2 environments where requests are misrouted, but also appears when virtual host configurations don't match, load balancers route incorrectly, or DNS points to wrong servers.
Unprocessable Entity
Getting a 422 Unprocessable Entity means your request syntax is valid (unlike 400) but the data violates business rules or validation constraints—email format is wrong, required relationships are missing, or values break domain-specific rules. This client-side error (4xx) happens when servers validate request semantics after parsing succeeds. Most common in API calls where data passes JSON validation but fails business logic (e.g., duplicate email, invalid date ranges), but also appears when nested resources don't exist, foreign key constraints fail, or custom validation rules reject the data.
Locked
Hitting a 423 Locked means the resource is currently locked by another process or user—a file is in use, a database record has an active lock, or concurrent access is blocked. This client-side error (4xx) happens when servers enforce resource locking to prevent conflicts. Most common in WebDAV operations or file systems, but also appears when database transactions lock records, concurrent edits are prevented, or distributed locks are active.
Failed Dependency
Getting a 424 Failed Dependency means the operation failed because a required dependency operation failed—creating an order item when the order doesn't exist, or a nested operation in a batch request failed. This client-side error (4xx) is common in WebDAV but also appears in REST APIs with dependencies. Most common when creating nested resources where the parent fails, but also appears when batch operations have partial failures, transaction dependencies fail, or prerequisite operations don't complete.
Too Early
Hitting a 425 Too Early means the server rejected your request because it might be a replay attack—the request arrived too early in a timing window, or replay protection detected a potential duplicate. This client-side error (4xx) is used in HTTP/2 Server Push and HTTP/3 to prevent replay attacks. Most common when requests are sent too quickly after a previous request, but also appears when timing windows are violated, nonces are reused, or replay protection mechanisms trigger.
Upgrade Required
Hitting a 426 Upgrade Required means the server refuses your request because it requires a protocol upgrade—using HTTP/1.0 when the server needs HTTP/1.1, or trying HTTP when HTTPS is mandatory. This client-side error (4xx) happens when servers enforce minimum protocol versions. Most common when legacy clients use HTTP/1.0 on servers requiring HTTP/1.1, but also appears when servers require TLS upgrades, WebSocket upgrades are mandatory, or security policies enforce protocol minimums.
Precondition Required
Getting a 428 Precondition Required means the server requires conditional headers (If-Match, If-None-Match, If-Modified-Since, If-Unmodified-Since) but your request doesn't include them—the server enforces optimistic concurrency control and won't process requests without version checks. This client-side error (4xx) happens when servers mandate conditional requests to prevent lost updates. Most common when updating resources without ETag validation, but also appears when servers require If-Match for all modifications, delete operations need conditional headers, or security policies enforce version checks.
Too Many Requests
Hitting a 429 Too Many Requests means you've exceeded the rate limit—too many API calls in a time window, API quota exhausted, or DDoS protection triggered throttling. This client-side error (4xx) happens when servers enforce rate limiting to prevent abuse and ensure fair resource usage. Most common when clients make rapid-fire requests without throttling, but also appears when API quotas are reached, retry loops create request storms, or traffic spikes trigger automatic rate limiting.
Request Header Fields Too Large
Getting a 431 Request Header Fields Too Large means your request headers exceeded the server's size limit—too many cookies, large custom headers, or cumulative header size is too big. This client-side error (4xx) happens when servers enforce header size limits (typically 8-16KB) to prevent buffer overflows. Most common when Cookie headers accumulate and grow large, but also appears when custom headers contain too much data, multiple authentication tokens are sent, or debug headers add excessive size.
Unavailable For Legal Reasons
Hitting a 451 Unavailable For Legal Reasons means the server blocked access due to legal requirements—government censorship, DMCA takedown, geographic restrictions, or court orders. This client-side error (4xx) is a reference to Ray Bradbury's "Fahrenheit 451" and indicates legal compliance blocking. Most common when content is geo-blocked in certain regions, but also appears when DMCA takedowns remove content, government censorship blocks access, or legal compliance requires content removal.
Internal Server Error
Seeing a 500 Internal Server Error means the server crashed or encountered an unexpected condition—unhandled exceptions, database connection failures, memory exhaustion, or configuration mistakes. This server-side error (5xx) indicates the server failed, not your request. Most common when application code throws uncaught exceptions, but also appears when database connections fail, memory runs out, environment variables are missing, or server configuration is broken.
Not Implemented
Getting a 501 Not Implemented means the server doesn't support the HTTP method or feature you're requesting—trying PATCH on a server that only supports GET/POST, or requesting HTTP/2 features on an HTTP/1.1-only server. This server-side error (5xx) indicates a permanent limitation, not a temporary issue. Most common when using modern HTTP methods (PATCH, DELETE) on legacy servers, but also appears when requesting unsupported protocol features, WebDAV operations on non-WebDAV servers, or experimental HTTP extensions.
Bad Gateway
Getting a 502 Bad Gateway means the gateway or proxy server received an invalid response from the upstream server—the backend crashed, returned malformed data, or closed the connection unexpectedly. This server-side error (5xx) happens when infrastructure (load balancer, reverse proxy, API gateway) can't get a valid response from the application server. Most common when the backend application crashes or times out, but also appears when upstream servers return invalid HTTP responses, network issues break connections mid-request, or the backend is overloaded and can't respond.
Service Unavailable
Hitting a 503 Service Unavailable means the server is temporarily unable to handle requests—it's overloaded, under maintenance, or resources are exhausted. This server-side error (5xx) indicates a temporary condition that should resolve. Most common during traffic spikes that overwhelm the server, but also appears when maintenance mode is enabled, database connection pools are exhausted, or the server is scaling up to handle load.
Gateway Timeout
Getting a 504 Gateway Timeout means the gateway or proxy waited too long for the upstream server to respond—the backend took longer than the gateway's timeout, the request is still processing, or the backend is hung. This server-side error (5xx) happens when infrastructure (load balancer, reverse proxy) times out waiting for the application server. Most common when backend operations are slow (database queries, external API calls), but also appears when gateway timeout settings are too aggressive, network latency is high, or the backend is overloaded and can't respond in time.
HTTP Version Not Supported
Hitting a 505 HTTP Version Not Supported means the server doesn't support the HTTP protocol version you're using—requesting HTTP/2 or HTTP/3 on a server that only supports HTTP/1.1, or using an experimental version the server rejects. This server-side error (5xx) indicates a permanent protocol limitation. Most common when clients force HTTP/2 or HTTP/3 on legacy servers, but also appears when protocol negotiation fails, servers explicitly reject certain versions, or infrastructure doesn't support newer protocols.
Variant Also Negotiates
Getting a 506 Variant Also Negotiates means the server has a configuration error where a variant resource is trying to negotiate its own content, creating a negotiation loop. This server-side error (5xx) indicates an internal server misconfiguration, not a client problem. Most common when content negotiation is misconfigured, but also appears when variant resources are set up incorrectly, negotiation loops occur, or server configuration conflicts create recursive negotiation.
Insufficient Storage
Getting a 507 Insufficient Storage means the server ran out of disk space or hit storage quotas—the file system is full, storage quota exceeded, or there's no room to save uploaded files or generated data. This server-side error (5xx) happens when servers can't write data due to storage limits. Most common during large file uploads when disk space is exhausted, but also appears when log files fill up the disk, database storage quotas are reached, or temporary file storage runs out.
Loop Detected
Hitting a 508 Loop Detected means the server found an infinite loop while processing your request—circular references in resource structures, recursive operations that never terminate, or WebDAV depth infinity requests that create loops. This server-side error (5xx) happens when server logic detects it's stuck in a loop. Most common in WebDAV PROPFIND requests with depth infinity on circular structures, but also appears when recursive operations hit circular references, resource trees have cycles, or server processing logic creates loops.
Not Extended
Getting a 510 Not Extended means the server needs additional protocol extensions to process your request—the Require header lists extensions that must be included. This client-side error (4xx) happens when servers mandate specific HTTP extensions. Most common when servers require experimental or custom extensions, but also appears when protocol extensions are mandatory, extension negotiation fails, or servers enforce extension requirements.
Network Authentication Required
Hitting a 511 Network Authentication Required means you need to authenticate with the network before accessing the internet—captive portals in hotels, airports, or public Wi-Fi require login or terms acceptance. This client-side error (4xx) happens when network infrastructure intercepts requests to force authentication. Most common when connecting to public Wi-Fi that requires login, but also appears when corporate networks require authentication, terms of service must be accepted, or network access control (NAC) systems block unauthenticated devices.
Access Denied
Getting hit with an **AccessDenied** error usually means your IAM User or Role lacks the specific JSON policy required to perform the action—the policy might be missing the exact Action, Resource ARN, or Condition needed. This client-side error (4xx) happens when AWS evaluates your IAM policies and denies access. Most common when IAM policies don't grant the specific permission, but also appears when Service Control Policies (SCPs) block actions, resource-based policies deny access, Security Groups block network access, or VPC endpoints aren't configured correctly.
Invalid Parameter Value
Hitting an **InvalidParameterValue** error means one of your API parameters has the wrong format, is out of range, or violates AWS service constraints—EC2 instance types must be valid, S3 bucket names must follow naming rules, or IAM role names must match patterns. This client-side error (4xx) happens when AWS validates your request parameters before processing. Most common when EC2 instance types are invalid, S3 bucket names violate rules, or IAM resource names don't match patterns, but also appears when parameter values exceed limits, unsupported combinations are used, or data types don't match expected formats.
Bucket Already Exists
Hitting a **BucketAlreadyExists** error means your S3 bucket name is already taken globally—S3 bucket names are unique across all AWS accounts worldwide, so someone else already claimed that name. This client-side error (4xx) happens when AWS validates bucket name uniqueness. Most common when bucket names are too generic, but also appears when recently deleted buckets are still in the 90-day deletion grace period, bucket names violate S3 naming rules, or you're trying to create a bucket that already exists in your account.
No Such Bucket
Getting a **NoSuchBucket** error means the S3 bucket you're trying to access doesn't exist in your AWS account, or you don't have permission to see it—the bucket might have been deleted, the name is misspelled, or it's in a different region. This client-side error (4xx) happens when AWS can't find the bucket. Most common when bucket names have typos, but also appears when buckets were deleted, buckets are in different regions, IAM policies don't grant ListBucket permission, or you're accessing a bucket from another account without proper permissions.
No Such Key
Hitting a **NoSuchKey** error means the S3 object (file) you're trying to access doesn't exist at that key path in the bucket—the object might have been deleted, the key path is misspelled, or it's in a different folder. This client-side error (4xx) happens when AWS can't find the object at the specified key. Most common when object keys have typos, but also appears when objects were deleted, keys have incorrect paths, case sensitivity doesn't match, or objects are in different prefixes/folders.
Invalid Access Key ID
Getting an **InvalidAccessKeyId** error means your AWS Access Key ID doesn't exist in AWS—the key might have been deleted, it's misspelled, or it belongs to a different AWS account. This client-side error (4xx) happens when AWS can't find the access key in its records. Most common when access keys are deleted or rotated, but also appears when credentials are misconfigured, access keys are deactivated, or there's a typo in the key ID.
Signature Does Not Match
Getting a **SignatureDoesNotMatch** error means AWS calculated a different request signature than what you sent—your Secret Access Key is wrong, system clock is skewed, or the request was modified after signing. This client-side error (4xx) happens when AWS validates request signatures using Signature Version 4. Most common when Secret Access Keys are incorrect, but also appears when system clocks are out of sync (more than 15 minutes), requests are modified after signing, regions don't match, or signing algorithms are wrong.
Throttling Exception
Hitting a **Throttling** error means AWS is rate-limiting your requests—you're making too many API calls too quickly, exceeding service quotas, or exhausting burst capacity. This client-side error (4xx) happens when AWS enforces rate limits to protect service stability. Most common when DynamoDB, S3, or EC2 APIs are called too rapidly, but also appears when Service Quotas are exceeded, burst capacity is exhausted, or account-level throttling is active.
Resource Not Found
Getting a **ResourceNotFoundException** means the AWS resource you're trying to access doesn't exist—the resource ID is wrong, it was deleted, or it's in a different region/account. This client-side error (4xx) is common across DynamoDB, Lambda, EC2, and other AWS services. Most common when resource IDs have typos, but also appears when resources were deleted, resources are in different regions, resources belong to different accounts, or IAM policies don't grant List permissions to see the resource.
Invalid Parameter
Hitting an **InvalidParameter** error means one of your API parameters has the wrong name, type, or value—parameter names must match AWS API exactly, types must be correct (string vs number), and values must be valid. This client-side error (4xx) happens when AWS validates request parameters. Most common when parameter names are misspelled, but also appears when parameter types are wrong, required parameters are missing, parameter values are invalid, or unsupported parameter combinations are used.
Limit Exceeded
Hitting a **LimitExceededException** means your request would exceed AWS Service Quotas—you've reached the maximum number of resources, operations, or concurrent actions allowed for your account. This client-side error (4xx) happens when AWS enforces account-level or service-level limits. Most common when creating too many EC2 instances, DynamoDB tables, or IAM roles, but also appears when Service Quotas (formerly soft limits) are exceeded, concurrent operation limits are hit, or account-level resource caps are reached.
Insufficient Capacity
Getting an **InsufficientCapacityException** means AWS doesn't have enough physical capacity in the requested Availability Zone to launch your EC2 instance—the specific instance type or zone is temporarily out of capacity. This client-side error (4xx) happens when AWS can't allocate hardware resources. Most common when launching EC2 instances in popular zones, but also appears when specific instance types are unavailable, regions have capacity constraints, Spot instances have no capacity, or temporary capacity issues occur.
Invalid User ID Not Found
Getting an **InvalidUserID.NotFound** error means the IAM User ID you're referencing doesn't exist in your AWS account—the user might have been deleted, the ID is misspelled, or it belongs to a different account. This client-side error (4xx) happens when AWS can't find the user by ID. Most common when IAM users are deleted, but also appears when user IDs are misspelled, users are in different accounts, user ID format is invalid, or IAM policies reference non-existent users.
Malformed Query String
Hitting a **MalformedQueryString** error means your AWS API request has invalid query string syntax—special characters aren't URL-encoded, parameters are duplicated, or the query format violates AWS API requirements. This client-side error (4xx) happens when AWS parses query parameters. Most common when building S3 presigned URLs or API Gateway requests manually, but also appears when query parameters have unencoded special characters, duplicate parameter names exist, or query string syntax is invalid.
Request Expired
Getting a **RequestExpired** error means your S3 presigned URL or AWS request has passed its expiration time—presigned URLs typically expire after 1 hour (default) or the time you specified, and AWS requests expire if the timestamp is more than 15 minutes old. This client-side error (4xx) happens when AWS validates request timestamps. Most common when S3 presigned URLs expire, but also appears when system clocks are skewed, request timestamps are too old, or expiration times are set too short.
Service Unavailable
Hitting a **ServiceUnavailable** error means the AWS service is temporarily down or overloaded—this is a server-side issue (5xx) that usually resolves with retries. This server-side error happens when AWS services are experiencing outages, maintenance, or capacity issues. Most common during AWS service outages, but also appears when services are in maintenance mode, regions are experiencing issues, services are overloaded, or temporary capacity constraints occur.
Validation Exception
Getting a **ValidationException** means your input data failed AWS service validation—DynamoDB items violate schema constraints, Lambda function code has errors, or IAM policy documents have syntax issues. This client-side error (4xx) happens when AWS validates request data before processing. Most common when DynamoDB item attributes don't match table schema, but also appears when Lambda function code is invalid, IAM policy JSON is malformed, or input values violate service constraints.
Bucket Already Owned By You
Getting a **BucketAlreadyOwnedByYou** error means the S3 bucket name you're trying to create already exists in your AWS account—you own this bucket, so you can't create another with the same name. This client-side error (4xx) happens when AWS checks bucket name uniqueness within your account. Most common when bucket names are reused, but also appears when buckets weren't fully deleted, bucket deletion is still in progress (90-day grace period), or you're trying to recreate a bucket you already own.
Invalid Bucket Name
Hitting an **InvalidBucketName** error means your S3 bucket name violates AWS naming rules—bucket names must be 3-63 characters, lowercase, alphanumeric with hyphens, and globally unique. This client-side error (4xx) happens when AWS validates bucket name format. Most common when bucket names have uppercase letters or invalid characters, but also appears when names are too short/long, names look like IP addresses, names have consecutive dots, or reserved names are used.
No Such Entity
Getting a **NoSuchEntity** error means the IAM entity (user, role, policy, or group) you're referencing doesn't exist in your AWS account—the entity might have been deleted, the name is misspelled, or it belongs to a different account. This client-side error (4xx) is common in IAM operations. Most common when IAM users or roles are deleted, but also appears when entity names are misspelled, entities are in different accounts, entity IDs are wrong, or IAM policies reference non-existent entities.
Invalid Client Token ID
Getting an **InvalidClientTokenId** error means your AWS security token (Access Key ID) is invalid or doesn't exist—the token might have been deleted, rotated, or belongs to a different AWS account. This client-side error (4xx) happens when AWS validates request tokens. Most common when IAM access keys are deleted or rotated, but also appears when credentials are misconfigured, tokens are expired, credentials files are corrupted, or you're using credentials from the wrong AWS account.
Missing Parameter
Hitting a **MissingParameter** error means your AWS API request is missing a required parameter—AWS usually specifies which parameter is missing in the error message. This client-side error (4xx) happens when AWS validates request parameters. Most common when EC2 run-instances is missing ImageId or InstanceType, but also appears when parameter names are misspelled, nested parameters are missing, conditional parameters are required but not provided, or parameters are in the wrong location in the request.
Service Quota Exceeded
Hitting a **ServiceQuotaExceededException** means your request would exceed an AWS Service Quota (formerly soft limits)—you've reached the maximum allowed for a specific service quota like EC2 instances, DynamoDB tables, or IAM roles. This client-side error (4xx) happens when AWS enforces service quotas. Most common when creating too many EC2 instances or DynamoDB tables, but also appears when regional quotas are exceeded, account-level quotas are hit, or quotas haven't been increased from defaults.
Service Unavailable
Getting an **Unavailable** error means the AWS service is temporarily down or overloaded—this is a server-side issue (5xx) that usually resolves with retries. This server-side error happens when AWS services are experiencing outages, maintenance, or capacity issues. Most common during AWS service outages, but also appears when services are in maintenance mode, regions are experiencing issues, services are overloaded, or temporary capacity constraints occur.
Invalid Action
Hitting an **InvalidAction** error means the AWS API action you're trying to call doesn't exist or isn't supported by that service—the action name might be misspelled, it's not available for that service, or there's an API version mismatch. This client-side error (4xx) happens when AWS validates action names. Most common when action names are misspelled, but also appears when actions aren't supported by the service, actions are called on wrong services, API versions don't match, or service endpoints are incorrect.
Invalid Request
Getting an **InvalidRequest** error means your AWS API request has invalid structure or format—the request might be malformed, missing required elements, or have syntax errors. This client-side error (4xx) happens when AWS validates request structure. Most common when JSON request bodies are malformed, but also appears when request structure is invalid, required elements are missing, request format doesn't match API requirements, or request validation fails.
Opt In Required
Getting an **OptInRequired** error means you need to opt in to an AWS service or feature before using it—some AWS services require explicit opt-in, especially new regions, Local Zones, Wavelength Zones, or certain features. This client-side error (4xx) happens when AWS requires explicit acceptance. Most common when using new AWS regions, but also appears when Local Zones require opt-in, Wavelength Zones need activation, certain features require acceptance, or service agreements haven't been completed.
Account Problem
Getting an **AccountProblem** error means there's an issue with your AWS account that's blocking operations—your account might be suspended, payment method declined, or verification incomplete. This client-side error (4xx) happens when AWS validates account status. Most common when payment methods are declined, but also appears when accounts are suspended, account verification is incomplete, billing problems prevent operations, or account service limits are reached.
Ambiguous Grant By Email Address
Getting an **AmbiguousGrantByEmailAddress** error means the email address you're using in an IAM policy grant is associated with multiple AWS accounts—AWS can't determine which account you mean, so you must specify the account ID explicitly. This client-side error (4xx) happens when AWS evaluates IAM policy grants. Most common when S3 bucket policies grant access by email, but also appears when IAM policies reference users by email across multiple accounts, cross-account grants use email addresses, or account identifiers are missing from grants.
Bad Digest
Getting a **BadDigest** error means the Content-MD5 hash you sent doesn't match what AWS calculated from the uploaded data—the file was corrupted during transmission, the MD5 hash was calculated incorrectly, or the file was modified after hashing. This client-side error (4xx) happens when AWS validates data integrity using MD5 checksums. Most common when uploading S3 objects with Content-MD5 headers, but also appears when data corruption occurs during upload, MD5 hashes are calculated incorrectly, network transmission errors corrupt data, or files are modified after hashing.
Credentials Not Supported
Getting a **CredentialsNotSupported** error means the AWS service doesn't accept the credential type you're using—some operations require specific authentication methods like IAM roles, while others accept access keys. This client-side error (4xx) happens when AWS validates credential types. Most common when using access keys for operations that require IAM roles, but also appears when credential formats are incorrect, services have specific authentication requirements, authentication methods don't match service expectations, or temporary credentials aren't supported for the operation.
Cross Location Logging Prohibited
Hitting a **CrossLocationLoggingProhibited** error means you're trying to configure S3 bucket logging where the source bucket and logging bucket are in different AWS regions—S3 requires both buckets to be in the same region for logging. This client-side error (4xx) happens when AWS validates S3 logging configuration. Most common when source and logging buckets are in different regions, but also appears when cross-region logging is attempted, geographic location mismatch occurs, or logging configuration violates S3 region rules.
Entity Too Large
Hitting an **EntityTooLarge** error means your S3 upload exceeds the 5TB maximum object size limit—S3 allows single objects up to 5TB, but for files larger than 5GB, you should use multipart upload. This client-side error (4xx) happens when AWS validates upload size. Most common when uploading very large files as single objects, but also appears when object size exceeds 5TB limit, files are too large for single upload, or upload size violates S3 limits.
Entity Too Small
Getting an **EntityTooSmall** error means a multipart upload part is smaller than the 5MB minimum—S3 requires each part (except the last) to be at least 5MB. This client-side error (4xx) happens when AWS validates multipart upload part sizes. Most common when multipart chunk size is set too small, but also appears when part sizes are less than 5MB (except last part), minimum part size is violated, or incorrect multipart chunk size is configured.
Expired Token
Getting an **ExpiredToken** error means your temporary AWS credentials (session token) have expired—temporary credentials from STS, IAM roles, or assume role operations expire after a set time period (typically 1 hour, max 12 hours). This client-side error (4xx) happens when AWS validates credential expiration. Most common when temporary credentials expire after 1 hour, but also appears when session tokens expire, STS token expiration time passes, IAM role sessions expire, or token expiration time is reached.
Illegal Versioning Configuration
Hitting an **IllegalVersioningConfigurationException** means your S3 bucket versioning configuration is invalid—the versioning settings might conflict, MFA delete configuration is incorrect, or versioning state transition is invalid. This client-side error (4xx) happens when AWS validates S3 versioning configuration. Most common when MFA delete configuration is incorrect, but also appears when versioning configuration parameters are invalid, conflicting versioning settings exist, versioning state conflicts occur, or invalid versioning transitions are attempted.
Incomplete Body
Getting an **IncompleteBody** error means the Content-Length HTTP header doesn't match the actual request body size—the body is incomplete, truncated, or the header value is wrong. This client-side error (4xx) happens when AWS validates request body completeness. Most common when Content-Length header is incorrect, but also appears when request body is incomplete or truncated, network interruptions occur during upload, body size mismatches the header, or uploads terminate early.
Incorrect Number of Files in POST Request
Hitting an **IncorrectNumberOfFilesInPostRequest** error means your POST request has zero files or more than one file—S3 presigned POST requires exactly one file per request. This client-side error (4xx) happens when AWS validates POST request file count. Most common when no file is provided, but also appears when multiple files are included in a single POST, file field is missing from form data, form data structure is incorrect, or POST request format is invalid.
Inline Data Too Large
Getting an **InlineDataTooLarge** error means you're trying to embed file data directly in the request body, but it exceeds the inline data size limit—for large files, you should use multipart upload or presigned URLs instead of inline embedding. This client-side error (4xx) happens when AWS validates inline data size. Most common when large files are embedded in request bodies, but also appears when inline data exceeds size limits, request body is too large for inline upload, or large files are included directly in requests.
Internal Error
Getting an **InternalError** means AWS encountered an internal service error—this is a server-side issue (5xx) that's usually temporary and resolves with retries. This server-side error happens when AWS services experience internal failures. Most common during temporary service issues, but also appears when backend processing errors occur, services are temporarily unavailable, internal system failures happen, or AWS infrastructure experiences problems.
Invalid Addressing Header
Getting an **InvalidAddressingHeader** error means the HTTP addressing headers in your AWS API request are invalid or malformed—headers like Host, X-Amz-Date, or X-Amz-Target don't match AWS requirements. This client-side error (4xx) happens when AWS validates request headers. Most common when making direct HTTP requests to AWS APIs, but also appears when addressing header format is invalid, required headers are missing, header values are incorrect or malformed, or headers don't match service requirements.
Invalid Argument
Hitting an **InvalidArgument** error means one or more parameters in your AWS API request have invalid values, types, or formats—the argument might be out of range, wrong type, or unsupported. This client-side error (4xx) happens when AWS validates request parameters. Most common when parameter values are invalid, but also appears when parameter types don't match requirements, arguments are out of valid range, parameter formats are incorrect, or unsupported argument values are used.
S3 Invalid Object State
Hitting an **S3InvalidObjectState** error means you're trying to access an S3 object that's archived in Glacier or Deep Archive storage class without restoring it first—archived objects must be restored before they can be accessed. This client-side error (4xx) happens when AWS validates object accessibility. Most common when accessing Glacier objects without restore, but also appears when objects are in Deep Archive, restoration hasn't completed, objects are archived and not restored, or accessing archived objects directly.
Lambda Invalid Parameter Value
Getting a **LambdaInvalidParameterValueException** means one or more Lambda function parameters have invalid values—function name format, runtime, memory size, timeout, or environment variables don't meet Lambda requirements. This client-side error (4xx) happens when AWS validates Lambda parameters. Most common when memory size is invalid, but also appears when function name format is wrong, runtime specification is invalid, timeout is out of range, or environment variable format is incorrect.
DynamoDB Provisioned Throughput Exceeded
Getting a **DynamoDBProvisionedThroughputExceededException** means your DynamoDB table's provisioned throughput capacity is exceeded—your request rate is higher than the read or write capacity units allocated to the table. This client-side error (4xx) happens when AWS throttles requests due to capacity limits. Most common when read/write capacity is exceeded, but also appears when hot partitions cause throttling, provisioned capacity is insufficient, sudden traffic spikes occur, or load isn't distributed across partition keys.
S3 Bucket Already Owned By You
Hitting an **S3BucketAlreadyOwnedByYou** error means the S3 bucket name you're trying to create already exists in your AWS account—S3 bucket names must be globally unique across all AWS accounts, so if you own a bucket with that name, you can't create another. This client-side error (4xx) happens when AWS validates bucket name uniqueness. Most common when bucket name already exists in your account, but also appears when attempting to create a duplicate bucket, bucket name collision occurs, previous bucket creation succeeded, or bucket exists in a different region.
Lambda Resource Not Found
Getting a **LambdaResourceNotFoundException** means the Lambda function, layer, or event source mapping you're referencing doesn't exist—the resource might have been deleted, the name is misspelled, or it's in a different region. This client-side error (4xx) happens when AWS validates Lambda resource existence. Most common when function names are misspelled, but also appears when functions are deleted, incorrect regions are specified, functions don't exist, or layers/event sources are not found.
DynamoDB Resource Not Found
Getting a **DynamoDBResourceNotFoundException** means the DynamoDB table, index, or stream you're referencing doesn't exist—the resource might have been deleted, the name is misspelled, or it's in a different region. This client-side error (4xx) happens when AWS validates DynamoDB resource existence. Most common when table names are misspelled, but also appears when tables don't exist, tables are deleted, incorrect regions are specified, or indexes/streams are not found.
S3 Invalid Bucket Name
Hitting an **S3InvalidBucketName** error means your S3 bucket name doesn't follow AWS naming rules—bucket names must be 3-63 characters, lowercase, alphanumeric with hyphens/periods, and globally unique. This client-side error (4xx) happens when AWS validates bucket name format. Most common when bucket names are too short/long, but also appears when invalid characters are used, names start/end with period or hyphen, uppercase letters are included, or consecutive periods exist.
Lambda Service Exception
Getting a **LambdaServiceException** means AWS Lambda encountered an internal service error—this is a server-side issue (5xx) that's usually temporary and resolves with retries. This server-side error happens when Lambda services experience internal failures. Most common during temporary service issues, but also appears when services are temporarily unavailable, Lambda is overloaded, regional service issues occur, or transient infrastructure problems happen.
DynamoDB Conditional Check Failed
Getting a **DynamoDBConditionalCheckFailedException** means your conditional write operation (PutItem, UpdateItem, DeleteItem) failed because the condition expression evaluated to false—the item doesn't match your expected state, doesn't exist when expected, or was modified by another operation. This client-side error (4xx) happens when AWS validates conditional expressions. Most common when item attribute values don't match expectations, but also appears when items don't exist when expected, version checks fail, optimistic locking conflicts occur, or condition expressions are incorrect.
S3 Invalid Access Key ID
Hitting an **S3InvalidAccessKeyId** error means your AWS access key ID doesn't exist or is invalid—the access key might have been deleted, rotated, or belongs to a different AWS account. This client-side error (4xx) happens when AWS validates S3 request credentials. Most common when access keys are deleted or rotated, but also appears when access key IDs are incorrect, credentials files are misconfigured, wrong AWS account credentials are used, or old keys are still in use after rotation.
Lambda Invalid Request Content
Getting a **LambdaInvalidRequestContentException** means your Lambda function invocation payload is invalid—the JSON is malformed, exceeds the 6MB limit, or has encoding issues. This client-side error (4xx) happens when AWS validates Lambda invocation payloads. Most common when JSON format is invalid, but also appears when request payloads exceed 6MB limit, JSON structure is malformed, encoding issues occur, or unsupported content types are used.
DynamoDB Item Collection Size Limit Exceeded
Hitting a **DynamoDBItemCollectionSizeLimitExceededException** means a single item collection (all items sharing the same partition key) exceeds the 10GB limit—this typically happens with Local Secondary Indexes (LSI) or Global Secondary Indexes (GSI) when too many items share the same partition key. This client-side error (4xx) happens when AWS enforces DynamoDB collection size limits. Most common when hot partitions have excessive data, but also appears when LSI/GSI exceeds 10GB, too many items share the same partition key, or index size limits are reached.
S3 No Such Bucket
Getting an **S3NoSuchBucket** error means the S3 bucket you're trying to access doesn't exist—the bucket might have been deleted, the name is misspelled, or it's in a different region or AWS account. This client-side error (4xx) happens when AWS validates bucket existence. Most common when bucket names are misspelled, but also appears when buckets don't exist, buckets are deleted, incorrect regions are specified, or buckets are in different AWS accounts.
Lambda EC2 Access Denied
Getting a **LambdaEC2AccessDeniedException** means your Lambda function can't access VPC or EC2 resources—the Lambda execution role lacks EC2 permissions to create/manage network interfaces, or security groups/NACLs are blocking access. This client-side error (4xx) happens when AWS validates Lambda VPC permissions. Most common when Lambda execution role lacks EC2 permissions, but also appears when security group rules are too restrictive, network ACLs block access, route tables are misconfigured, or ENI creation fails.
DynamoDB Transaction Conflict
Getting a **DynamoDBTransactionConflictException** means your DynamoDB transaction conflicted with another concurrent transaction on the same items—DynamoDB transactions are atomic and cannot be modified while in progress. This client-side error (4xx) happens when AWS detects transaction conflicts. Most common when concurrent transactions operate on the same items, but also appears when transactions are already in progress, optimistic locking fails, or transaction timeouts occur.
Lambda ENI Limit Reached
Hitting a **LambdaENILimitReachedException** means your AWS account has reached the maximum number of Elastic Network Interfaces (ENIs) that can be created in the region—this happens when too many Lambda functions are configured to use VPCs, and each concurrent execution creates an ENI. This client-side error (4xx) happens when AWS enforces ENI limits. Most common when too many Lambda functions use VPCs, but also appears when concurrent executions create too many ENIs, ENIs aren't cleaned up properly, or account-level ENI limits are reached.
DynamoDB Validation Exception
Getting a **DynamoDBValidationException** means your DynamoDB request input doesn't satisfy DynamoDB constraints—attribute names, types, or expression syntax are invalid. This client-side error (4xx) happens when AWS validates DynamoDB request parameters. Most common when invalid attribute names are used in expressions, but also appears when expression syntax is invalid, attribute types don't match schema, reserved words are used as attribute names, or key schemas are invalid.
S3 Invalid Storage Class
Hitting an **S3InvalidStorageClass** error means the S3 storage class you specified is invalid or not supported for the operation—the storage class name might be misspelled, not available in your region, or not supported for the specific operation. This client-side error (4xx) happens when AWS validates S3 storage class names. Most common when storage class names are misspelled, but also appears when storage classes aren't supported in the region, storage class transitions aren't allowed, or unsupported storage classes are used for operations.
Lambda Subnet IP Address Limit Reached
Hitting a **LambdaSubnetIPAddressLimitReachedException** means your Lambda functions have exhausted the available IP addresses in the VPC subnet—each concurrent Lambda execution in a VPC requires an IP address, and the subnet's CIDR block doesn't have enough available. This client-side error (4xx) happens when AWS enforces subnet IP address limits. Most common when subnet CIDR blocks are too small, but also appears when too many concurrent Lambda executions occur, IP addresses aren't released properly, subnets are near capacity, or multiple Lambda functions share the same subnet.
DynamoDB Limit Exceeded
Getting a **DynamoDBLimitExceededException** means you've exceeded DynamoDB's account-level or operation-level limits—the number of concurrent table requests, tables per account, indexes per table, or concurrent modifications has reached the maximum allowed. This client-side error (4xx) happens when AWS enforces DynamoDB limits. Most common when too many concurrent table operations occur, but also appears when table limits per account are exceeded, index limits per table are reached, concurrent modification limits are hit, or account-level limits are exceeded.
EC2 Instance Limit Exceeded
Hitting an **EC2InstanceLimitExceeded** error means you've reached the maximum number of EC2 instances you can launch in the specified region—this limit applies to the total number of running instances across all instance types. This client-side error (4xx) happens when AWS enforces EC2 instance limits. Most common when account-level instance limits are reached, but also appears when region-specific limits are exceeded, too many instances are running, instance type limits are hit, or VPC instance limits are reached.
EC2 Insufficient Instance Capacity
Getting an **EC2InsufficientInstanceCapacity** error means AWS doesn't have enough available capacity in the Availability Zone you requested to fulfill your instance launch—this is a temporary capacity issue, not a quota limit. This server-side error (5xx) happens when AWS validates instance capacity availability. Most common when Availability Zone capacity is exhausted, but also appears when requested instance types are unavailable, high demand occurs in the region, Spot instance capacity is insufficient, or dedicated host capacity is unavailable.
EC2 Invalid AMI ID Not Found
Getting an **EC2InvalidAMIIDNotFound** error means the AMI (Amazon Machine Image) ID you specified doesn't exist or isn't available in the current region—the AMI might have been deregistered, is in a different region, or isn't shared with your account. This client-side error (4xx) happens when AWS validates AMI existence. Most common when AMI IDs are incorrect, but also appears when AMIs are in different regions, AMIs have been deregistered, AMI ID formats are incorrect, or AMIs aren't shared with your account.
EC2 Invalid Instance ID Not Found
Getting an **EC2InvalidInstanceIDNotFound** error means the EC2 instance ID you specified doesn't exist or has been terminated—the instance might be in a different region, was deleted, or the ID is misspelled. This client-side error (4xx) happens when AWS validates EC2 instance existence. Most common when instance IDs are incorrect, but also appears when instances have been terminated, instances are in different regions, instance ID formats are incorrect, or instance ID typos occur.
EC2 Unsupported Operation
Getting an **EC2UnsupportedOperation** error means the EC2 operation you're trying to perform isn't supported for the specified resource or instance type—the operation might not be available for the current instance configuration, instance state, or instance type. This client-side error (4xx) happens when AWS validates operation compatibility. Most common when operations aren't supported for instance types, but also appears when instance states don't allow operations, features aren't available for instances, instance configurations are incompatible, or operations require different instance types.
IAM Entity Already Exists
Hitting an **IAMEntityAlreadyExists** error means the IAM entity (user, group, role, or policy) you're trying to create already exists in your AWS account—IAM entity names must be unique within your account, so you can't create duplicates. This client-side error (4xx) happens when AWS validates IAM entity name uniqueness. Most common when user names already exist, but also appears when role names, group names, or policy names already exist, or duplicate entity creation attempts occur.
IAM Invalid User ID Not Found
Getting an **IAMInvalidUserIDNotFound** error means the IAM user you specified doesn't exist—the user might have been deleted, the name is misspelled, or it's in a different AWS account. This client-side error (4xx) happens when AWS validates IAM user existence. Most common when user names are misspelled, but also appears when users don't exist, users have been deleted, incorrect user name formats are used, or users are in different AWS accounts.
IAM Malformed Policy Document
Getting an **IAMMalformedPolicyDocument** error means your IAM policy document is malformed or invalid—the JSON syntax might be wrong, required policy elements are missing, or the policy statement structure doesn't follow IAM policy language syntax. This client-side error (4xx) happens when AWS validates IAM policy documents. Most common when JSON syntax is invalid, but also appears when required policy elements are missing, policy statement structures are invalid, action or resource values are malformed, or policy document encoding issues occur.
IAM Policy Not Attachable
Hitting an **IAMPolicyNotAttachable** error means the IAM policy you're trying to attach cannot be attached to the entity—some AWS managed policies aren't attachable, or the policy type is incompatible with the entity type (user, role, or group). This client-side error (4xx) happens when AWS validates policy attachment compatibility. Most common when AWS managed policies aren't attachable, but also appears when policy types are incompatible with entities, policy attachment restrictions exist, service-linked policy limitations occur, or policies aren't designed for attachment.
IAM Limit Exceeded
Hitting an **IAMLimitExceeded** error means you've exceeded the maximum number of IAM entities allowed in your AWS account—IAM enforces limits on users (5000), groups (300), roles (5000), and customer managed policies (1500) per account. This client-side error (4xx) happens when AWS validates IAM entity limits. Most common when too many IAM users exist, but also appears when too many groups, roles, or policies are created, or account-level IAM limits are reached.
CloudFront Invalid Argument
Getting a **CloudFrontInvalidArgument** error means one or more arguments in your CloudFront request are invalid—required parameters might be missing, values don't meet CloudFront requirements, or the distribution configuration is malformed. This client-side error (4xx) happens when AWS validates CloudFront request parameters. Most common when distribution configurations are invalid, but also appears when origin settings are wrong, cache behavior settings are invalid, certificate ARNs are malformed, or parameter formats are incorrect.
CloudFront Distribution Already Exists
Getting a **CloudFrontDistributionAlreadyExists** error means a CloudFront distribution with the specified caller reference already exists—each distribution must have a unique caller reference, so you can't reuse the same reference. This client-side error (4xx) happens when AWS validates caller reference uniqueness. Most common when duplicate caller references are used, but also appears when distributions were already created, previous creation succeeded, caller reference collisions occur, or distributions exist with the same reference.
CloudFront No Such Distribution
Getting a **CloudFrontNoSuchDistribution** error means the CloudFront distribution ID you specified doesn't exist—the distribution might have been deleted, the ID is misspelled, or it's in a different AWS account. This client-side error (4xx) happens when AWS validates CloudFront distribution existence. Most common when distribution IDs are incorrect, but also appears when distributions have been deleted, incorrect distribution ID formats are used, distribution ID typos occur, or distributions are in different accounts.
CloudFront Invalid Origin
Getting a **CloudFrontInvalidOrigin** error means your CloudFront origin configuration is invalid—the origin domain name, protocol, or port configuration doesn't meet CloudFront requirements, or the origin isn't accessible. This client-side error (4xx) happens when AWS validates CloudFront origin configurations. Most common when origin domain names are invalid, but also appears when origin protocols are wrong, port configurations are invalid, origin domains don't resolve, or SSL certificate issues occur.
CloudFront Too Many Distributions
Hitting a **CloudFrontTooManyDistributions** error means you've reached the maximum number of CloudFront distributions allowed in your AWS account—the default limit is 200 distributions per account, and you can't create more until you delete some or request a limit increase. This client-side error (4xx) happens when AWS enforces CloudFront distribution limits. Most common when account distribution limits are reached, but also appears when too many active distributions exist, distribution limits are exceeded, account-level limits are reached, or maximum distributions are created.
EC2 Invalid Parameter Combination
Getting an **EC2InvalidParameterCombination** error means the EC2 parameters you specified cannot be used together—some parameters are mutually exclusive, require specific combinations, or conflict with each other. This client-side error (4xx) happens when AWS validates EC2 parameter compatibility. Most common when mutually exclusive parameters are used together, but also appears when parameter combinations aren't supported, instance types are incompatible with parameters, network settings conflict, or storage configurations are invalid.
EC2 Invalid Snapshot Not Found
Getting an **EC2InvalidSnapshotNotFound** error means the EBS snapshot ID you specified doesn't exist or isn't available—the snapshot might have been deleted, is in a different region, or isn't shared with your account. This client-side error (4xx) happens when AWS validates EBS snapshot existence. Most common when snapshot IDs are incorrect, but also appears when snapshots have been deleted, snapshots are in different regions, incorrect snapshot ID formats are used, or snapshots aren't shared with your account.
EC2 Volume In Use
Getting an **EC2VolumeInUse** error means the EBS volume you're trying to delete or modify is currently attached to an EC2 instance—volumes must be detached before deletion or certain modifications. This client-side error (4xx) happens when AWS validates EBS volume attachment status. Most common when volumes are attached to running instances, but also appears when volumes are attached to stopped instances, volume deletion is attempted while attached, volume modification occurs while attached, or volumes are in use by another operation.
IAM Delete Conflict
Hitting an **IAMDeleteConflict** error means the IAM entity (user, role, or policy) you're trying to delete is still in use—it has attached policies, group memberships, access keys, or other dependencies that must be removed first. This client-side error (4xx) happens when AWS validates IAM entity dependencies before deletion. Most common when users have attached policies, but also appears when users are members of groups, users have access keys, roles have attached policies, or policies are attached to entities.
IAM Password Policy Violation
Getting an **IAMPasswordPolicyViolation** error means the password you're trying to set doesn't meet your AWS account's password policy requirements—the password might be too short, missing required character types, or violate complexity or history rules. This client-side error (4xx) happens when AWS validates passwords against the account password policy. Most common when passwords are too short, but also appears when required characters are missing, complexity requirements aren't met, passwords are in history (reuse prevention), or password policy rules are violated.
CloudFront Invalid Viewer Certificate
Getting a **CloudFrontInvalidViewerCertificate** error means the SSL/TLS certificate you specified for CloudFront is invalid or not properly configured—CloudFront requires certificates to be in the us-east-1 region, valid and not expired, and issued by ACM. This client-side error (4xx) happens when AWS validates CloudFront certificate configuration. Most common when certificates aren't in us-east-1 region, but also appears when certificates are expired or invalid, certificate ARNs are incorrect, certificates aren't issued by ACM, or certificate domains don't match the distribution.
CloudFront Distribution Not Disabled
Getting a **CloudFrontDistributionNotDisabled** error means you're trying to delete a CloudFront distribution that's still enabled—CloudFront requires distributions to be disabled and fully deployed before deletion. This client-side error (4xx) happens when AWS validates distribution state before deletion. Most common when distributions are still enabled, but also appears when deletion is attempted while enabled, distributions aren't fully disabled, deployment is still in progress, or distribution state isn't ready for deletion.
EC2 Invalid Key Pair Not Found
Getting an **EC2InvalidKeyPairNotFound** error means the EC2 key pair you specified doesn't exist in the current region—the key pair might be in a different region, was deleted, or the name is misspelled. This client-side error (4xx) happens when AWS validates EC2 key pair existence. Most common when key pair names don't exist, but also appears when key pairs are in different regions, key pairs have been deleted, incorrect key pair name formats are used, or key pair name typos occur.
EC2 Invalid Security Group Not Found
Getting an **EC2InvalidSecurityGroupNotFound** error means the EC2 security group you specified doesn't exist—the security group might be in a different VPC or region, was deleted, or the ID/name is misspelled. This client-side error (4xx) happens when AWS validates EC2 security group existence. Most common when security group IDs don't exist, but also appears when security group names don't exist, security groups are in different VPCs, security groups are in different regions, or security groups have been deleted.
IAM Unmodifiable Entity
Getting an **IAMUnmodifiableEntity** error means the IAM entity (user, role, or policy) you're trying to modify cannot be modified—AWS managed entities have restrictions on modifications, and you must create customer managed alternatives. This client-side error (4xx) happens when AWS validates IAM entity modification permissions. Most common when AWS managed policies cannot be modified, but also appears when service-linked roles have restrictions, AWS managed users have limitations, entities have modification restrictions, or entities are read-only.
CloudFront CNAME Already Exists
Getting a **CloudFrontCNAMEAlreadyExists** error means the CNAME (alternate domain name) you're trying to use is already in use by another CloudFront distribution—each CNAME must be unique across all distributions, so you can't reuse the same domain name. This client-side error (4xx) happens when AWS validates CNAME uniqueness. Most common when CNAMEs are already used by other distributions, but also appears when domain names are already configured, duplicate CNAME assignments occur, previous distributions are using the CNAME, or CNAME conflicts exist with existing distributions.
EC2 Invalid Subnet ID Not Found
Getting an **EC2InvalidSubnetIDNotFound** error means the EC2 subnet ID you specified doesn't exist—the subnet might be in a different VPC or region, was deleted, or the ID is misspelled. This client-side error (4xx) happens when AWS validates EC2 subnet existence. Most common when subnet IDs don't exist, but also appears when subnets are in different VPCs, subnets are in different regions, subnets have been deleted, or incorrect subnet ID formats are used.
IAM Concurrent Modification
Getting an **IAMConcurrentModification** error means multiple requests to modify the same IAM entity are being processed simultaneously, causing a conflict—you need to wait for the current operation to complete before retrying. This client-side error (4xx) happens when AWS detects concurrent modification attempts. Most common when simultaneous policy updates occur, but also appears when concurrent role modifications happen, multiple users update the same entity, race conditions occur in updates, or overlapping modification requests are made.
Authentication Failed: OAuth Token Validation Failure
Your OAuth token failed ARM's validation checks—either expired, cryptographically invalid, or issued for the wrong tenant/audience. This is a client-side 401 error, meaning your credentials couldn't authenticate. ARM validates tokens against Azure AD (Entra ID) before allowing any resource operations on VMs, AKS clusters, Azure SQL databases, or App Services. The token's signature, expiration (exp claim), or audience (aud claim) didn't pass validation.
Authorization Failed: RBAC Permission Denied
You're authenticated, but your RBAC roles don't grant the required permission at the operation's scope. This 403 client-side error means ARM blocked the operation after authentication passed—your identity lacks the necessary role actions. ARM evaluates permissions hierarchically (subscription → resource group → resource), so a role at resource group scope won't help with subscription-level operations. Deny assignments at parent scopes always override allow assignments below them. Common across VM management, AKS clusters, Azure SQL databases, and App Service deployments.
Resource Not Found: ARM Resource URI Invalid
ARM couldn't locate the resource at your specified path—the resource ID might be invalid, the resource was deleted, or you're hitting the wrong subscription. This 404 client-side error indicates the resource provider couldn't resolve your request. ARM checks the resource ID format first, then queries the provider. Resources like Key Vaults and Storage accounts can be soft-deleted, existing in a "Deleted" state during retention but inaccessible via standard GET operations. Applies to VMs, AKS clusters, Azure SQL databases, and App Service web apps.
Invalid Authentication Info: Header Format Error
Your Authorization header violates the OAuth 2.0 Bearer format—ARM can't parse it before even validating the token. This 401 client-side error means the header structure is wrong: missing "Bearer " prefix, wrong case ("authorization" vs "Authorization"), or malformed JWT (must have 3 dot-separated segments: header.payload.signature). ARM validates header format before token content, so this fails earlier than AuthenticationFailed. Appears in VM operations, AKS API calls, Azure SQL connections, and App Service deployments when headers are manually constructed.
Subscription Not Found: Invalid GUID or Access Denied
ARM can't find the subscription—either the GUID format is wrong, the subscription was cancelled/deleted, or you lack Reader role (ARM returns 404 instead of 403 to avoid revealing subscription existence). This 404 client-side error means ARM validated the GUID format, then either couldn't locate it or determined you don't have access. Subscriptions enter "Cancelled" state due to payment failures or expired trials, then get permanently deleted after a grace period. Cross-tenant access requires explicit B2B configuration. Affects all operations: VMs, AKS clusters, Azure SQL, App Service.
Conflict Error: Resource State Constraint Violation
The operation conflicts with the resource's current state—either the provisioningState blocks it (like "Deleting" or "Failed"), or a uniqueness constraint is violated (name already exists). This 409 client-side error means ARM checked the resource state and constraints before allowing the operation. Resources in "Deleting" state block all operations while ARM processes the deletion in the background (timing varies by resource type). Globally unique resources like storage accounts require names unique across all Azure subscriptions. Common in VMs, AKS clusters, Azure SQL databases, and App Service deployments.
Invalid Request Content: Request Body Schema Violation
Your request body JSON doesn't match the resource schema for the API version you're using—properties might be missing, have wrong types, or violate enum constraints. This 400 client-side error occurs after ARM validates your JSON syntax but finds schema mismatches. Schema requirements vary by API version; what's optional in one version becomes required in another, or enum values change. ARM checks your request body against the resource type's schema definition. Affects VM creation, AKS cluster configuration, Azure SQL database setup, and App Service app settings.
Quota Exceeded: Resource Limit Reached
You've hit Azure's hard quota limit for this resource type—the operation would push you over the subscription or regional cap. This 403 client-side error means ARM checked your current usage against the limit and blocked the operation. Quota limits vary by subscription tier and resource type (regional quotas differ from subscription-wide quotas). Most common with VM vCPU limits, but also appears with AKS cluster/node quotas, Azure SQL database instance limits, and App Service plan quotas. ARM enforces these before resource creation.
Resource Group Not Found: Name Invalid or Deleted
ARM can't locate the resource group—the name format might be invalid (1-90 characters, alphanumeric plus underscore/parentheses/hyphen/period), the group was deleted, or you're hitting the wrong subscription. This 404 client-side error occurs after ARM validates the name format but can't find the group. Resource group names are case-insensitive in Azure CLI but case-sensitive in direct ARM API calls, so case mismatches can cause failures. Soft-deleted resource groups exist during retention but aren't accessible via standard GET operations. Applies to VM resource groups, AKS clusters, Azure SQL databases, and App Service deployments.
Storage Account Not Found: Name Invalid or Deleted
ARM can't find the storage account—the name format is wrong (3-24 lowercase alphanumeric, no hyphens), the account was soft-deleted, or you're querying the wrong resource group/subscription. This 404 client-side error happens after ARM validates the name format but the provider can't resolve it. Storage account names are globally unique across all Azure subscriptions and case-sensitive. Soft-deleted accounts exist during retention but aren't accessible via standard GET operations. Common when referencing storage for VM disk backups, AKS container registries, Azure SQL backups, or App Service application storage.
Too Many Requests: ARM API Rate Limit Exceeded
You're hitting ARM's rate limits—sending requests faster than the per-subscription limits allow for your authenticated principal. This 429 client-side error means ARM throttled your requests after exceeding the limit for this operation type (limits vary by operation and resource type, and aren't publicly documented). ARM tracks rate limits per subscription and principal, so concurrent requests from multiple processes can compound. The response includes a Retry-After header specifying the minimum wait time before retrying. Common during bulk VM operations, AKS cluster management, Azure SQL batch operations, and App Service deployments.
Container Not Found: Blob Container Does Not Exist
The blob container doesn't exist in the storage account—name format might be invalid (3-63 characters, lowercase alphanumeric plus hyphens, no consecutive hyphens), the container was deleted, or the case doesn't match (containers are case-sensitive, so "MyContainer" ≠ "mycontainer"). This 404 client-side error occurs after Storage validates the name format but can't locate the container. Unlike Key Vaults and Storage accounts, containers don't support soft-delete—when deleted, they're permanently gone with no recovery period. Appears when accessing containers for VM disk backups, AKS container images, Azure SQL backups, or App Service application files.
Blob Not Found: Blob Does Not Exist
The blob doesn't exist in the container—either the name/path is wrong, the case doesn't match (blobs are case-sensitive), or the blob was soft-deleted and still in retention. This 404 client-side error occurs after Storage validates the blob name format but can't find it in the container. Blob names support virtual directory paths using forward slashes (e.g., "folder/blob.txt" vs "folder/subfolder/blob.txt" are different), and paths must match exactly. Soft-deleted blobs exist during retention but aren't accessible via standard GET operations. Common when accessing blobs for VM disk backups, AKS container images, Azure SQL backups, or App Service application files.
Precondition Failed: Conditional Header Failed
Your conditional header condition failed—the If-Match ETag doesn't match the current resource ETag, If-None-Match: * failed because the resource exists, or If-Modified-Since timestamp is outdated. This 412 client-side error means ARM's optimistic concurrency control rejected the operation to prevent lost updates. ARM compares your conditional header value against the current resource state; mismatches indicate concurrent modifications happened between your read and write operations. ETags change immediately when resources are modified, so concurrent updates cause mismatches. Common in VM updates, AKS cluster modifications, Azure SQL database changes, and App Service configuration updates.
Invalid Resource Location: Region Not Available
The region/location value is wrong—format might be invalid (must be lowercase with no spaces like "eastus", not "East US"), the resource type isn't available there, or your subscription lacks access to a restricted region. This 400 client-side error occurs after ARM validates the location format but finds the provider doesn't support that resource type in that region, or you need approval for restricted regions (government clouds, some commercial regions). Resource availability varies by provider and region. Common in VM deployments, AKS cluster creation, Azure SQL database provisioning, and App Service deployments when using unsupported or restricted regions.
Operation Not Allowed: State or Policy Violation
Something's blocking the operation—a resource lock (CanNotDelete or ReadOnly), an invalid provisioning state ("Deleting" or "Failed"), or an Azure Policy with Deny effect. This 409/403 client-side error means ARM evaluated constraints and found a blocker. Locks override RBAC permissions, so even Contributor role can't delete resources with CanNotDelete locks. Provisioning states like "Deleting" or "Failed" block most operations until state transitions complete. Azure Policy Deny assignments at subscription/resource group scopes block operations regardless of RBAC. Common in VM management, AKS cluster operations, Azure SQL database changes, and App Service deployments.
Bad Request: Malformed Request
Your request format violates ARM's API contract—malformed JSON syntax, missing required headers (Content-Type: application/json or Authorization: Bearer), wrong parameter types, or invalid API version format (must match YYYY-MM-DD or YYYY-MM-DD-preview). This 400 client-side error occurs when ARM can't parse or validate the request structure. ARM checks JSON syntax first, then required headers, parameter types, and request body size limits. Unlike InvalidRequestContent (which means valid JSON but wrong schema), BadRequest indicates the request structure itself is broken. Appears in VM creation, AKS cluster configuration, Azure SQL database setup, and App Service app settings.
Forbidden: RBAC Authorization Denied
ARM denied the operation—your role assignments don't include the required action (e.g., Reader role only has read actions, so writes fail). This 403 client-side error means authentication succeeded but authorization failed. ARM evaluates permissions hierarchically (subscription → resource group → resource), so a role at resource group scope won't help with subscription-level operations. Deny assignments at parent scopes always override allow assignments at child scopes, even if you have the right role. Unlike AuthorizationFailed (which might have different nuances), Forbidden explicitly means your roles lack the required actions. Common in VM management, AKS cluster operations, Azure SQL database changes, and App Service deployments.
Not Found: API Endpoint or Provider Missing
The API endpoint, resource provider, or API version doesn't exist—unlike ResourceNotFound (missing resource), this indicates infrastructure-level issues. This 404 client-side error means the endpoint/provider/version itself isn't available. The resource provider might not be registered in your subscription (registrationState ≠ "Registered"), the API version doesn't exist for that resource type, or the endpoint path format is wrong. Provider registration is required before creating resources of that type. Common in VM deployments, AKS cluster API calls, Azure SQL database operations, and App Service deployments when using unregistered providers or unsupported API versions.
Validation Error: Business Rule Violation
Your request violates resource-specific business rules—the JSON structure is valid (unlike BadRequest), but values break constraints like uniqueness, dependency validation, or property compatibility rules. This 400 client-side error occurs after ARM validates schema and finds business rule violations. Examples include name uniqueness constraints (globally unique vs scoped), dependency resources missing or in invalid state, or incompatible property combinations (certain SKUs might not be allowed together). ARM validates constraints after schema validation passes. Common in VM creation, AKS cluster configuration, Azure SQL database setup, and App Service deployments.
Unauthorized: Missing or Invalid Authentication
Your request lacks authentication or uses an unsupported method—ARM requires OAuth 2.0 Bearer token authentication, and the Authorization header is missing or invalid. This 401 client-side error occurs before token validation; ARM checks for authentication presence first, so this fails earlier than AuthenticationFailed (which means invalid token). Unlike InvalidAuthenticationInfo (wrong header format), Unauthorized means authentication is missing entirely or uses unsupported schemes (ARM doesn't support basic auth or API keys). Common in VM operations, AKS cluster API calls, Azure SQL database connections, and App Service deployments when authentication isn't configured properly.
Invalid Resource: Schema or Structure Violation
The resource definition breaks ARM's structure requirements—required top-level properties (type, apiVersion, properties) might be missing, the resource type doesn't exist or isn't registered, or properties violate the schema for your API version. This 400 client-side error occurs when ARM validates the resource definition against the resource type's schema before processing operations. The resource type must be registered with its provider namespace first. Schema requirements vary by API version, so what's valid in one version might be invalid in another. Applies to VM definitions, AKS cluster configurations, Azure SQL database definitions, and App Service definitions.
Resource Modified: Concurrent Modification Detected
The resource changed between your read and write operations—your ETag is stale because another process modified it concurrently. This 409 client-side error means ARM's optimistic concurrency control rejected the update to prevent lost updates. ARM compares your request's ETag against the current resource ETag; mismatches indicate concurrent modifications. ETags update immediately when resources change, so parallel operations cause conflicts. This is transient—refreshing the ETag and retrying usually works. Common in VM updates, AKS cluster modifications, Azure SQL database changes, and App Service configuration updates when multiple processes modify resources simultaneously.
VM Provisioning State Failed: VM Creation or Configuration Error
VM provisioning failed before completion—Azure couldn't create, start, or configure the VM, leaving it in "Failed" provisioningState. This is a server-side error caused by issues like quota exhaustion, image deployment failures, network misconfiguration, or extension installation problems. The VM remains in Failed state and blocks most operations until you delete and recreate it. Common causes include insufficient compute quota (regional or subscription-level vCPU limits), unavailable VM images in the region, network security group rules blocking required traffic, or custom script extensions failing due to script errors or permission issues. Similar provisioning failures can occur in AKS node provisioning, Azure SQL database provisioning, and App Service plan provisioning.
VM Allocation Failed: Capacity Constraints
Azure couldn't allocate the VM resources—the selected region or availability zone doesn't have available capacity for your requested VM size. This is a server-side error caused by Azure's temporary capacity constraints (platform-enforced, not user-induced). Capacity varies by region, zone, and VM size, and changes over time due to demand or maintenance. Different zones within a region have independent capacity, so one zone might be full while another has space. Some VM sizes have limited availability. This is transient—retrying later, trying different zones, or using alternative VM sizes often succeeds. Similar allocation failures occur in AKS node allocation and App Service plan allocation.
VM Image Not Found: Image Unavailable or Invalid
The VM image doesn't exist or isn't available—the image URN format might be wrong (must be Publisher:Offer:SKU:Version), the image isn't published to your region, or shared image gallery images require explicit sharing permissions. This 404 client-side error occurs when ARM validates image availability before VM creation. Publisher/offer/SKU values are case-sensitive and must match exactly. Images may be region-specific or require explicit sharing from shared image galleries. The image might exist but not in your subscription or region. Similar image availability issues occur in AKS node images and App Service container images.
Storage Account Name Already Taken: Global Uniqueness Violation
Hitting StorageAccountNameAlreadyTaken means someone else already claimed that storage account name—names are globally unique across all Azure subscriptions, not just yours. ARM returns this 409 client-side error when name validation finds a collision before provisioning starts. The name might be in use by another subscription, reserved by a soft-deleted account during retention, or blocked by Azure for system use. While you'll see this most often creating storage for VM disk backups, it also pops up in AKS container registries, Azure SQL backup storage, and App Service application files. Names must be 3-24 lowercase alphanumeric characters.
Storage Account Quota Exceeded: Subscription Limit Reached
StorageAccountQuotaExceeded hits when you've maxed out storage accounts in your subscription per region—default is 250, but Pay-As-You-Go vs Enterprise Agreement subscriptions have different caps. ARM throws this 403 client-side error after counting your existing accounts and blocking creation. The limit applies per region, so you might have headroom elsewhere. Most common when spinning up storage for VM disk backups, but also surfaces in AKS container registries, Azure SQL backup storage, and App Service application files.
Blob Service Unavailable: Temporary Service Outage
When BlobServiceUnavailable appears, Azure's blob storage is down in your region—could be planned maintenance, an unplanned outage, or throttling from peak load. This 503 server-side error means Azure's platform is the problem, not your request. The service returns 503 during these windows. You'll see this most when accessing blob storage for VM disk backups, but it also happens with AKS container images, Azure SQL database backups, and App Service application files. Usually transient—exponential backoff retries or waiting for service restoration typically fixes it.
AAD Invalid Client Secret: Secret Expired or Revoked
AADInvalidClientSecret means Azure AD (Entra ID) bounced your client secret—it's expired past its endDate, manually revoked, rotated without updating your config, or has typos/encoding issues. This 401 client-side error happens when Azure AD validates secrets before issuing OAuth tokens. Most common in service principal auth for VM deployments, but also shows up in AKS cluster authentication, Azure SQL database connections, and App Service deployment operations. The secret must match exactly what's stored in Azure AD.
AAD Invalid Tenant ID: Tenant Does Not Exist
AADInvalidTenantId surfaces when Azure AD (Entra ID) can't validate your tenant ID—wrong GUID format, tenant doesn't exist, or you lack access to it. This 401 client-side error occurs when Azure AD checks tenant IDs before processing auth requests. Tenant IDs must be valid GUIDs (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx) pointing to real Azure AD tenants. Cross-tenant access needs B2B federation or guest user invites. Most common in service principal auth for VM deployments, but also appears in AKS cluster authentication, Azure SQL database connections, and App Service deployments.
AAD User Not Found: User Does Not Exist
Seeing AADUserNotFound tells you Azure AD (Entra ID) couldn't locate the user—UPN format is wrong (must be user@domain), user was deleted, or they're in another tenant you can't access. This 404 client-side error happens when Azure AD validates user identifiers before operations. Most common in RBAC role assignments for VM access, but also surfaces in AKS cluster RBAC, Azure SQL database user management, and App Service deployment permissions. Cross-tenant access requires B2B federation or guest user invitations. Soft-deleted users may be recoverable within the 30-day retention window.
AAD Group Not Found: Group Does Not Exist
AADGroupNotFound shows up when Azure AD (Entra ID) couldn't resolve the group—display name typo, wrong object ID, deleted group, or it's in another tenant you can't access. This 404 client-side error occurs when Azure AD validates group identifiers before operations. Most common in RBAC role assignments for VM access, but also appears in AKS cluster RBAC, Azure SQL database user management, and App Service deployment permissions. Cross-tenant access needs B2B federation or guest user invites. Group identifiers are case-sensitive for display names.
VM Network Interface Not Found: Interface Missing or Detached
VMNetworkInterfaceNotFound means ARM couldn't locate the network interface—wrong name/ID, interface was deleted, or it's detached from the VM. This 404 client-side error happens when ARM validates network interface references before VM operations. VMs need at least one network interface attached for connectivity. While specific to Virtual Machines, similar NIC lookup issues occur in AKS node network interfaces and App Service networking. The interface must exist and be attached for operations to work.
VM Deployment Failed: Template or Extension Error
VMDeploymentFailed signals your ARM template deployment crashed before the VM finished provisioning—template syntax errors, extension install failures, or missing/invalid dependencies (networks, storage, images). ARM throws this 400/409 client-side error after validating templates and dependencies. Failures can hit during VM creation, configuration, or extension installation. While specific to Virtual Machines, similar deployment failures happen in AKS cluster deployments and App Service app deployments. The deployment's provisioningState shows "Failed" with detailed errors in deployment operations.
Storage Container Quota Exceeded: Container Limit Reached
StorageContainerQuotaExceeded triggers when you've maxed out containers in the storage account—default is unlimited, but custom quotas or service-level limits can cap container count. ARM returns this 403 client-side error after checking container count against configured limits. Quotas vary by storage account type (Standard vs Premium) and can be set at the account level. Most common when creating containers for VM disk backups, but also appears in AKS container image storage, Azure SQL backup storage, and App Service application file storage.
Blob Lease ID Missing: Lease Required for Operation
Getting BlobLeaseIdMissing means your blob operation needs a lease ID in the x-ms-lease-id header, but you didn't provide one. Some operations (delete, update, metadata changes) require active leases to prevent concurrent modifications. Azure Storage returns this 409 client-side error when lease validation fails. Leases expire after their duration (typically 15-60 seconds, configurable). Most common when managing blobs for VM disk backups, but also surfaces in AKS container image updates, Azure SQL backup blob operations, and App Service application file updates.
VMSS Instance Not Found: Instance Does Not Exist
Hitting VMSSInstanceNotFound means ARM couldn't locate the scale set instance—wrong instance ID (usually numeric like 0, 1, 2), instance was deleted, or it's deallocated (stopped and deallocated). This 404 client-side error occurs when ARM validates instance IDs before operations. While specific to Virtual Machine Scale Sets, similar instance lookup failures happen in AKS node instances and App Service app service instances. Deallocated instances need to be started before most operations work. Scale sets may auto-create instances based on capacity settings.
AAD Application Not Found: Application Does Not Exist
AADApplicationNotFound appears when Azure AD (Entra ID) couldn't resolve the application registration—wrong application ID (client ID) or object ID, app was deleted, or it's in another tenant you can't access. This 404 client-side error happens when Azure AD validates application identifiers before operations. Application IDs must be valid GUIDs. Most common in service principal authentication for VM deployments, but also appears in AKS cluster authentication, Azure SQL database connections, and App Service deployment operations. Cross-tenant access requires B2B federation or guest user invitations.
VM OS Disk Not Found: Disk Missing or Detached
Hitting VMOSDiskNotFound during a VM operation means ARM lost track of the OS disk—either the disk name/ID in your VM's storage profile is wrong, the disk got deleted, or it's sitting detached in your resource group. This 404 client-side error hits when ARM validates disk references before VM operations. VMs need an OS disk attached for boot and most operations. While specific to Virtual Machines, similar disk lookup failures happen in AKS node OS disks and App Service storage. The disk must exist in the same resource group or subscription and be properly referenced in the VM's storageProfile.osDisk.
Storage Table Not Found: Table Does Not Exist
Seeing StorageTableNotFound means Azure Table Storage couldn't resolve your table—name format violates DNS rules, the table never got created, or it was deleted (and unlike blobs, there's no soft-delete recovery). This 404 client-side error happens when Azure Storage validates table names before operations. Table names must be DNS-compliant (3-63 characters, alphanumeric plus hyphens, no consecutive hyphens, start/end with alphanumeric). Most common when accessing Table Storage for application data, but also surfaces in AKS application state storage, Azure SQL metadata tables, and App Service configuration storage. Once deleted, tables are permanently gone—no recovery window.
VM Extension Not Found: Extension Not Installed
Getting VMExtensionNotFound tells you ARM can't locate the VM extension—name typo, extension never got installed, or someone removed it. This 404 client-side error occurs when ARM validates extension references before VM operations. Extensions don't auto-install on VM creation—you must explicitly install them. While specific to Virtual Machines, similar extension lookup failures happen in AKS node extensions and App Service site extensions. Extension names must match exactly what's installed (case-sensitive), including the publisher and version you specified during installation.
AAD Service Principal Not Found: Principal Does Not Exist
AADServicePrincipalNotFound surfaces when Azure AD (Entra ID) can't find the service principal—wrong object ID or application ID, the principal never got created from your app registration, or it was deleted. This 404 client-side error happens when Azure AD validates service principal identifiers before operations. Service principals don't auto-create when you register an app—you must explicitly create them using 'az ad sp create'. Most common in service principal authentication for VM deployments, but also appears in AKS cluster authentication, Azure SQL database connections, and App Service deployment operations. Service principal IDs must be valid GUIDs.
Permission Denied: IAM Authorization Failure
Hitting PERMISSION_DENIED means your authenticated identity got past login but lacks the IAM role or permission GCP requires for this operation. This server-side authorization failure happens in GCP's control plane—your credentials are valid, but GCP evaluated your request and blocked it. You'll see this most often in Compute Engine VM operations, but it also surfaces in Cloud SQL database management, GKE cluster operations, and BigQuery dataset access. IAM role assignments can take 30-60 seconds to propagate, so recent grants might not be active yet.
Unauthenticated: Missing or Invalid Credentials
UNAUTHENTICATED means GCP can't validate your credentials—either your request has no auth credentials, your service account key is expired or revoked, or the GOOGLE_APPLICATION_CREDENTIALS environment variable isn't set. This client-side error happens before GCP even checks permissions. Most common in Compute Engine API calls, but also appears in Cloud SQL database connections, GKE cluster API access, and BigQuery query execution. OAuth tokens expire after about an hour, while service account keys don't expire by default unless revoked.
Not Found: Resource Does Not Exist
Seeing NOT_FOUND tells you GCP couldn't locate the resource—wrong resource name, ID, or path; the resource was deleted; or you're querying the wrong project, region, or zone. This client-side error happens during resource lookup in the control plane. Resource identifiers are case-sensitive and must match exactly. Most common in Compute Engine when referencing VMs, disks, or networks, but also surfaces in Cloud SQL database instances, GKE clusters and node pools, and BigQuery datasets and tables. Some services support soft-delete with recovery windows, but timing varies.
Already Exists: Resource Name Conflict
ALREADY_EXISTS hits when you're trying to create a resource with a name that's already taken in the same project and region/zone scope. This client-side error means GCP enforces name uniqueness—your chosen name conflicts with an existing resource. Most common in Compute Engine when creating VMs, disks, or networks, but also appears in Cloud SQL database instances, GKE cluster names, and BigQuery dataset names. Resource names are scoped per zone for Compute Engine, per region for Cloud SQL, and per project for GKE clusters. Recently deleted resources may still reserve names during deletion grace periods.
Invalid Argument: Parameter Validation Failure
INVALID_ARGUMENT means your request parameters failed GCP's validation—missing required fields, wrong data types (string instead of integer), or values that break constraints. This client-side error happens in the control plane before operations start. Most common in Compute Engine when using invalid zones, unsupported machine types, or disk size violations, but also surfaces in Cloud SQL with invalid database versions or regions, GKE with malformed node pool configs, and BigQuery with SQL syntax errors or schema mismatches. GCP validates parameter types strictly—passing "123" as a string when an integer is required will fail.
Failed Precondition: System State Mismatch
FAILED_PRECONDITION means the system state blocks your operation—trying to stop an already-stopped VM, modifying a Cloud SQL database during backup, scaling a GKE cluster mid-upgrade, or querying a BigQuery table being deleted. This can be client-side (wrong resource state, missing prerequisites) or transient server-side (dependency not ready, resource locked by another operation). Most common in Compute Engine when operating on resources in wrong states, but also appears in Cloud SQL during maintenance windows, GKE during cluster operations, and BigQuery during table mutations. GCP locks resources during operations to prevent concurrent modifications.
Resource Exhausted: Quota or Capacity Limit Reached
RESOURCE_EXHAUSTED hits when you've maxed out quotas (project or regional limits), hit a temporary capacity stockout in that zone, or exhausted disk space. This can be client-side (you've used all your quota) or server-side (GCP temporarily lacks capacity). Most common in Compute Engine when you've hit VM instance quotas, disk quotas, or regional capacity limits, but also appears in Cloud SQL instance and storage quotas, GKE cluster and node quotas, and BigQuery query and storage quotas. Regional stockouts are transient—try different zones or retry later. Quota exhaustion is persistent until you free resources or request increases.
Out of Range: Parameter Value Violation
OUT_OF_RANGE means your parameter value breaches GCP's allowed bounds—disk size exceeds maximum (64 TB) or is below minimum (10 GB), port numbers outside 1-65535, or array indices beyond valid bounds. This client-side error happens during parameter validation in the control plane. Most common in Compute Engine with disk sizes and port numbers, but also surfaces in Cloud SQL with storage size limits and backup retention days, GKE with node pool and cluster size constraints, and BigQuery with query size limits. Range limits vary by service and resource type—standard disks have different limits than SSDs, and Cloud SQL tier limits differ by instance size.
Unimplemented: Operation Not Supported
UNIMPLEMENTED surfaces when the operation you're calling doesn't exist, isn't enabled for your project, or isn't available in your API version, region, or service tier. This client-side error happens during operation validation in the control plane. Most common in Compute Engine when using alpha/beta features without the right API version, or when machine types aren't available in that zone. Also appears in Cloud SQL with unsupported database engine versions or regional features, GKE with unavailable Kubernetes versions or regional capabilities, and BigQuery with SQL functions not supported in your region. Alpha and beta features require gcloud alpha or gcloud beta commands, not the stable API.
Internal Error: System Failure
INTERNAL means GCP's backend systems hit an unexpected failure—system invariants broke, indicating a platform bug or infrastructure issue, not your request. This server-side error happens in GCP's control plane or backend services. Most common in Compute Engine during VM provisioning or disk operations, but also surfaces in Cloud SQL database operations, GKE cluster management, and BigQuery query execution. Usually transient—exponential backoff retries often succeed once GCP recovers, but persistent cases require waiting for Google to fix the underlying issue.
Unavailable: Service Temporarily Down
UNAVAILABLE hits when GCP's service is temporarily down—planned maintenance, traffic overload, or unplanned regional outages prevent the backend from processing requests. This server-side error means GCP's infrastructure is the problem, not your request. Most common in Compute Engine when APIs go down or regions experience outages, but also appears in Cloud SQL during connection failures, GKE when cluster APIs are unavailable, and BigQuery when query services are overloaded. Usually transient—exponential backoff retries typically succeed once service recovers, but regional outages may require switching zones.
Deadline Exceeded: Operation Timeout
DEADLINE_EXCEEDED means your operation exceeded its timeout—either your client timeout is too short for large VM creation or disk operations, or GCP's backend is slow. This can be client-side (timeout too aggressive) or server-side (backend processing delays). Most common in Compute Engine when creating large VMs or performing disk snapshots, but also surfaces in Cloud SQL during long database migrations, GKE during cluster provisioning, and BigQuery with complex long-running queries. GCP enforces timeouts to prevent indefinite hangs—operations that take longer than the allowed duration get cancelled.
Aborted: Concurrency Conflict
ABORTED surfaces when GCP aborts your operation due to a concurrency conflict—another operation modified the resource between your read and write, triggering optimistic concurrency control. This server-side error happens when GCP detects state changes during concurrency validation in the control plane or backend. Most common in Compute Engine when multiple processes update VMs simultaneously, but also appears in Cloud SQL during concurrent database modifications, GKE during parallel cluster updates, and BigQuery when multiple clients modify tables at once. Usually transient—reading fresh resource state and retrying with exponential backoff typically resolves conflicts.
Quota Exceeded: Resource Limit Reached
QUOTA_EXCEEDED hits when you've maxed out your project or regional quota for a resource type—GCP's control plane enforces hard limits per project and per region. This server-side error means you've hit the ceiling for VM instances, disks, Cloud SQL instances, GKE clusters, or BigQuery query quotas. Most common in Compute Engine when you've created the maximum allowed VMs or disks, but also appears in Cloud SQL instance quotas, GKE cluster and node quotas, and BigQuery query and storage quotas. Quota exhaustion is persistent until you delete unused resources or request increases via Cloud Console—unlike RESOURCE_EXHAUSTED, this specifically indicates quota limits, not capacity stockouts.
Invalid State: Resource State Mismatch
INVALID_STATE means the resource is in a state that blocks your operation—trying to stop an already-stopped VM, delete a resource mid-creation, or modify a Cloud SQL database during backup. This can be client-side (wrong resource state) or server-side (resource locked by another operation). Most common in Compute Engine when operating on VMs in wrong states, but also appears in Cloud SQL during maintenance windows, GKE during cluster upgrades (RECONCILING state), and BigQuery when querying tables being deleted. GCP validates resource states before operations—state machines vary by service, and some transitions require intermediate steps.
Cancelled: Operation Terminated
CANCELLED means the operation was terminated before completion—either you explicitly cancelled it, a client timeout killed it, or GCP's system cancelled it due to resource constraints. This can be client-side (user cancellation, timeout) or server-side (system cancellation). Most common in Compute Engine when VM operations get cancelled, but also appears in Cloud SQL during cancelled database operations, GKE during cancelled cluster operations, and BigQuery when queries are cancelled. Unlike ABORTED (which indicates concurrency conflicts), CANCELLED means intentional or automatic termination—operations that exceed timeouts or get manually stopped return this error.
Data Loss: Unrecoverable Data Corruption
DATA_LOSS indicates unrecoverable data corruption or permanent loss—GCP's backend storage systems detected integrity failures that can't be fixed automatically. This critical server-side error means data is corrupted, lost, or damaged beyond recovery. Most common in Compute Engine when disks suffer storage failures or corruption, but also appears in Cloud SQL with database corruption, GKE with persistent volume corruption, and BigQuery with table data corruption. This is a permanent issue—you must restore from backups or snapshots if available, or contact GCP support for recovery assistance.
Invalid Request: Malformed Request Format
INVALID_REQUEST means your request format is broken—malformed JSON, unclosed brackets, missing required fields, or parameters in wrong formats. This client-side error happens during request parsing in the control plane before GCP validates parameter values. Most common in Compute Engine with malformed API requests, but also appears in Cloud SQL with invalid database configuration structures, GKE with malformed cluster configs, and BigQuery with invalid query syntax. Unlike INVALID_ARGUMENT (which indicates wrong parameter values), INVALID_REQUEST means the request structure itself is invalid—GCP can't parse it.