AWS

CredentialsNotSupported

AWS CredentialsNotSupported (Credentials Not Supported) means the request type does not support credentials. In Amazon S3, this error returns HTTP 400.

Last reviewed: March 3, 2026|Source-backed guidance under our editorial policy

Start Here

Use the closest compare guide, playbook, or adjacent error page to narrow the decision faster before you start changing production systems.

This page is part of the Error Reference library. Learn more about the project or report a correction.

What Does Credentials Not Supported Mean?

Requests fail at authentication compatibility checks, so object access paths stay down until endpoint capability and credential strategy are aligned.

Common Causes

-Authorization credentials are sent to an S3 access path that expects anonymous requests.
-Global middleware injects Authorization or x-amz-security-token into routes that should be unsigned.
-Client routing sends signed traffic to a website-style endpoint that does not accept request authentication.
-A shared HTTP client reuses auth interceptors across both public and signed S3 workflows.

How to Fix Credentials Not Supported

1Identify whether the target endpoint supports signed requests or requires anonymous access.
2Strip Authorization and token headers from routes that must be unsigned.
3Route signed operations to standard S3 API endpoints and leave website/public endpoints unsigned.
4Retest with SDK defaults to confirm endpoint selection and auth mode are consistent.

Step-by-Step Diagnosis for Credentials Not Supported

1Capture full request URL, host, headers, and request IDs from the failing call.
2Classify the endpoint (S3 REST API vs S3 website endpoint) before analyzing auth artifacts.
3Inspect proxies/gateways for automatic credential header injection on public paths.
4Compare the failing request with a known-good SDK request generated for the same endpoint type.

Endpoint Capability Validation

-Verify endpoint class before auth decisions (example: s3-website endpoint for static hosting should be accessed anonymously, not with SigV4 headers).
-Audit route-level endpoint mapping in clients and gateways (example: download route accidentally points to website endpoint while still attaching IAM credentials).

Credential Injection Hygiene Checks

-Inspect outbound headers for forced auth injection (example: shared interceptor adds x-amz-security-token to all requests regardless of route).
-Compare failing traffic with clean SDK defaults to isolate custom transport side effects (example: SDK call succeeds, custom axios middleware call fails).

Seen in Production

Frontend sends presigned URL request with extra Authorization header

Frequency: common

Example: Browser extension or proxy injects auth header and S3 rejects mixed auth mode request.

Fix: Strip auth headers for presigned URL flows and keep query-signature-only transport.

Reverse proxy template adds credentials to all outbound AWS requests

Frequency: rare

Example: Static-content path expected unsigned requests but gateway globally injected IAM auth headers.

Fix: Scope credential injection rules by route and endpoint type.

Debugging Tools

-HTTP header capture tooling
-AWS CLI --debug
-Proxy rewrite logs
-Auth mode integration tests

How to Verify the Fix

-Replay the same request path and confirm CredentialsNotSupported no longer appears.
-Validate expected auth mode is consistently applied across clients.
-Confirm auth-related 4xx rates drop for the affected endpoint.

How to Prevent Recurrence

-Enforce one auth strategy per endpoint in shared client libraries.
-Add integration tests that fail when mixed auth headers/query signatures are present.
-Monitor request traces for unexpected Authorization header injection.

Pro Tip

-encode endpoint class in your HTTP client abstraction so unsigned website paths and signed API paths cannot share the same auth middleware chain.

Official References

Provider Context

This guidance is specific to AWS services. Always validate implementation details against official provider documentation before deploying to production.

Start Here

Use the closest compare guide, playbook, or adjacent error page to narrow the decision faster before you start changing production systems.

Common Causes

-Authorization credentials are sent to an S3 access path that expects anonymous requests.

-Global middleware injects Authorization or x-amz-security-token into routes that should be unsigned.

-Client routing sends signed traffic to a website-style endpoint that does not accept request authentication.

-A shared HTTP client reuses auth interceptors across both public and signed S3 workflows.

How to Fix Credentials Not Supported

1Identify whether the target endpoint supports signed requests or requires anonymous access.

2Strip Authorization and token headers from routes that must be unsigned.

3Route signed operations to standard S3 API endpoints and leave website/public endpoints unsigned.

4Retest with SDK defaults to confirm endpoint selection and auth mode are consistent.

Step-by-Step Diagnosis for Credentials Not Supported

1Capture full request URL, host, headers, and request IDs from the failing call.

2Classify the endpoint (S3 REST API vs S3 website endpoint) before analyzing auth artifacts.

3Inspect proxies/gateways for automatic credential header injection on public paths.

4Compare the failing request with a known-good SDK request generated for the same endpoint type.

Endpoint Capability Validation

-Verify endpoint class before auth decisions (example: s3-website endpoint for static hosting should be accessed anonymously, not with SigV4 headers).
-Audit route-level endpoint mapping in clients and gateways (example: download route accidentally points to website endpoint while still attaching IAM credentials).

Credential Injection Hygiene Checks

-Inspect outbound headers for forced auth injection (example: shared interceptor adds x-amz-security-token to all requests regardless of route).
-Compare failing traffic with clean SDK defaults to isolate custom transport side effects (example: SDK call succeeds, custom axios middleware call fails).

Seen in Production

Frontend sends presigned URL request with extra Authorization header

Frequency: common

Example: Browser extension or proxy injects auth header and S3 rejects mixed auth mode request.

Fix: Strip auth headers for presigned URL flows and keep query-signature-only transport.

Reverse proxy template adds credentials to all outbound AWS requests

Frequency: rare

Example: Static-content path expected unsigned requests but gateway globally injected IAM auth headers.

Fix: Scope credential injection rules by route and endpoint type.

Start Here

What Does Credentials Not Supported Mean?

Common Causes

How to Fix Credentials Not Supported

Step-by-Step Diagnosis for Credentials Not Supported

Endpoint Capability Validation

Credential Injection Hygiene Checks

Seen in Production

Frontend sends presigned URL request with extra Authorization header

Reverse proxy template adds credentials to all outbound AWS requests

Debugging Tools

How to Verify the Fix

How to Prevent Recurrence

Pro Tip

Related Errors

Official References

Provider Context

Start Here

What Does Credentials Not Supported Mean?

Common Causes

How to Fix Credentials Not Supported

Step-by-Step Diagnosis for Credentials Not Supported

Endpoint Capability Validation

Credential Injection Hygiene Checks

Seen in Production

Frontend sends presigned URL request with extra Authorization header

Reverse proxy template adds credentials to all outbound AWS requests

Debugging Tools

How to Verify the Fix

How to Prevent Recurrence

Pro Tip

Related Errors

Official References

Provider Context