CredentialsNotSupported
AWS CredentialsNotSupported (Credentials Not Supported) means the request type does not support credentials. In Amazon S3, this error returns HTTP 400.
Last reviewed: February 12, 2026|Editorial standard: source-backed technical guidance
What Does Credentials Not Supported Mean?
Requests fail at authentication compatibility checks, so object access paths stay down until endpoint capability and credential strategy are aligned.
Common Causes
- -Authorization credentials are sent to an S3 access path that expects anonymous requests.
- -Global middleware injects Authorization or x-amz-security-token into routes that should be unsigned.
- -Client routing sends signed traffic to a website-style endpoint that does not accept request authentication.
- -A shared HTTP client reuses auth interceptors across both public and signed S3 workflows.
How to Fix Credentials Not Supported
- 1Identify whether the target endpoint supports signed requests or requires anonymous access.
- 2Strip Authorization and token headers from routes that must be unsigned.
- 3Route signed operations to standard S3 API endpoints and leave website/public endpoints unsigned.
- 4Retest with SDK defaults to confirm endpoint selection and auth mode are consistent.
Step-by-Step Diagnosis for Credentials Not Supported
- 1Capture full request URL, host, headers, and request IDs from the failing call.
- 2Classify the endpoint (S3 REST API vs S3 website endpoint) before analyzing auth artifacts.
- 3Inspect proxies/gateways for automatic credential header injection on public paths.
- 4Compare the failing request with a known-good SDK request generated for the same endpoint type.
Endpoint Capability Validation
- -Verify endpoint class before auth decisions (example: s3-website endpoint for static hosting should be accessed anonymously, not with SigV4 headers).
- -Audit route-level endpoint mapping in clients and gateways (example: download route accidentally points to website endpoint while still attaching IAM credentials).
Credential Injection Hygiene Checks
- -Inspect outbound headers for forced auth injection (example: shared interceptor adds x-amz-security-token to all requests regardless of route).
- -Compare failing traffic with clean SDK defaults to isolate custom transport side effects (example: SDK call succeeds, custom axios middleware call fails).
How to Verify the Fix
- -Replay the same request path and confirm CredentialsNotSupported no longer appears.
- -Validate expected auth mode is consistently applied across clients.
- -Confirm auth-related 4xx rates drop for the affected endpoint.
How to Prevent Recurrence
- -Enforce one auth strategy per endpoint in shared client libraries.
- -Add integration tests that fail when mixed auth headers/query signatures are present.
- -Monitor request traces for unexpected Authorization header injection.
Pro Tip
- -encode endpoint class in your HTTP client abstraction so unsigned website paths and signed API paths cannot share the same auth middleware chain.
Decision Support
Compare Guide
HTTP 400 vs 422: Bad Request vs Unprocessable Content
Fix API payload issues faster by using 400 for malformed syntax and 422 for semantic validation failures, so clients correct format before business rules.
Playbook
CORS Error Fix Playbook (Preflight / Origin / Credentials)
Use this playbook to separate browser-enforced cross-origin policy failures from server-side CORS header and route defects and apply strict origin and credential controls safely.
Playbook
Validation Failure Playbook (400 / 422 / INVALID_ARGUMENT)
Use this playbook to separate malformed-request failures from semantic validation failures, then fix request contracts without broad server-side bypasses.
Official References
Provider Context
This guidance is specific to AWS services. Always validate implementation details against official provider documentation before deploying to production.