AWS

InvalidAction

AWS InvalidAction (Invalid Action) means the action or operation requested is invalid. In AWS APIs, this error returns HTTP 400.

Last reviewed: May 4, 2026|Source-backed guidance under our editorial policy

Start Here

Use the closest compare guide, playbook, or adjacent error page to narrow the decision faster before you start changing production systems.

This page is part of the Error Reference library. Learn more about the project or report a correction.

What Does Invalid Action Mean?

When InvalidAction is returned, the request reaches AWS but the requested operation token is not recognized for that endpoint, so execution stops before business logic runs.

Common Causes

-The Action value is misspelled or not supported by the targeted AWS service API.
-Request is sent to the wrong service endpoint, so valid action name is unknown there.
-Client references deprecated/unsupported API version or action mapping.
-Manual query construction strips or rewrites the action parameter unexpectedly.

How to Fix Invalid Action

1Verify action name against the exact service API reference for the chosen endpoint.
2Use official SDK/CLI command mappings instead of hard-coded action strings.
3Confirm request is routed to the intended AWS service and region endpoint.
4Regenerate signed request after correcting action and version parameters.

Step-by-Step Diagnosis for Invalid Action

1Capture full query string, endpoint host, and request ID from the failing request.
2Diff failing action/version pair against a known-good SDK-generated request.
3Inspect proxy/gateway transformations that may alter query parameters.
4Validate service discovery/routing config used by the caller.

Action Resolution Checks

-Verify the Action value against the target service API and version (example: action string valid in one AWS API family is invalid on another endpoint).
-Inspect service endpoint routing and hostname selection (example: request is sent to a different service domain where the action token is unknown).

Query Construction Audit

-Parse final query string immediately before signing and send (example: middleware rewrites or strips the Action parameter after request assembly).
-Trace API-version mappings in custom clients (example: deprecated action alias remains in legacy script while SDK mapping moved to a new operation).

Decision Shortcut: Bad Action vs Wrong Endpoint

-If the same action works through the official AWS CLI, diff the endpoint host, API version, and final query string from the custom client.
-If the action name is valid for another AWS service, fix service routing before changing request signing or credentials.
-If the action token is absent in the final wire request, inspect proxy, middleware, or serializer code that mutates query parameters after assembly.

Wrong Fix to Avoid

-Do not rotate credentials or widen IAM permissions for InvalidAction; AWS is rejecting the operation token, not the caller identity.
-Do not retry the same malformed action string with backoff; the failure is deterministic until endpoint or action mapping changes.
-Do not hard-code Query API action names in new code when an official SDK operation exists.

Implementation Examples

Capture the SDK baseline for the intended operationbash

aws ec2 describe-instances \
  --region us-east-1 \
  --debug 2>&1 \
  | sed -n '/Making request/,/Response headers/p'

Inspect the final Query API action before signingbash

printf '%s\n' "$SIGNED_URL" \
  | sed 's/[?&]/\n/g' \
  | grep -E '^(Action|Version)='

# Expected example:
# Action=DescribeInstances
# Version=2016-11-15

Incident Timeline

12:04 UTC

Custom client builds a Query API request

Signal: The caller constructs endpoint, Action, Version, and signed query parameters outside the official SDK path.

Why it matters: The evidence to capture is the final URL and signed query immediately before dispatch, not only the source template.

12:05 UTC

AWS returns InvalidAction before operation execution

Signal: The response includes InvalidAction even though credentials and network path are valid enough to reach AWS.

Why it matters: Focus on action-to-service mapping, API version, and endpoint host. IAM changes will not make an unknown action valid.

12:13 UTC

CLI or SDK request provides a known-good baseline

Signal: A generated SDK/CLI request shows a different action name, endpoint, or API version than the failing custom request.

Why it matters: Use the generated request as the contract and update custom routing or remove the raw Query API path.

12:25 UTC

Regression test locks the endpoint/action pair

Signal: Contract tests now fail if service endpoint, API version, or action token drifts from the supported operation.

Why it matters: The durable fix is preventing unsupported action strings from shipping again.

Seen in Production

Gateway routes IAM request to EC2 endpoint

Frequency: common

Example: Action string is valid for one service but endpoint mismatch returns InvalidAction.

Fix: Align endpoint routing with service-specific action mappings.

Legacy script uses deprecated action name after API migration

Frequency: rare

Example: Automation keeps old action token while backend now expects updated operation mapping.

Fix: Version-lock client mappings and run API compatibility tests during upgrades.

Wrong Fix vs Better Fix

Permission debugging vs operation mapping

Wrong fix: Inspect IAM policies and add allows for an operation AWS does not recognize on that endpoint.

Better fix: Map the failing action to the exact AWS service endpoint and API version, then compare with SDK-generated requests.

Why this is better: The request must name a valid operation before authorization can matter.

Raw query construction vs SDK operation

Wrong fix: Keep manually concatenating Action and Version strings in application code.

Better fix: Use the official SDK operation or centralize Query API mapping behind tested client code.

Why this is better: SDK-generated requests track service models and reduce drift when API names, versions, or endpoints change.

Debugging Tools

-AWS CLI --debug
-Service endpoint routing logs
-Query string diff tooling
-SDK operation mapping tests

How to Verify the Fix

-Replay the same call and confirm InvalidAction is no longer returned.
-Confirm intended operation executes and returns expected response schema.
-Run regression tests for action routing and query construction paths.

How to Prevent Recurrence

-Centralize action-to-endpoint mappings in versioned client libraries.
-Ban raw action strings in application code where SDK operations exist.
-Alert on InvalidAction spikes by service, endpoint, and deploy version.

Pro Tip

-keep an allowlist of supported action names per service/version in CI and fail builds when unknown action tokens are introduced.

Official References

Provider Context

This guidance is specific to AWS services. Always validate implementation details against official provider documentation before deploying to production.

Start Here

Use the closest compare guide, playbook, or adjacent error page to narrow the decision faster before you start changing production systems.

Common Causes

-The Action value is misspelled or not supported by the targeted AWS service API.

-Request is sent to the wrong service endpoint, so valid action name is unknown there.

-Client references deprecated/unsupported API version or action mapping.

-Manual query construction strips or rewrites the action parameter unexpectedly.

How to Fix Invalid Action

1Verify action name against the exact service API reference for the chosen endpoint.

2Use official SDK/CLI command mappings instead of hard-coded action strings.

3Confirm request is routed to the intended AWS service and region endpoint.

4Regenerate signed request after correcting action and version parameters.

Step-by-Step Diagnosis for Invalid Action

1Capture full query string, endpoint host, and request ID from the failing request.

2Diff failing action/version pair against a known-good SDK-generated request.

3Inspect proxy/gateway transformations that may alter query parameters.

4Validate service discovery/routing config used by the caller.

Action Resolution Checks

-Verify the Action value against the target service API and version (example: action string valid in one AWS API family is invalid on another endpoint).
-Inspect service endpoint routing and hostname selection (example: request is sent to a different service domain where the action token is unknown).

Query Construction Audit

-Parse final query string immediately before signing and send (example: middleware rewrites or strips the Action parameter after request assembly).
-Trace API-version mappings in custom clients (example: deprecated action alias remains in legacy script while SDK mapping moved to a new operation).

Decision Shortcut: Bad Action vs Wrong Endpoint

-If the same action works through the official AWS CLI, diff the endpoint host, API version, and final query string from the custom client.
-If the action name is valid for another AWS service, fix service routing before changing request signing or credentials.
-If the action token is absent in the final wire request, inspect proxy, middleware, or serializer code that mutates query parameters after assembly.

Wrong Fix to Avoid

-Do not rotate credentials or widen IAM permissions for InvalidAction; AWS is rejecting the operation token, not the caller identity.
-Do not retry the same malformed action string with backoff; the failure is deterministic until endpoint or action mapping changes.
-Do not hard-code Query API action names in new code when an official SDK operation exists.

Implementation Examples

Capture the SDK baseline for the intended operationbash

aws ec2 describe-instances \
  --region us-east-1 \
  --debug 2>&1 \
  | sed -n '/Making request/,/Response headers/p'

Inspect the final Query API action before signingbash

printf '%s\n' "$SIGNED_URL" \
  | sed 's/[?&]/\n/g' \
  | grep -E '^(Action|Version)='

# Expected example:
# Action=DescribeInstances
# Version=2016-11-15

Incident Timeline

12:04 UTC

Custom client builds a Query API request

Signal: The caller constructs endpoint, Action, Version, and signed query parameters outside the official SDK path.

Why it matters: The evidence to capture is the final URL and signed query immediately before dispatch, not only the source template.

12:05 UTC

AWS returns InvalidAction before operation execution

Signal: The response includes InvalidAction even though credentials and network path are valid enough to reach AWS.

Why it matters: Focus on action-to-service mapping, API version, and endpoint host. IAM changes will not make an unknown action valid.

12:13 UTC

CLI or SDK request provides a known-good baseline

Signal: A generated SDK/CLI request shows a different action name, endpoint, or API version than the failing custom request.

Why it matters: Use the generated request as the contract and update custom routing or remove the raw Query API path.

12:25 UTC

Regression test locks the endpoint/action pair

Signal: Contract tests now fail if service endpoint, API version, or action token drifts from the supported operation.

Why it matters: The durable fix is preventing unsupported action strings from shipping again.

Seen in Production

Gateway routes IAM request to EC2 endpoint

Frequency: common

Example: Action string is valid for one service but endpoint mismatch returns InvalidAction.

Fix: Align endpoint routing with service-specific action mappings.

Legacy script uses deprecated action name after API migration

Frequency: rare

Example: Automation keeps old action token while backend now expects updated operation mapping.

Fix: Version-lock client mappings and run API compatibility tests during upgrades.

Wrong Fix vs Better Fix

Permission debugging vs operation mapping

Wrong fix: Inspect IAM policies and add allows for an operation AWS does not recognize on that endpoint.

Better fix: Map the failing action to the exact AWS service endpoint and API version, then compare with SDK-generated requests.

Why this is better: The request must name a valid operation before authorization can matter.

Raw query construction vs SDK operation

Wrong fix: Keep manually concatenating Action and Version strings in application code.

Better fix: Use the official SDK operation or centralize Query API mapping behind tested client code.

Why this is better: SDK-generated requests track service models and reduce drift when API names, versions, or endpoints change.

Start Here

What Does Invalid Action Mean?

Common Causes

How to Fix Invalid Action

Step-by-Step Diagnosis for Invalid Action

Action Resolution Checks

Query Construction Audit

Decision Shortcut: Bad Action vs Wrong Endpoint

Wrong Fix to Avoid

Implementation Examples

Incident Timeline

Custom client builds a Query API request

AWS returns InvalidAction before operation execution

CLI or SDK request provides a known-good baseline

Regression test locks the endpoint/action pair

Seen in Production

Gateway routes IAM request to EC2 endpoint

Legacy script uses deprecated action name after API migration

Wrong Fix vs Better Fix

Permission debugging vs operation mapping

Raw query construction vs SDK operation

Debugging Tools

How to Verify the Fix

How to Prevent Recurrence

Pro Tip

Related Errors

Official References

Provider Context

Start Here

What Does Invalid Action Mean?

Common Causes

How to Fix Invalid Action

Step-by-Step Diagnosis for Invalid Action

Action Resolution Checks

Query Construction Audit

Decision Shortcut: Bad Action vs Wrong Endpoint

Wrong Fix to Avoid

Implementation Examples

Incident Timeline

Custom client builds a Query API request

AWS returns InvalidAction before operation execution

CLI or SDK request provides a known-good baseline

Regression test locks the endpoint/action pair

Seen in Production

Gateway routes IAM request to EC2 endpoint

Legacy script uses deprecated action name after API migration

Wrong Fix vs Better Fix

Permission debugging vs operation mapping

Raw query construction vs SDK operation

Debugging Tools

How to Verify the Fix

How to Prevent Recurrence

Pro Tip

Related Errors

Official References

Provider Context