/s4-specs

S4 APIs

This document describes S4 coverage of IAM and S3 APIs.

1. Common Details

This section addresses common details shared among S4 offered APIs: S3 and IAM.

1.1. Account Identification

The account ID is 15 base10 (i.e. 0-9) digit string. It is padded with leading zeros if necessary.

1.2. Endpoints

Available S4 endpoints:

Endpoint Location
eu-central-1.s4.mega.io Amsterdam
ca-central-1.s4.mega.io Montreal
ca-west-1.s4.mega.io Vancouver

Ensure to prefix the appropriate service code to the endpoint when constructing the API URL:

  • For object storage/S3, use prefix s3. e.g.: s3.eu-central-1.s4.mega.io
  • For IAM, use prefix iam. e.g.: iam.eu-central-1.s4.mega.io

Please note the endpoint g.s4.mega.io is also available which currently points to eu-central-1.s4.mega.io.

Unlike S3, S4 allows to retrieve objects in any bucket through any available region.

1.3. Errors

1.3.1. S3 Error Format

S4 meets S3 error formatting. e.g.:

<?xml version="1.0" encoding="UTF-8"?>
<Error>
  <Code>NoSuchKey</Code>
  <Message>The specified key does not exist.</Message>
  <Resource>/myobj</Resource>
  <RequestId>HC0000000000000001</RequestId>
</Error>

The value of Code is one of the standard IAM or S3 error codes. The value of Message is a human-readable indication of what the origin of the problem is.

1.3.2. Common Errors

Service preamble

Errors that may occur in any S4 service during common service initialization (parsing, authorization and policy validation). Note that these errors can also occur due to additional causes specific to the distinct services. Those are listed at each service specs.

Error Code Description HTTP Status Code
InvalidURI It happens due to a wrong domain (i.e. wrong Host header) format. 400 Bad Request
NoSuchAccessPoint The Account Id specified in host header has a correct format but it doesn't match any existing account. There might be additional reasons such as blocked account, etc. 400 Not Found
InvalidAction Returned in case URL fails to be parsed. 400 Bad Request
InternalError The Account Id specified in host header has a correct format but due to technical reasons the server was not able to handle the request. 500 Internal Server Error
AccountProblem A logical problem in the internal representation of the account is preventing the service to be executed. Technical support is required. 403 Forbidden
IncompleteSignature Missing or unexpected data while (1) building canonical request or (2) parsing credentials. 403 Forbidden
InternalFailure Internal S4 failure 500 Internal Server Error
InvalidAccessKeyId The request cannot complete because the supplied Access Key is not valid. 403 Forbidden
InvalidRequest The request cannot be completed because of an error in the expected request format. Possible causes:

(1) Authorization header does not start with AWS4-HMAC-SHA256
(2) Unexpected service in authorization header data or authentication string
(3) Issue with chunked header or payload
(4) Invalid format for certain x-amz- headers
(5) Expired URL		 400 Bad Request
MissingParameter Missing parameter expected in (1) request URI or (2) headers. 400 Bad Request
MissingSecurityHeader Missing or wrong header involved in authorization. 400 Bad Request
SignatureDoesNotMatch Declared request signature does not match the computed one.

(1) Early detection of signature mismatch (accounting for headers only)
(2) Signature mismatch in presigned URL
(3) Body is signed and some chunk signature mismatches the computed one.
(4) Body is signed and at the end of stream, an error on signature calculation was detected.		 403 Forbidden
AccessDenied The request cannot proceed due to an authorization or policy validation problems (i.e. access not allowed by policies). 403 Forbidden
RequestTimeTooSkewed The difference between the request time and the server's time is too large. 403 Forbidden
ValidationError Input validation failure when processing request such as header parsing for request signature. 400 Bad Request
AuthorizationQueryParametersError Error authentication data when using auth query parameters instead of auth headers, (e.g. the presigned urls). 400 Bad Request
NoSuchBucket Returned if the specified bucket does not exist. 404 Not Found
NoSuchKey Returned if the specified key does not exist. 404 Not Found

During whole service lifetime

Errors that may occur at any moment in any service.

Error Code Description HTTP Status Code
RequestTimeout The client has been unresponsive for too long. 400 Bad Request

2. S3 API

2.1. Conventions

2.1.1. Bucket identification

Most of S3 services receive a <bucket_name> argument identifying the bucket that will be target of the operation. The bucket argument can be received in two different ways:

Path Style

The argument <bucket_name> is specified as part of the URL in the HTTP request, e.g.:

GET /<bucket_name>/ HTTP/1.1.
Host: s3.eu-central-1.s4.mega.io

Virtual-Hosted Style

The argument <bucket_name> is specified as part of the Host in the HTTP request (i.e. as part of the sub-domain), e.g.:

GET / HTTP/1.1.
Host: <bucket_name>.s3.eu-central-1.s4.mega.io

2.1.2. Bucket Name Validation

  • Bucket name must not be .

  • Bucket name must not be ..

  • Bucket names must not contain /

  • Bucket names must be between 3 (min) and 63 (max) characters long

  • Bucket names can consist only of lowercase letters, numbers, dots ., and hyphens -

  • Bucket names must begin and end with a letter or number

  • Bucket names must not contain two adjacent periods

  • Bucket names must not be formatted as an IP address (for example, 192.168.5.4)

  • Bucket names must not start with the prefix xn--

  • Bucket names must not end with the suffix -s3alias

If validation fails the above restrictions, an AccessDenied or InvalidBucketName error is returned (depending on the service being accessed).

2.1.3. Object identification: key

S3 services involving object manipulation or retrieval requires the object to be identified by mean of a string known as <key>. It is specified as part of the URL:

Path Style

GET /<bucket_name>/<key> HTTP/1.1.
Host: s3.eu-central-1.s4.mega.io

Virtual-Hosted Style

GET /<key> HTTP/1.1.
Host: <bucket_name>.s3.eu-central-1.s4.mega.io

2.1.4. Object Key Validation

  • Object key must not be ..

  • Object keys must not begin with ../ or end with /..

  • Object keys must not contain /./ nor /../

  • Object keys must be between 1 (min) and 1024 (max) characters long

  • Object keys must not contain non-printable ASCII characters (128–255 decimal characters)

  • Object keys must not contain \, ^, {, }, %, backtick, [, ], ", <, >, ~, # nor |

If validation fails the above restrictions, an AccessDenied or MethodNotAllowed error is returned (depending on the service being accessed).

2.1.5. Bucket and Object Ownership

Every bucket and every object, despite who created them, is owned by the canonical user (root account).

2.2. Services

S3 endpoint is s3.<region>.s4.mega.io.

2.2.1. Buckets

ListBuckets

Request

Method
GET
URL
/
URL Params Supported
<none>
Specific Headers Supported
<none>
Body Supported
<empty>

Success Response

Status Code
200 OK
Specific Headers
<none>
Body 
<?xml version="1.0" encoding="UTF-8"?>
<ListAllMyBucketsResult>
  <Buckets>
    <Bucket>
      <CreationDate>2022-01-28T11:44:13Z</CreationDate>
      <Name>bucket1</Name>
    </Bucket>
    <Bucket>
      <CreationDate>2022-02-15T18:22:37Z</CreationDate>
      <Name>bucket2</Name>
    </Bucket>
  </Buckets>
  <Owner>
    <ID>57A54E56B89C54B767F01987C0BC77929B5212C0BF165E3CF2B8DF818C46B66C</ID>
    <DisplayName>158563168473704</DisplayName>
  </Owner>
</ListAllMyBucketsResult>

Errors

<No specific error expected>

CreateBucket

Creates the bucket <bucket_name> if it is a valid bucket name and it does not exist yet.

Request

Method
PUT
URL (alternatives) Note

/

Host header must start with <bucket_name>, e.g. test-bucket.s3.eu-central-1.s4.mega.io

/<bucket_name>
URL Params Supported
<none>
Specific Headers Supported

x-amz-acl: ACL

🔴 NO

x-amz-grant-full-control: GrantFullControl

🔴 NO

x-amz-grant-read: GrantRead

🔴 NO

x-amz-grant-read-acp: GrantReadACP

🔴 NO

x-amz-grant-write: GrantWrite

🔴 NO

x-amz-grant-write-acp: GrantWriteACP

🔴 NO

x-amz-bucket-object-lock-enabled: ObjectLockEnabledForBucket

🔴 NO

x-amz-object-ownership: ObjectOwnership

🔴 NO
Body 
<?xml version="1.0" encoding="UTF-8"?>
<CreateBucketConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">       🔴 - NOT supported
    <LocationConstraint>string</LocationConstraint>
</CreateBucketConfiguration>

Success Response

Status Code
200 OK
Specific Headers Supported

Location: Location

🔴 NO
Body
<empty>

Errors

Error Code Description HTTP Status Code

BucketAlreadyOwnedByYou

Returned in case there is a bucket with <bucket_name> found in place when trying to create a new folder or new folder creation succeeds but the node is then replaced by a different one.

409 Conflict

InvalidBucketName

Returned in case <bucket_name> does not satisfy restrictions.

400 Bad Request
InternalError Returned due to internal technical reasons. 500 Internal Server Error

BucketAlreadyExists and S3 Discrepancies

The S3 standard behavior is to only return AlreadyOwnedByYou if the bucket exists but had already been created in a region different from the requested one with the request succeeding otherwise. S4 does not support this behavior as it is considered to be confusing. Moreover, S4 does not have globally shared bucket namespaces like S3 does. In S4, the owner of a bucket corresponds to the owner of an account. Thus, an error indicating a duplicate bucket is always a BucketAlreadyOwnedByYou error. S4 never returns BucketAlreadyExists.

DeleteBucket

Deletes the bucket <bucket_name> if it is a valid bucket name and it is not empty.

Request

Method
DELETE
URL (alternatives) Note

/

Host header must start with <bucket_name>, e.g. test-bucket.s3.eu-central-1.s4.mega.io

/<bucket_name>
URL Params Supported
<none>
Specific Headers Supported

x-amz-expected-bucket-owner: BucketOwner

🔴 NO
Body Supported
<empty>

Success Response

Status Code
204 No Content
Specific Headers
<none>
Body
<empty>

Errors

Error Code Description HTTP Status Code

InvalidBucketName

Returned in case <bucket_name> does not satisfy restrictions.

400 Bad Request
InternalError

Returned due to internal technical reason.

500 Internal Server Error

BucketNotEmpty

Returned if called on a non-empty bucket.

409 Conflict

HeadBucket

Determines if the bucket <bucket_name> exists and you have access to it.

Request

Method
HEAD
URL (alternatives) Note

/

Host header must start with <bucket_name>, e.g. test-bucket.s3.eu-central-1.s4.mega.io

/<bucket_name>
URL Params Supported
<none>
Specific Headers Supported

x-amz-expected-bucket-owner: BucketOwner

🔴 NO
Body Supported
<empty>

Success Response

Status Code
200 OK
Specific Headers
<none>
Body
<empty>

Errors

Error Code Description HTTP Status Code

InvalidBucketName

Returned in case <bucket_name> does not satisfy restrictions.

400 Bad Request

2.2.2. Objects

ListObjects

List objects in <bucket_name> .

Request

Method
GET
URL (alternatives) Note

/

Host header must start with <bucket_name>, e.g. test-bucket.s3.eu-central-1.s4.mega.io

/<bucket_name>
URL Params Supported
delimiter 🟢 YES
encoding-type 🔴 NO
marker 🟢 YES
max-keys 🟢 YES
prefix 🟢 YES
Specific Headers Supported

x-amz-request-payer: RequestPayer

🔴 NO

x-amz-expected-bucket-owner: ExpectedBucketOwner

🔴 NO
Body Supported
<empty>

Success Response

Status Code
200 OK
Specific Headers Supported

Location: Location

🔴 NO
Body 
<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult>
   <IsTruncated>boolean</IsTruncated>
   <Marker>string</Marker>
   <NextMarker>string</NextMarker>
   <Contents>
      <ChecksumAlgorithm>string</ChecksumAlgorithm>     🔴 - NOT supported
      ...
      <ETag>string</ETag>
      <Key>string</Key>
      <LastModified>timestamp</LastModified>
      <Owner>
         <DisplayName>string</DisplayName>
         <ID>string</ID>
      </Owner>
      <Size>integer</Size>
      <StorageClass>string</StorageClass>   🟠 – Always set to "STANDARD"
   </Contents>
   ...
   <Name>string</Name>
   <Prefix>string</Prefix>
   <Delimiter>string</Delimiter>
   <MaxKeys>integer</MaxKeys>
   <CommonPrefixes>
      <Prefix>string</Prefix>
   </CommonPrefixes>
   ...
   <EncodingType>string</EncodingType>      🔴 - NOT supported
</ListBucketResult>

Errors

Error Code Description HTTP Status Code

InvalidArgument

Returned in case <max-keys> argument has a wrong format.

 400 Bad Request

InternalError

Returned due to technical reasons.

500 Internal Server Error

ListObjectsV2

List objects in <bucket_name> .

Request

Method
GET
URL (alternatives) Note

/?list-type=2

Host header must start with <bucket_name>, e.g. test-bucket.s3.eu-central-1.s4.mega.io

/<bucket_name>/?list-type=2
URL Params Supported
continuation-token 🟢 YES
delimiter 🟢 YES
encoding-type 🔴 NO
fetch-owner 🟢 YES
max-keys 🟢 YES
prefix 🟢 YES
start-after 🟢 YES
Specific Headers Supported

x-amz-request-payer: RequestPayer

🔴 NO

x-amz-expected-bucket-owner: ExpectedBucketOwner

🔴 NO
Body Supported
<empty>

Success Response

Status Code
200 OK
Specific Headers
<none>
Body 
<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult>
   <IsTruncated>boolean</IsTruncated>
   <ContinuationToken>string</ContinuationToken>
   <NextContinuationToken>string</NextContinuationToken>
   <Contents>
      <ChecksumAlgorithm>string</ChecksumAlgorithm>     🔴 - NOT supported
      ...
      <ETag>string</ETag>
      <Key>string</Key>
      <LastModified>timestamp</LastModified>
      <Owner>           🟠 – Returned only if fetch-owner=true in URL
         <DisplayName>string</DisplayName>
         <ID>string</ID>
      </Owner>
      <Size>integer</Size>
      <StorageClass>string</StorageClass>       🟠 – Always set to "STANDARD"
   </Contents>
   ...
   <Name>string</Name>
   <Prefix>string</Prefix>
   <Delimiter>string</Delimiter>
   <MaxKeys>integer</MaxKeys>
   <CommonPrefixes>
      <Prefix>string</Prefix>
   </CommonPrefixes>
   ...
   <EncodingType>string</EncodingType>      🔴 - NOT supported

   <KeyCount>integer</KeyCount>
</ListBucketResult>

Errors

Error Code Description HTTP Status Code

InvalidArgument

Returned in case:

  1. <max-keys> argument has a wrong format.
  2. <continuation-token> cannot be decoded or points out of bounds

400 Bad Request

InternalError

Returned due to technical reasons.

500 Internal Server Error

PutObject

Creates a new object with the provided contents

Request

Method
PUT
URL (alternatives) Note

/<Key>

Host header must start with <bucket_name>, e.g. test-bucket.s3.eu-central-1.s4.mega.io

/<bucket_name>/<Key>
URL Params Supported
<none>
Specific Headers Supported

Cache-Control

🔴 NO

Content-Disposition

🔴 NO

Content-Encoding

🔴 NO

Content-Language

🔴 NO

Content-MD5

🟢 YES

Content-Type

🔴 NO

Expires

🔴 NO

x-amz-acl: ACL

🔴 NO

x-amz-checksum-crc32

🔴 NO

x-amz-checksum-crc32c

🔴 NO

x-amz-checksum-sha1

🔴 NO

x-amz-checksum-sha256

🔴 NO

x-amz-expected-bucket-owner

🔴 NO

x-amz-grant-full-control: GrantFullControl

🔴 NO

x-amz-grant-read: GrantRead

🔴 NO

x-amz-grant-read-acp: GrantReadACP

🔴 NO

x-amz-grant-write: GrantWrite

🔴 NO

x-amz-grant-write-acp: GrantWriteACP

🔴 NO

x-amz-object-lock-legal-hold

🔴 NO

x-amz-object-lock-mode

🔴 NO

x-amz-object-lock-retain-until-date

🔴 NO

x-amz-request-payer

🔴 NO

x-amz-sdk-checksum-algorithm

🔴 NO

x-amz-server-side-encryption

🔴 NO

x-amz-server-side-encryption-aws-kms-key-id

🔴 NO

x-amz-server-side-encryption-bucket-key-enabled

🔴 NO

x-amz-server-side-encryption-context

🔴 NO

x-amz-server-side-encryption-customer-algorithm

🔴 NO

x-amz-server-side-encryption-customer-key

🔴 NO

x-amz-server-side-encryption-customer-key-MD5

🔴 NO

x-amz-storage-class

🔴 NO (Assuming STANDARD)

x-amz-tagging

🔴 NO

x-amz-website-redirect-location

🔴 NO
Body Supported

Object data.

May be Chunked Payload

Success Response

Status Code
200 OK
Specific Headers Supported

ETag

🟢 YES

x-amz-checksum-crc32

🔴 NO

x-amz-checksum-crc32c

🔴 NO

x-amz-checksum-sha1

🔴 NO

x-amz-checksum-sha256

🔴 NO

x-amz-expiration

🔴 NO

x-amz-request-charged

🔴 NO

x-amz-server-side-encryption

🔴 NO

x-amz-server-side-encryption-aws-kms-key-id

🔴 NO

x-amz-decoded-content-length

🔴 NO

x-amz-server-side-encryption-bucket-key-enabled

🔴 NO

x-amz-server-side-encryption-context

🔴 NO

x-amz-server-side-encryption-customer-algorithm

🔴 NO

x-amz-server-side-encryption-customer-key-MD5

🔴 NO

x-amz-version-id

🔴 NO
Body
<empty>

Errors

Error Code Description HTTP Status Code

InvalidArgument

Returned in cases where there are invalid/missing arguments in the request. Particularly:

  1. If using chunked payload, and x-amz-decoded-content-length is missing.
  2. If using chunked payload, and x-amz-decoded-content-length is not valid.

This may happen in case of chunked payload when the provided header does not have a valid value.

400 Bad Request

BadDigest

Returned if the Content-MD5 does not match the MD5 computed while uploading.

400 Bad Request

MethodNotAllowed

Returned in case the new object name does not validate constraints (see below)

405 Method Not Allowed

InvalidRequest

Key of an object containing payload is not allowed to end with '/' in S4.

400 Bad Request

InternalError

Returned in case the upload failed to complete

500 Internal Server Error

CopyObject

Request

Method
PUT
URL (alternatives) Note

/<Key>

Host header must start with <bucket_name>, e.g. test-bucket.s3.eu-central-1.s4.mega.io

/<bucket_name>/<Key>
URL Params Supported
<none>
Specific Headers Supported

Cache-Control

🔴 NO

Content-Disposition

🔴 NO

Content-Encoding

🔴 NO

Content-Language

🔴 NO

Expires

🔴 NO

x-amz-checksum-algorithm

🔴 NO

x-amz-acl: ACL

🔴 NO

x-amz-copy-source

🟢 YES

x-amz-copy-source

🔴 NO

x-amz-copy-source-if-match

🔴 NO

x-amz-copy-source-if-modified-since

🔴 NO

x-amz-copy-source-if-none-match

🔴 NO

x-amz-copy-source-if-unmodified-since

🔴 NO

x-amz-storage-class

🟢 YES (Only STANDARD is allowed)

x-amz-expected-bucket-owner

🔴 NO

x-amz-source-expected-bucket-owner

🔴 NO

x-amz-grant-full-control: GrantFullControl

🔴 NO

x-amz-grant-read: GrantRead

🔴 NO

x-amz-grant-read-acp: GrantReadACP

🔴 NO

x-amz-grant-write: GrantWrite

🔴 NO

x-amz-grant-write-acp: GrantWriteACP

🔴 NO

x-amz-metadata-directive

🔴 NO

x-amz-tagging-directive

🔴 NO

x-amz-server-side-encryption

🔴 NO

x-amz-server-side-encryption-aws-kms-key-id

🔴 NO

x-amz-server-side-encryption-bucket-key-enabled

🔴 NO

x-amz-server-side-encryption-context

🔴 NO

x-amz-server-side-encryption-customer-algorithm

🔴 NO

x-amz-server-side-encryption-customer-key

🔴 NO

x-amz-server-side-encryption-customer-key-MD5

🔴 NO

x-amz-copy-source-server-side-encryption-customer-algorithm

🔴 NO

x-amz-copy-source-server-side-encryption-customer-key

🔴 NO

x-amz-copy-source-server-side-encryption-customer-key-MD5

🔴 NO

x-amz-tagging

🔴 NO

x-amz-website-redirect-location

🔴 NO

x-amz-object-lock-legal-hold

🔴 NO

x-amz-object-lock-mode

🔴 NO

x-amz-object-lock-retain-until-date

🔴 NO

x-amz-request-payer

🔴 NO
Body Supported
<empty>

Success Response

Status Code
200 OK
Specific Headers Supported

x-amz-expiration

🔴 NO

x-amz-copy-source-version-id

🔴 NO

x-amz-version-id

🔴 NO

x-amz-server-side-encryption

🔴 NO

x-amz-server-side-encryption-aws-kms-key-id

🔴 NO

x-amz-server-side-encryption-bucket-key-enabled

🔴 NO

x-amz-server-side-encryption-context

🔴 NO

x-amz-server-side-encryption-customer-algorithm

🔴 NO

x-amz-server-side-encryption-customer-key

🔴 NO

x-amz-request-charged

🔴 NO
Body
<empty>

Errors

Error Code Description HTTP Status Code
InvalidArgument Returned if x-amz-copy-source-path is empty or does not denote both bucket and resource. 400 Bad Request
NoSuchBucket Returned if the source bucket does not exist. 404 Not Found
NoSuchKey Returned if the source key does not exist. 404 Not Found
InvalidStorageClass Returned if a storage class other than STANDARD is used in the request. 400 Bad Request
AccessDenied In addition to usual policy validation errors, this is returned if policy validation fails on the copy source. 403 Forbidden
Internal Error Returned in the event of internal API error. 500 Internal Server Error

GetObject

Request

Method
GET
URL (alternatives) Note

/<Key>

Host header must start with <bucket_name>, e.g. test-bucket.s3.eu-central-1.s4.mega.io

/<bucket_name>/<Key>
URL Params Supported

response-cache-control

🟢 YES

response-content-disposition

🔴 NO

response-content-encoding

🟢 YES

response-content-language

🟢 YES

response-content-type

🟢 YES

response-expires

🔴 NO

versionId

🔴 NO
Specific Headers Supported

x-amz-request-payer: RequestPayer

🔴 NO

x-amz-expected-bucket-owner: ExpectedBucketOwner

🔴 NO

x-amz-checksum-mode: ChecksumMode

🔴 NO

x-amz-server-side-encryption-customer-algorithm: SSECustomerAlgorithm

🔴 NO

x-amz-server-side-encryption-customer-key: SSECustomerKey

🔴 NO

x-amz-server-side-encryption-customer-key-MD5: SSECustomerKeyMD5

🔴 NO

If-Match: IfMatch

🟢 YES

If-Modified-Since: IfModifiedSince

🟢 YES

If-None-Match: IfNoneMatch

🟢 YES

Range: Range

🟢 YES
Body Supported
<empty>

Success Response

Status Code
206 Partial Content
Specific Headers Supported

Cache-Control

🟠 Partial, only if set by URI parameter

Content-Disposition

🔴 NO

Content-Encoding

🟠 Partial, only if set by URI parameter

Content-Language

🟠 Partial, only if set by URI parameter

Content-Range

🟢 YES

Content-Type

🟠 Partial, only if set by URI parameter

ETag

🟢 YES

Expires

🔴 NO

Last-Modified

🟢 YES
Body
<empty>

Errors

Error Code Description HTTP Status Code
NoSuchKey Returned if the key does not name an object in the bucket or the key is not a file. 404 Not Found
InvalidRange Returned if the request has a range header which is not satisfiable for the entity being downloaded. This means a byte range spec (e.g., bytes=50-100) where the starting byte offset is greater than the entity size, or a suffix byte range spec (e.g., bytes=-0) where the suffix byte is zero. 416 Requested Range Not Satisfiable

HeadObject

Request

Method
HEAD
URL (alternatives) Note

/<Key>

Host header must start with <bucket_name>, e.g. test-bucket.s3.eu-central-1.s4.mega.io

/<bucket_name>/<Key>
URL Params Supported
partNumber 🔴 NO
versionId 🔴 NO
Specific Headers Supported

x-amz-request-payer: RequestPayer

🔴 NO

x-amz-expected-bucket-owner: ExpectedBucketOwner

🔴 NO

x-amz-checksum-mode: ChecksumMode

🔴 NO

x-amz-server-side-encryption-customer-algorithm: SSECustomerAlgorithm

🔴 NO

x-amz-server-side-encryption-customer-key: SSECustomerKey

🔴 NO

x-amz-server-side-encryption-customer-key-MD5: SSECustomerKeyMD5

🔴 NO

If-Match: IfMatch

🟢 YES

If-Modified-Since: IfModifiedSince

🟢 YES

If-None-Match: IfNoneMatch

🟢 YES

Range: Range

🟢 YES
Body Supported
<empty>

Success Response

Status Code
200 OK
Specific Headers Supported

Cache-Control

🔴 NO

Content-Disposition

🔴 NO

Content-Encoding

🔴 NO

Content-Language

🔴 NO

Content-Length

🟢 YES

Content-Type

🟢 YES

ETag

🟢 YES

Expires

🔴 NO

Last-Modified

🟢 YES

x-amz-storage-class

🟢 YES
Body
<empty>

Errors

Error Code Description HTTP Status Code
NoSuchKey Returned if the key does not name an object in the bucket or the key is not a file. 404 Not Found
InvalidRange Returned if the request has a range header which is not satisfiable for the entity being downloaded. This means a byte range spec (e.g., bytes=50-100) where the starting byte offset is greater than the entity size, or a suffix byte range spec (e.g., bytes=-0) where the suffix byte is zero. 416 Requested Range Not Satisfiable

DeleteObject

Request

Method
DELETE
URL (alternatives) Note

/<Key>

Host header must start with <bucket_name>, e.g. test-bucket.s3.eu-central-1.s4.mega.io

/<bucket_name>/<Key>
URL Params Supported

versionId

🔴 NO
Specific Headers Supported

x-amz-request-payer: RequestPayer

🔴 NO

x-amz-expected-bucket-owner: ExpectedBucketOwner

🔴 NO

x-amz-bypass-governance-retention: boolean

🔴 NO

x-amz-mfa: string

🔴 NO
Body Supported
<empty>

Success Response

Status Code
204 NoContent
Specific Headers Supported

x-amz-delete-marker

🔴 NO

x-amz-request-charged

🔴 NO

x-amz-version-id

🔴 NO
Body
<empty>

Errors

Note that if the object with the given key does not exist, DeleteObject still returns 204 NoContent.

Error Code Description HTTP Status Code
NoSuchBucket Returned if the bucket which the object is attempted to be deleted from does not exist. 404 Not Found

CreateMultipartUpload

Request

Method
POST
URL (alternatives) Note

/<Key>

Host header must start with <bucket_name>, e.g. test-bucket.s3.eu-central-1.s4.mega.io

/<bucket_name>/<Key>
URL Params Supported

uploads

🟢 YES
Specific Headers Supported

x-amz-acl

🔴 NO

Cache-Control

🔴 NO

Content-Disposition

🔴 NO

Content-Encoding

🔴 NO

Content-Language

🔴 NO

Content-Type

🔴 NO

Expires

🔴 NO

x-amz-grant-full-control

🔴 NO

x-amz-grant-read

🔴 NO

x-amz-grant-read-acp

🔴 NO

x-amz-grant-write-acp

🔴 NO

x-amz-server-side-encryption

🔴 NO

x-amz-website-redirect-location

🔴 NO

x-amz-storage-class

🔴 NO (Assuming STANDARD)

x-amz-server-side-encryption-customer-algorithm

🔴 NO

x-amz-server-side-encryption-customer-key

🔴 NO

x-amz-server-side-encryption-customer-key-MD5

🔴 NO

x-amz-server-side-encryption-aws-kms-key-id

🔴 NO

x-amz-server-side-encryption-context

🔴 NO

x-amz-server-side-encryption-bucket-key-enabled

🔴 NO

x-amz-request-payer

🔴 NO

x-amz-tagging

🔴 NO

x-amz-object-lock-mode

🔴 NO

x-amz-object-lock-retain-until-date

🔴 NO

x-amz-object-lock-legal-hold

🔴 NO

x-amz-expected-bucket-owner

🔴 NO

x-amz-checksum-algorithm

🔴 NO
Body Supported
<empty>

Success Response

Status Code
200 OK
Specific Headers Supported

x-amz-abort-date

🔴 NO

x-amz-abort-rule-id

🔴 NO

x-amz-server-side-encryption

🔴 NO

x-amz-server-side-encryption-customer-algorithm

🔴 NO

x-amz-server-side-encryption-customer-key-MD5

🔴 NO

x-amz-server-side-encryption-aws-kms-key-id

🔴 NO

x-amz-server-side-encryption-context

🔴 NO

x-amz-server-side-encryption-bucket-key-enabled

🔴 NO

x-amz-request-charged

🔴 NO

x-amz-checksum-algorithm

🔴 NO
Body 
<?xml version="1.0" encoding="UTF-8"?>
<InitiateMultipartUploadResult>
    <Bucket>string</Bucket>
    <Key>string</Key>
    <UploadId>string</UploadId>
</InitiateMultipartUploadResult>

Errors

Error Code Description HTTP Status Code
ServiceUnavailable Returned in case server is too crowded. 503 Service Unavailable
AccountProblem Returned if user has exceed quota. 403 Forbidden
InternalError Returned in case the request failed to complete. 500 Internal Server Error

UploadPart

Request

Method
PUT
URL (alternatives) Note

/<Key>

Host header must start with <bucket_name>, e.g. test-bucket.s3.eu-central-1.s4.mega.io

/<bucket_name>/<Key>
URL Params Supported

uploadId

🟢 YES

partNumber

🟢 YES
Specific Headers Supported

Content-Length

🟢 YES

Content-MD5

🟢 YES

x-amz-sdk-checksum-algorithm

🔴 NO

x-amz-checksum-crc32

🔴 NO

x-amz-checksum-crc32c

🔴 NO

x-amz-checksum-sha1

🔴 NO

x-amz-checksum-sha256

🔴 NO

x-amz-server-side-encryption-customer-algorithm

🔴 NO

x-amz-server-side-encryption-customer-key

🔴 NO

x-amz-server-side-encryption-customer-key-MD5

🔴 NO

x-amz-request-payer

🔴 NO

x-amz-expected-bucket-owner

🔴 NO
Body Supported
<empty>

Success Response

Status Code
200 OK
Specific Headers Supported

ETag

🟢 YES

x-amz-server-side-encryption

🔴 NO

x-amz-checksum-crc32

🔴 NO

x-amz-checksum-crc32c

🔴 NO

x-amz-checksum-sha1

🔴 NO

x-amz-checksum-sha256

🔴 NO

x-amz-server-side-encryption-customer-algorithm

🔴 NO

x-amz-server-side-encryption-customer-key-MD5

🔴 NO

x-amz-server-side-encryption-aws-kms-key-id

🔴 NO

x-amz-server-side-encryption-bucket-key-enabled

🔴 NO

x-amz-request-charged

🔴 NO
Body
<empty>

Errors

Error Code Description HTTP Status Code

BadDigest

Returned if the Content-MD5 does not match the MD5 computed while uploading.

400 Bad Request

InvalidDigest

Returned in case header Content-MD5 is not in a valid MD5 base64 format.

400 Bad Request

ServiceUnavailable

Returned in case server is too crowded.

503 Service Unavailable

InvalidPart

Note: although under the S3 standard, InvalidPart is not an expected error for UploadPart operation, S4 applies several checks according to its own part restrictions:

  1. The uploaded part have inconsistent size with the rest of uploaded parts. For an N-parts upload, S4 requires parts in the range 1 to N-1 to have the same size, the part N can have a different size but must not be larger than previous parts. This error will cause the entire upload to be aborted.
    Note: the S3 standard does not impose this requirement.
  2. The part is empty.
    Note: the S3 standard does not impose this requirement.
  3. This part has already been uploaded. S4 does not allow re-uploading parts.
    Note: the S3 standard does not impose this requirement.
 400 Bad Request

EntityTooSmall

Returned in case the size of this (or any previously uploaded) part is smaller than 5MB, unless this is the last part, in which case, the smaller than 5MB size is allowed. Please note that:

  1. This error is S4 deviaton from the S3 standard. Under the S3 standard, the UploadPart request is not expected to return the EntityTooSmall error but only upon the multipart upload completion.
  2. This error will cause the entire upload to be aborted.

400 Bad Request

NoSuchUpload

Returned if:

  • The requested upload ID does not exist or the object key does not belong to the upload with the given ID or
  • The upload has been aborted or completed

404 Not Found

InternalError

Returned in case the request failed to complete, e.g. storage timeout, etc.

500 Internal Server Error

CompleteMultipartUpload

Request

Method
POST
URL (alternatives) Note

/<Key>

Host header must start with <bucket_name>, e.g. test-bucket.s3.eu-central-1.s4.mega.io

/<bucket_name>/<Key>
URL Params Supported

uploadId

🟢 YES
Specific Headers Supported

x-amz-checksum-crc32

🔴 NO

x-amz-checksum-crc32c

🔴 NO

x-amz-checksum-sha1

🔴 NO

x-amz-checksum-sha256

🔴 NO

x-amz-request-payer

🔴 NO

x-amz-expected-bucket-owner

🔴 NO

x-amz-server-side-encryption-customer-algorithm

🔴 NO

x-amz-server-side-encryption-customer-key

🔴 NO

x-amz-server-side-encryption-customer-key-MD5

🔴 NO
Body 
<?xml version="1.0" encoding="UTF-8"?>
<CompleteMultipartUpload xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
   <Part>
      <PartNumber>integer</PartNumber>
      <ETag>string</ETag>
   </Part>
   ...
</CompleteMultipartUpload>

Success Response

Status Code
200 OK
Specific Headers Supported

x-amz-expiration

🔴 NO

x-amz-server-side-encryption

🔴 NO

x-amz-version-id

🔴 NO

x-amz-server-side-encryption-aws-kms-key-id

🔴 NO

x-amz-server-side-encryption-bucket-key-enabled

🔴 NO

x-amz-request-charged

🔴 NO
Body 
<CompleteMultipartUploadResult>
   <Location>string</Location>
   <Bucket>string</Bucket>
   <Key>string</Key>
   <ETag>string</ETag>
</CompleteMultipartUploadResult>

Errors

Error Code Description HTTP Status Code
MalformedXML Returned in case the request body is not a valid xml message, or does not specify a valid ETag or PartNumber. 400 Bad Request
InvalidRequest Returned in case the request body does not specify any valid part info. 400 Bad Request
InvalidPartOrder Returned if in the request body, the part list was not in ascending order. The part list must be ordered by part number. 400 Bad Request

NoSuchUpload

Returned if one of the following conditions is true:

  • The requested upload ID does not exist or the object key does not belong to the upload with the given ID
  • The upload has been aborted.
  • The upload has been completed. (It is a deviation from the S3 standard. S3 allows to complete a mulipart upload unlimited times as long as the part composition is unchanged.)
  • There is another completion request with the same upload Id running underway. (It is a deviation just like explained above)

404 Not Found

InvalidPart

Returned for one of the following reasons:

  1. The part list in the completion request does not include all the uploaded parts.
    Note: the S3 standard does not impose this requirement.
  2. One or more specified parts in the completion request haven't been uploaded.
  3. One or more specified parts in the completion request do not match ETag.

400 Bad Request

InternalError

Returned in case the request failed to complete, e.g. failed to retrieve the uploaded object, etc.

500 Internal Server Error

AbortMultipartUpload

Request

Method
DELETE
URL (alternatives) Note

/<Key>

Host header must start with <bucket_name>, e.g. test-bucket.s3.eu-central-1.s4.mega.io

/<bucket_name>/<Key>
URL Params Supported

uploadId

🟢 YES
Specific Headers Supported

x-amz-request-payer

🔴 NO

x-amz-expected-bucket-owner

🔴 NO
Body Supported
<empty>

Success Response

Status Code
204 No Content
Specific Headers Supported

x-amz-request-charged

🔴 NO
Body
<empty>

Errors

Error Code Description HTTP Status Code

NoSuchUpload

Returned for one of the following reasons:

  • The requested upload ID does not exist or the object key does not belong to the upload with the given ID
  • The upload has completed or has already been aborted (Note, the S3 standard always returns 204 in this case)

404 Not Found

2.2.3. Policies (on Buckets)

PutBucketPolicy

Request

Method
PUT
URL (alternatives) Note

/?policy

Host header must start with <bucket_name>, e.g. test-bucket.s3.eu-central-1.s4.mega.io

/<bucket_name>/?policy
URL Params Supported
<none>
Specific Headers Supported

Content-MD5: ContentMD5 (mandatory)

🟢 YES

x-amz-expected-bucket-owner: ExpectedBucketOwner (optional)

🔴 NO

x-amz-sdk-checksum-algorithm: ChecksumAlgorithm (optional)

🔴 NO

x-amz-confirm-remove-self-bucket-access: ConfirmRemoveSelfBucketAccess (optional)

🔴 NO
Body Supported
{ Policy in JSON format } 🟢 YES

Success Response

Status Code
200 OK
Specific Headers Supported
<none>
Body
<empty>

Errors

Error Code Description HTTP Status Code

MalformedPolicy

Returned in case the given policy contains invalid JSON or invalid principal.

400 Bad Request

InvalidDigest

Returned in case header Content-MD5 is missing.

400 Bad Request

BadDigest

Returned in case Content-MD5 header value does not match computed MD5.

400 Bad Request

InternalError

Returned due to technical reasons.

500 Internal Server Error

GetBucketPolicy

Request

Method
GET
URL (alternatives) Note

/?policy

Host header must start with <bucket_name>, e.g. test-bucket.s3.eu-central-1.s4.mega.io

/<bucket_name>/?policy
URL Params Supported
<none>
Specific Headers Supported

x-amz-expected-bucket-owner: ExpectedBucketOwner (optional)

🔴 NO
Body Supported
<empty>

Success Response

Status Code
200 OK
Specific Headers Supported
<none>
Body
{ Policy in JSON format }

Errors

Error Code Description HTTP Status Code

NoSuchBucketPolicy

Returned in case <bucket_name> does not have an inline policy document.

404 Not Found

MalformedPolicy

Mandatory JSON property is missing.

400 Bad Request

DeleteBucketPolicy

Request

Method
DELETE
URL (alternatives) Note

/?policy

Host header must start with <bucket_name>, e.g. test-bucket.s3.eu-central-1.s4.mega.io

/<bucket_name>/?policy
URL Params Supported
<none>
Specific Headers Supported

x-amz-expected-bucket-owner: ExpectedBucketOwner (optional)

🔴 NO
Body Supported
<empty>

Success Response

Status Code
204 No Content
Specific Headers Supported
<none>
Body
<empty>

Errors

Error Code Description HTTP Status Code

NoSuchBucketPolicy

Returned in case <bucket_name> does not have an inline policy document.

404 Not Found

InternalError

Returned due to technical reasons.

500 Internal Server Error

2.3. Presigned URL

Authentication

Instead of using Authorization Header in service request, presigned url put authentication data in Query Parameters.

Signature Version

Only version 4 is supported by S4. While the S3 standard supports both V1 and V4.

Specific Errors

Error Code (see: 1.3.2) Description HTTP Status Code
- AuthorizationQueryParametersError 1) Unsupported signature algorithm
2) Invalid expiration (e.g. negative, non-integer, or exceed max limit (a default limit is 7 days))		 400 Bad Request
- AccessDenied The request has expired 403 Forbidden
- SignatureDoesNotMatch 403 Forbidden

2.4. Presigned Post

Presigned Post can only be used for uploading files.

Currently, it is NOT supported by S4.

3. IAM Api

3.1. Conventions

IAM services have the end-point iam.<region>.s4.mega.io, and all of them have a common URL resource: /. IAM services have an Action parameter that contains the name of the service. Both the Action parameter as well as the rest of the service arguments can be received in two different ways:

Parameters in Query String

Method
GET
URL
/
URL Params

Action: ActionName

...
Body
<empty>
Example

GET /?Action=ListPolicies&Version=2010-05-08&AUTHPARAMS HTTP/1.1
Host: iam.eu-central-1.s4.mega.io

Parameters in Body

Method
POST
URL
/
URL Params

Action: ActionName

...
Body

URL encoded query string
Example

GET / HTTP/1.1
Host: iam.eu-central-1.s4.mega.io

Action=ListPolicies&Version=2010-05-08&AUTHPARAMS

3.2 S4 Managed Policies

S4 provides the following managed policies:

Name Document

AdministratorAccess

 
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*"
  }
}

S3ListAccess

 
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:List*",
    "Resource": "*"
  }
}

S3ReadAccess

 
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "s3:List*",
      "s3:Get*"
    ],
    "Resource": "*"
  }
}

S3WriteAccess

 
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "s3:Put*",
      "s3:Create*"
    ],
    "Resource": "*"
  }
}

S3DeleteAccess

 
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:Delete*",
    "Resource": "*"
  }
}

S3FullAccess

 
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:*",
    "Resource": "*"
  }
}

S3BucketListAccess

 
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:ListAllMyBuckets",
    "Resource": "*"
  }
}

S3BucketReadAccess

 
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "s3:ListAllMyBuckets",
      "s3:GetBucket*"
    ],
    "Resource": "*"
  }
}

S3BucketWriteAccess

 
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "s3:CreateBucket",
      "s3:PutBucket*"
    ],
    "Resource": "*"
  }
}

S3BucketDeleteAccess

 
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:DeleteBucket*",
    "Resource": "*"
  }
}

S3BucketFullAccess

 
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "s3:ListAllMyBuckets",
      "s3:GetBucket*",
      "s3:CreateBucket",
      "s3:PutBucket*",
      "s3:DeleteBucket*"
    ],
    "Resource": "*"
  }
}

S3ObjectListAccess

 
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:ListBucket*",
    "Resource": "*"
  }
}

S3ObjectReadAccess

 
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "s3:GetObject*",
      "s3:ListMultipartUploadParts",
      "s3:ListBucket*"
    ],
    "Resource": "*"
  }
}

S3ObjectWriteAccess

 
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:PutObject*",
    "Resource": "*"
  }
}

S3ObjectDeleteAccess

 
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "s3:DeleteObject*",
      "s3:AbortMultipartUpload"
    ],
    "Resource": "*"
  }
}

S3ObjectFullAccess

 
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "s3:ListBucket*",
      "s3:GetObject*",
      "s3:ListMultipartUploadParts",
      "s3:PutObject*",
      "s3:DeleteObject*",
      "s3:AbortMultipartUpload"
    ],
    "Resource": "*"
  }
}

IAMListAccess

 
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "iam:List*",
    "Resource": "*"
  }
}

IAMReadAccess

 
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "iam:Get*",
      "iam:List*"
    ],
    "Resource": "*"
  }
}

IAMAttachDetachAccess

 
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "iam:Attach*",
      "iam:Detach*"
    ],
    "Resource": "*"
  }
}

IAMFullAccess

 
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "iam:*",
    "Resource": "*"
  }
}

3.3. Services

3.3.1. Policies

GetPolicy

ActionName: GetPolicy

Request

Params Supported
PolicyArn (mandatory) 🟢 YES

Success Response

Status Code
200 OK
Specific Headers Supported
<none>
Body 
<?xml version="1.0" encoding="UTF-8"?>

<GetPolicyResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
  <GetPolicyResult>
    <Policy>
      <Arn>arn:aws:iam::aws:policy/AdministratorAccess</Arn>
      <AttachmentCount>0</AttachmentCount>
      <CreateDate>2022-07-29T20:05:50.000Z</CreateDate>
      <UpdateDate>2022-07-29T20:05:50.000Z</UpdateDate>
      <PolicyId>ADMINISTRATORACCESS</PolicyId>
      <PolicyName>AdministratorAccess</PolicyName>
      <DefaultVersionId>v1</DefaultVersionId>
      <Path>/</Path>
      <IsAttachable>true</IsAttachable>
      <Description></Description>
    </Policy>
  </GetPolicyResult>
  <ResponseMetadata>
    <RequestId>0000000000000003</RequestId>
  </ResponseMetadata>
</GetPolicyResponse>

Errors

Error Code Description HTTP Status Code
ValidationError Returned in case of either the parameter PolicyArn missing from the request or its length being less than 20 or greater than 2048 characters. 400 Bad Request
InvalidInput Returned in case the ARN value is not valid. 400 Bad Request
NoSuchEntity Returned in case the policy referenced by the given ARN is not found. 404 Not Found

GetPolicyVersion

ActionName: GetPolicyVersion

Request

Params Supported
PolicyArn (mandatory) 🟢 YES
VersionId (mandatory) 🟢 YES

Success Response

Status Code
200 OK
Specific Headers Supported
<none>
Body 
<?xml version="1.0" encoding="UTF-8"?>
<GetPolicyVersionResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">

  <GetPolicyVersionResult>
    <PolicyVersion>
      <Document>
        %7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%7B%22Effect%22%3A%22Allow%22%2C%22Action%22%3A%22%2A%22%2C%22Resource%22%3A%22%2A%22%7D%7D
      </Document>
      <IsDefaultVersion>true</IsDefaultVersion>
      <VersionId>v1</VersionId>
      <CreateDate>2022-07-29T20:05:50.000Z</CreateDate>
    </PolicyVersion>
  </GetPolicyVersionResult>
  <ResponseMetadata>
    <RequestId>0000000000000017</RequestId>
  </ResponseMetadata>
</GetPolicyVersionResponse>

Errors

Error Code Description HTTP Status Code

ValidationError

Returned in case:

  1. The parameter PolicyArn is missing from the request or its length is less than 20 or greater than 2048 characters.
  2. The parameter VersionId is missing or does not match the following regex: v[1-9][0-9]{0,9}(\\.[A-Za-z0-9-]{1,64})?

400 Bad Request
InvalidInput Returned in case the ARN value is not valid. 400 Bad Request
NoSuchEntity Returned if the policy version identified by the given ARN and versionId is not found. 404 Not Found

ListPolicies

ActionName: ListPolicies

Request

Params Supported
Marker (optional) 🟢 YES
MaxItems (optional) 🟢 YES
OnlyAttached (optional) 🔴 NO
PathPrefix (optional) 🔴 NO
PolicyUsageFilter (optional) 🔴 NO
Scope (optional) 🔴 NO

Success Response

Status Code
200 OK
Specific Headers Supported
<none>
Body 
<?xml version="1.0" encoding="UTF-8"?>
<ListPoliciesResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
  <ListPoliciesResult>
    <IsTruncated>false</IsTruncated>
    <Policies>
      <member>
        <Arn>arn:aws:iam::aws:policy/FullAccess</Arn>
        <AttachmentCount>0</AttachmentCount>
        <CreateDate>2017-05-15T02:57:50.000Z</CreateDate>
        <UpdateDate>2017-05-15T02:57:50.000Z</UpdateDate>
        <PolicyId>FULLACCESS</PolicyId>
        <PolicyName>FullAccess</PolicyName>
        <DefaultVersionId>v1</DefaultVersionId>
        <Path>/</Path>
        <IsAttachable>true</IsAttachable>
      </member>
       ...
    </Policies>
  </ListPoliciesResult>
  <ResponseMetadata>
    <RequestId>0000000000000001</RequestId>
  </ResponseMetadata>
</ListPoliciesResponse>

Errors

Error Code Description HTTP Status Code
MalformedInput Returned in case Marker or MaxItems is specified but it is not an integer value or out of the integer value range. 400 Bad Request

ValidationError

Returned in case:

  1. Marker is specified but is less than zero or greater than the number of available managed policies.
  2. MaxItems is specified but it is less than 1 or greater than the max number for MaxItems specified in the configuration.

400 Bad Request

ListAttachedUserPolicies | ListAttachedGroupPolicies

ActionName: ListAttachedUserPolicies or ListAttachedGroupPolicies

Request

Params Supported
UserName | GroupName (mandatory) 🟢 YES
Marker (optional) 🟢 YES
MaxItems (optional) 🟢 YES
PathPrefix (optional) 🔴 NO

Success Response

Status Code
200 OK
Specific Headers Supported
<none>
Body 
<ListAttachedUserPoliciesResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/"> -- or ListAttachedGroupPoliciesResponse
  <ListAttachedGroupPoliciesResult> -- or ListAttachedGroupPoliciesResponse
    <AttachedPolicies>
      <member>
        <PolicyName>FullAccess</PolicyName>
        <PolicyArn>arn:aws:iam::aws:policy/FullAccess</PolicyArn>
      </member>
    </AttachedPolicies>
    <IsTruncated>false</IsTruncated>
  </ListAttachedGroupPoliciesResult>
  <ResponseMetadata>
    <RequestId>0000000000000001</RequestId>
  </ResponseMetadata>
</ListAttachedGroupPoliciesResponse>

Errors

Error Code Description HTTP Status Code
MalformedInput Returned in case Marker or MaxItems is specified but it is not an integer value or out of the integer value range. 400 Bad Request

ValidationError

Returned in case:

  1. Marker is specified but is less than zero or greater than the number of available managed policies.
  2. MaxItems is specified but it is less than 1 or greater than the max number for MaxItems specified in the configuration.

400 Bad Request

NoSuchEntity

Returned if <UserName>/<GroupName> does not exist in the current account.

400 Bad Request

AccountProblem

Returned due to technical reasons related to the internal representation of the account information.

403 Forbidden

AttachUserPolicy | AttachGroupPolicy

ActionName: AttachUserPolicy or AttachGroupPolicy

Request

Params Supported
UserName | GroupName (mandatory) 🟢 YES
PolicyArn (mandatory) 🟢 YES

Success Response

Status Code
200 OK
Specific Headers Supported
<none>
Body 
<AttachUserPolicyResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/"> – or AttachGroupPolicyResponse
  <ResponseMetadata>
    <RequestId>0000000000000001</RequestId>
  </ResponseMetadata>
</AttachUserPolicyResponse>

Errors

Error Code Description HTTP Status Code
InvalidArgument

Returned in case <PolicyArn> does not exist.

400 Bad Request

InternalError

Returned due to technical reasons.

500 Internal Server Error

DetachUserPolicy | DetachGroupPolicy

ActionName: DetachUserPolicy or DetachGroupPolicy

Request

Params Supported
UserName | GroupName (mandatory) 🟢 YES
PolicyArn (mandatory) 🟢 YES

Success Response

Status Code
200 OK
Specific Headers Supported
<none>
Body 
<DetachUserPolicyResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/"> – or DetachGroupPolicyResponse
  <ResponseMetadata>
    <RequestId>0000000000000001</RequestId>
  </ResponseMetadata>
</detachUserPolicyResponse>

Errors

Error Code Description HTTP Status Code

InvalidArgument

Returned in case <PolicyArn> does not exist.

400 Bad Request

InternalError

Returned due to technical reasons.

500 Internal Server Error