Page URL
https://docs.netapp.com/us-en/ontap/s3-config/generate-access-keys-api.html
Page title
Enable LDAP or domain users to generate their own ONTAP S3 access keys
Summary
If you follow the documentation, you will not have a working environment.
When you authenticate to run the REST API you must use the format domain\user.
If you then, in the data of your call, specify the user as user@fqdn, ONTAP will complain that the logged-in user does not match the user you want to create the key for.
From my lab:
```
% curl -ku 'ad.xxxxxx.local\s3admin:XXXXXXX' --request POST \
  --location "https://10.XXX.17.56/api/protocols/s3/services/cbd452c5-219d-11f0-843a-00a098f0cd03/users" \
  --include \
  --header "Accept: /" \
  --data '{"name":"s3admin@ad.xxxxxx.local"}'
HTTP/1.1 403 Forbidden
Date: Thu, 29 Jan 2026 22:00:30 GMT
Server: libzapid-httpd
X-Content-Type-Options: nosniff
Cache-Control: no-cache,no-store,must-revalidate
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors: 'self'
Content-Length: 157
Content-Type: application/hal+json
Vary: Origin

{
  "error": {
    "message": "The user does not have permission to access the requested resource "s3admin@ad.xxxxxx.local".",
    "code": "92406096"
  }
}
```
If there is a way to make this work, it would be good if it was covered in the examples in the docs.
Thanks,
Erik
Public issues must not contain sensitive information