method: http.MethodPost,
			path:   kmsKeyCreatePath,
			query:  map[string]string{"key-id": "new-test-key"},
			asRoot: false,

			wantStatusCode: http.StatusForbidden,
			wantResp:       []string{"AccessDenied"},
		},
		{
			name:   "create key as user with no resources specified want success",
			method: http.MethodPost,
			path:   kmsKeyCreatePath,
			query:  map[string]string{"key-id": "new-test-key"},

	atomic.AddInt64(&rt.SinceUptime.Count, 1)
	rt.LastMinute.addsize(size)
	rt.LastHour.addsize(size)
	if err != nil && minio.ToErrorResponse(err).Code == "AccessDenied" {
		if rt.ErrCounts == nil {
			rt.ErrCounts = make(map[string]int)
		}
		rt.ErrCounts["AccessDenied"]++
	}
}

func (rt *RTimedMetrics) merge(o RTimedMetrics) (n RTimedMetrics) {

	return apiErr
}

// error code to STSError structure, these fields carry respective
// descriptions for all the error responses.
var stsErrCodes = stsErrorCodeMap{
	ErrSTSAccessDenied: {
		Code:           "AccessDenied",
		Description:    "Generating temporary credentials not allowed for this request.",
		HTTPStatusCode: http.StatusForbidden,
	},
	ErrSTSMissingParameter: {
		Code:           "MissingParameter",

		HTTPStatusCode: http.StatusBadRequest,
	},
	ErrExpiredPresignRequest: {
		Code:           "AccessDenied",
		Description:    "Request has expired",
		HTTPStatusCode: http.StatusForbidden,
	},
	ErrRequestNotReadyYet: {
		Code:           "AccessDenied",
		Description:    "Request is not valid yet",
		HTTPStatusCode: http.StatusForbidden,
	},
	ErrSlowDownRead: {

	if err != nil {
		switch minio.ToErrorResponse(err).Code {
		case "NoSuchBucket":
			return BucketRemoteTargetNotFound{Bucket: tgt.TargetBucket, Err: err}
		case "AccessDenied":
			return RemoteTargetConnectionErr{Bucket: tgt.TargetBucket, AccessKey: tgt.Credentials.AccessKey, Err: err}
		}
		return RemoteTargetConnectionErr{Bucket: tgt.TargetBucket, AccessKey: tgt.Credentials.AccessKey, Err: err}

	apiRouter.ServeHTTP(rec, anonReq)

	// expected error response when the unsigned HTTP request is not permitted.
	accessDenied := getAPIError(ErrAccessDenied).HTTPStatusCode
	if rec.Code != accessDenied {
		t.Fatal(failTestStr(anonTestStr, fmt.Sprintf("Object API Nil Test expected to fail with %d, but failed with %d", accessDenied, rec.Code)))
	}

	// HEAD HTTP request doesn't contain response body.
	if anonReq.Method != http.MethodHead {

	_, err := client.PutObject(ctx, bucket, "some-object", bytes.NewBuffer([]byte("stuff")), 5, minio.PutObjectOptions{})
	if e, ok := err.(minio.ErrorResponse); ok {
		if e.Code == "AccessDenied" {
			return
		}
	}
	c.Fatalf("upload did not get an AccessDenied error - got %#v instead", err)
}

func (c *check) assertSvcAccS3Access(ctx context.Context, s *TestSuiteIAM, cr madmin.Credentials, bucket string) {

	response, err = s.client.Get(getGetObjectURL(s.endPoint, bucketName, objectName+".1"))
	c.Assert(err, nil)
	// assert the http response status code.
	verifyError(c, response, "AccessDenied", "Access Denied.", http.StatusForbidden)

	// initiate anonymous HTTP request to fetch the object which does exist. We need to return AccessDenied.

		return
	}

	getObjectInfo := objectAPI.GetObjectInfo

	// Check for auth type to return S3 compatible error.
	// type to return the correct error (NoSuchKey vs AccessDenied)
	if s3Error := checkRequestAuthType(ctx, r, policy.GetObjectAction, bucket, object); s3Error != ErrNone {
		if getRequestAuthType(r) == authTypeAnonymous {
			// As per "Permission" section in

					Value:          float64(stat.ReplicatedCount),
					VariableLabels: map[string]string{"endpoint": stat.Endpoint},
				})

				if c, ok := stat.Failed.ErrCounts["AccessDenied"]; ok {
					ml = append(ml, MetricV2{
						Description:    getClusterRepCredentialErrorsMD(clusterMetricNamespace),
						Value:          float64(c),