The standard first step is: try to use the AWS command line tools with the same credentials, through a command such as:

hdfs fs -ls s3a://my-bucket/

Note the trailing "/" here; without that the shell thinks you are trying to list your home directory under the bucket, which will only exist if explicitly created.

Attempting to list a bucket using inline credentials is a means of verifying that the key and secret can access a bucket:

hdfs fs -ls s3a://key:secret@my-bucket/

Do escape any + or / symbols in the secret, as discussed below, and never share the URL, logs generated using it, or use such an inline authentication mechanism in production.

Finally, if you set the environment variables, you can take advantage of S3A's support of environment-variable authentication by attempting the same ls operation; that is, unset the fs.s3a secrets and rely on the environment variables.

Make sure that the name of the bucket is the correct one. That is, check the URL.

Make sure the property names are correct. For S3A, they are fs.s3a.access.key and fs.s3a.secret.key. You cannot just copy the S3N properties and replace s3n with s3a.

Make sure that the properties are visible to the process attempting to talk to the object store. Placing them in core-site.xml is the standard mechanism.

If using session authentication, the session may have expired. Generate a new session token and secret.

If using environment variable-based authentication, make sure that the relevant variables are set in the environment in which the process is running.