diff --git a/packages/ui/certd-server/src/plugins/plugin-lib/aliyun/access/aliyun-access.test.ts b/packages/ui/certd-server/src/plugins/plugin-lib/aliyun/access/aliyun-access.test.ts
new file mode 100644
index 000000000..f8713bc16
--- /dev/null
+++ b/packages/ui/certd-server/src/plugins/plugin-lib/aliyun/access/aliyun-access.test.ts
@@ -0,0 +1,41 @@
+/// <reference types="mocha" />
+
+import assert from "node:assert/strict";
+
+import { AliyunAccess } from "./aliyun-access.js";
+
+function createAccess(result: Record<string, unknown>) {
+  const access = new AliyunAccess();
+  access.ctx = {
+    logger: {
+      log() {},
+    },
+  } as any;
+  access.getStsClient = async () =>
+    ({
+      getCallerIdentity: async () => result,
+    }) as any;
+  return access;
+}
+
+describe("AliyunAccess", () => {
+  it("rejects STS error responses when testing access keys", async () => {
+    const access = createAccess({
+      Code: "InvalidAccessKeyId.NotFound",
+      Message: "Specified access key is not found.",
+      RequestId: "request-id",
+    });
+
+    await assert.rejects(() => access.onTestRequest(), /InvalidAccessKeyId\.NotFound/);
+  });
+
+  it("returns ok for valid STS identity responses", async () => {
+    const access = createAccess({
+      AccountId: "123456789",
+      Arn: "acs:ram::123456789:user/test",
+      UserId: "test-user",
+    });
+
+    assert.equal(await access.onTestRequest(), "ok");
+  });
+});
diff --git a/packages/ui/certd-server/src/plugins/plugin-lib/aliyun/access/aliyun-access.ts b/packages/ui/certd-server/src/plugins/plugin-lib/aliyun/access/aliyun-access.ts
index 4ecf5a7f3..1b7857458 100644
--- a/packages/ui/certd-server/src/plugins/plugin-lib/aliyun/access/aliyun-access.ts
+++ b/packages/ui/certd-server/src/plugins/plugin-lib/aliyun/access/aliyun-access.ts
@@ -41,7 +41,7 @@ export class AliyunAccess extends BaseAccess {
 
   async onTestRequest() {
     await this.getCallerIdentity();
-    return "ok"
+    return "ok";
   }
 
 
@@ -64,6 +64,11 @@ export class AliyunAccess extends BaseAccess {
     const sts = await this.getStsClient();
     // 调用 GetCallerIdentity 接口
     const result = await sts.getCallerIdentity();
+    if (result.Code || !result.AccountId) {
+      const message = result.Message || "阿里云密钥校验失败";
+      const code = result.Code ? `[${result.Code}] ` : "";
+      throw new Error(`${code}${message}`);
+    }
 
     this.ctx.logger.log("✅ 密钥有效！");
     this.ctx.logger.log(`   账户ID: ${result.AccountId}`);