
Object Storage Service: HTTP status code 403

Last Updated: Jun 27, 2023

This topic describes the causes of errors returned with HTTP status code 403 and the solutions to these errors.

AccessDenied

The bucket you are attempting to access must be addressed using the specified endpoint. Please send all future requests to this endpoint

  • Cause: The endpoint used to access the bucket is incorrect.

  • Solution: Make sure that you use the correct endpoint to access the bucket. For example, if you want to access a bucket in the China (Hangzhou) region (oss-cn-hangzhou), use the following public endpoint of the region: oss-cn-hangzhou.aliyuncs.com. For more information about endpoints, see OSS domain names.

This request is forbidden by kms

  • Cause: You do not have the permissions to use Key Management Service (KMS).

  • Solution: Make sure that you have the permissions to use the customer master key (CMK). For more information, see Server-side encryption.

AccessDenied

  • Cause: You do not have the permissions to access the resources.

  • Solution:

    • Make sure that you use the correct AccessKey ID and AccessKey secret to access the resources. For more information, see Create an AccessKey pair.

    • Make sure that the RAM user has the permissions to perform operations on the bucket or the object that you want to manage.

You have no right to access this object

  • Cause: The RAM user that you use does not have the permissions to access the object.

  • Solution: Make sure that the RAM user that you use has the permissions to perform object-related operations. For more information about how to configure access permissions in different scenarios, see Tutorial: Use RAM policies to control access to OSS.

Anonymous user has no right to access this bucket

Anonymous user has no right to access this object

You are denied by bucket referer policy

  • Cause: The domain name from which the request is initiated is not included in the Referer whitelist.

  • Solution: Configure a Referer whitelist for a bucket and specify whether to allow empty Referer fields. This way, only requests from the domain names that are included in the Referer whitelist can access the resources in the bucket. For more information, see Configure hotlink protection for a bucket.
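The following Python function shows how a Referer whitelist of the kind described above is evaluated. It is an added illustration, not OSS's own implementation: the whitelist entries and the wildcard matching rules (an entry with a scheme is matched against scheme and host, an entry without one against the host only, `*` matching any run of characters) are assumptions made for the example, and the empty-Referer switch shows why that setting matters.

```python
import fnmatch
from urllib.parse import urlparse

# Constructed whitelist in the style of a hotlink-protection rule set
# (illustrative values, not taken from any real bucket).
REFERER_WHITELIST = ["https://www.example.com", "*.example.com"]
ALLOW_EMPTY_REFERER = False


def referer_allowed(referer, whitelist=REFERER_WHITELIST, allow_empty=ALLOW_EMPTY_REFERER):
    """Return True if the request's Referer header passes the whitelist.

    A missing or empty Referer is accepted only when allow_empty is set
    (browsers and some tools send no Referer, so this flag decides whether
    such requests reach the bucket). Entries containing a scheme are matched
    against "scheme://host"; entries without one are matched against the
    host alone. '*' is a wildcard (assumed semantics for this example).
    """
    if not referer:
        return allow_empty
    parsed = urlparse(referer)
    if not parsed.scheme or not parsed.hostname:
        return False  # a malformed Referer never matches
    host = parsed.hostname.lower()
    origin = f"{parsed.scheme.lower()}://{host}"
    for entry in whitelist:
        entry = entry.lower()
        if "://" in entry:
            if fnmatch.fnmatchcase(origin, entry):
                return True
        elif fnmatch.fnmatchcase(host, entry):
            return True
    return False
```

Note that `*.example.com` does not match `example.com.attacker.net`: the wildcard is anchored to the end of the host, which is the behaviour you want from a hotlink-protection rule.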

Invalid according to Policy: Policy expired

  • Cause: The policy form field in the PostObject request is invalid.

  • Solution: Specify a valid value for the policy form field. The policy form field in a PostObject request is used to check the validity of the request. The value of the policy form field is a JSON string that is encoded in UTF-8 and Base64. This value specifies the conditions that must be matched for a PostObject request. The following code provides an example of the policy form field in a PostObject request:

    { "expiration": "2014-12-01T12:00:00.000Z",
      "conditions": [
        {"bucket": "johnsmith" },
        ["starts-with", "$key", "user/eric/"]
      ]
    }

    For more information about the conditions that can be configured in the policy form field, see PostObject.

Invalid according to Policy: Policy Condition failed: <failed condition>

  • Cause: The conditions specified in the policy form field are invalid.

  • Solution: Make sure that the conditions specified in the policy form field are valid. For more information about the conditions that can be configured in the policy form field and how the conditions are matched, see PostObject.

Invalid according to Policy: Policy Condition failed: ["eq", "$Content-Type", "image/png"]

  • Cause: The type of the object that you want to upload does not match the specified Content-Type value.

  • Solution: The Content-Type condition in the policy restricts the type of the object that you can upload. If you set the Content-Type condition to image/png, only objects whose Content-Type is image/png (PNG images) can be uploaded. Set the Content-Type condition to the type of the object that you want to upload, and make sure that the Content-Type value sent with the object matches it. For more information about the valid values of the Content-Type header, see How do I configure the Content-Type header?
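The following Python code is an added example, not code from the OSS documentation or SDKs. It encodes a policy of the shape shown above (UTF-8 JSON, then Base64) and then evaluates it against a constructed PostObject form submission the way the three errors in this section arise: an expired policy, a failed `starts-with` condition on `$key`, and a failed `eq` condition on `$Content-Type`. Only the condition forms that appear on this page (exact-match object, `eq`, `starts-with`) are handled; the policy values are illustrative.

```python
import base64
import json
from datetime import datetime, timezone

# Constructed policy: the page's example plus an "eq" condition on Content-Type.
POLICY = {
    "expiration": "2014-12-01T12:00:00.000Z",
    "conditions": [
        {"bucket": "johnsmith"},
        ["starts-with", "$key", "user/eric/"],
        ["eq", "$Content-Type", "image/png"],
    ],
}


def encode_policy(policy):
    """UTF-8 JSON, then Base64: the value placed in the 'policy' form field."""
    return base64.b64encode(json.dumps(policy).encode("utf-8")).decode("ascii")


def decode_policy(encoded):
    return json.loads(base64.b64decode(encoded).decode("utf-8"))


def _parse_utc(value):
    """Accept an ISO 8601 UTC timestamp string (with or without fraction) or a datetime."""
    if isinstance(value, datetime):
        return value if value.tzinfo else value.replace(tzinfo=timezone.utc)
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"not an ISO 8601 UTC timestamp: {value!r}")


def check_policy(encoded_policy, form_fields, now):
    """Evaluate the policy against the submitted form fields.

    Returns "OK" or an error string in the style of the messages above.
    Condition forms handled: {"field": value} (exact match),
    ["eq", "$field", value] and ["starts-with", "$field", prefix].
    Unknown operators fail closed.
    """
    policy = decode_policy(encoded_policy)
    if _parse_utc(now) > _parse_utc(policy["expiration"]):
        return "Invalid according to Policy: Policy expired"
    for cond in policy["conditions"]:
        if isinstance(cond, dict):
            ok = all(form_fields.get(field) == expected for field, expected in cond.items())
        else:
            op, field, value = cond
            actual = form_fields.get(field.lstrip("$"), "")
            if op == "eq":
                ok = actual == value
            elif op == "starts-with":
                ok = actual.startswith(value)
            else:
                ok = False
        if not ok:
            return f"Invalid according to Policy: Policy Condition failed: {json.dumps(cond)}"
    return "OK"
```

Because the policy travels inside the form and is signed separately, the server must re-decode it and re-check every condition itself; the client cannot be trusted to have done so.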

Target object does not reside in the same data center as source object

  • Cause: Objects cannot be copied across buckets in different regions.

  • Solution: Make sure that the source bucket and the destination bucket are in the same region. For more information, see CopyObject.

Query string authentication requires the Signature, Expires and OSSAccessKeyId parameters

  • Cause: The required parameters are not included in the signed URL.

  • Solution: Include the following parameters in the signed URL: Signature, Expires, and OSSAccessKeyId. Example: http://oss-example.oss-cn-hangzhou.aliyuncs.com/oss-api.pdf?OSSAccessKeyId=nz2pc56s936**9l&Expires=1141889120&Signature=vjbyPxybdZaNmGa%2ByT272YEAiv****. For more information, see Add signatures to URLs.

Invalid date (should be seconds since epoch)

  • Cause: The value of the Expires parameter is invalid.

  • Solution: Specify a valid value for the Expires parameter. The Expires parameter specifies the point in time when the URL expires. The time follows the UNIX time format. It is the number of seconds that have elapsed since 00:00:00 Thursday, January 1, 1970. The time is in UTC.

Request has expired

  • Cause: The request has expired: the point in time specified by the Expires parameter has already passed.

  • Solution: Configure the Expires parameter based on your business requirements. For more information about how to configure the Expires parameter when you upload an object, see PutObject, PostObject, AppendObject, and InitiateMultipartUpload.

You do not have read permission on this object

  • Cause: You do not have read permissions on the object.

  • Solution: Contact the object owner to obtain read permissions on the object.

You do not have write permission on this object

  • Cause: You do not have write permissions on the object.

  • Solution: Contact the object owner to obtain write permissions on the object.

You do not have read acl permission on this object

  • Cause: You do not have read permissions on the access control list (ACL) of the object.

  • Solution: Contact the object owner to obtain the permissions to perform the GetObjectACL operation on the object.

You do not have write acl permission on this object

  • Cause: You do not have write permissions on the ACL of the object.

  • Solution: Contact the object owner to obtain the permissions to perform the PutObjectACL operation on the object.

You have no right to access this object because of bucket acl

  • Cause: You do not have the permissions to access the object.

  • Solution: Obtain the required permissions on the object, such as PutObject, GetObject, and AppendObject. For more information, see Common examples of RAM policies.

Anonymous access is forbidden for this operation

Access denied by bucket policy

Access denied by VPC endpoint policy

  • Cause: A policy is configured for the virtual private cloud (VPC) endpoint from which the request is sent, and the bucket that you access is not authorized by that policy. Buckets that the policy does not authorize cannot be accessed from the VPC.

  • Solution: Check the policy configured for the VPC endpoint and make sure that it authorizes access to the bucket.

Hierarchical namespace is disabled

  • Cause: The hierarchical namespace feature is not enabled for the bucket.

  • Solution: Enable the hierarchical namespace feature when you create the bucket, and then rename the directory or the object. For more information about the regions and scenarios in which the hierarchical namespace feature can be used, see Enable hierarchical namespace.

Access denied by authorizer's policy

  • Cause: You do not have the permissions to perform this operation.

  • Solution: The permissions of temporary access credentials that are obtained from Security Token Service (STS) are the intersection of the permissions granted in Step 4 and Step 5 of the Use temporary credentials provided by STS to access OSS topic. Use the following examples to check the intersection of the permissions that you configured in these two steps.

    • Example 1

      If the AliyunOSSFullAccess policy is attached to the role in Step 4 and the oss:PutObject permission is configured in Step 5, the temporary access credentials have the oss:PutObject permission. This means that you can only upload objects to the specified bucket.

    • Example 2

      If the oss:PutObject system permission is granted to the role in Step 4 and the oss:GetObject permission is configured in Step 5, the temporary access credentials do not have any permissions. This means that you cannot perform any operations on the specified bucket.
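The following Python code is an added example (not Alibaba Cloud's policy engine) that works through Example 1 and Example 2: it evaluates a role policy (Step 4) and the policy passed when the role is assumed (Step 5) separately, and grants a temporary credential an action only when both allow it. Policies are in simplified RAM form with `Effect`, `Action` and `Resource`; wildcard matching, the explicit-Deny-wins rule and the bucket and object names are assumptions made for the example.

```python
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(statement, action, resource):
    """True if the statement's Action and Resource patterns both cover the request."""
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(statement["Resource"])))


def policy_allows(policy, action, resource):
    """Evaluate one policy: a matching Deny always wins, otherwise any matching Allow grants."""
    allowed = False
    for statement in policy["Statement"]:
        if _statement_matches(statement, action, resource):
            if statement.get("Effect") == "Deny":
                return False
            if statement.get("Effect") == "Allow":
                allowed = True
    return allowed


def sts_allows(role_policy, session_policy, action, resource):
    """Temporary credentials may perform an action only if BOTH the policy attached
    to the role (Step 4) and the policy supplied when assuming it (Step 5) allow it."""
    return (policy_allows(role_policy, action, resource)
            and policy_allows(session_policy, action, resource))


def effective_actions(role_policy, session_policy, candidate_actions, resource):
    """The intersection of the two policies over a set of candidate actions."""
    return sorted(a for a in candidate_actions
                  if sts_allows(role_policy, session_policy, a, resource))


# Constructed policies modelled on Example 1 and Example 2 above.
# Bucket and object names are illustrative.
BUCKET_OBJECTS = "acs:oss:*:*:examplebucket/*"
FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "oss:*", "Resource": "*"}]}
PUT_ONLY = {"Statement": [{"Effect": "Allow", "Action": "oss:PutObject", "Resource": BUCKET_OBJECTS}]}
GET_ONLY = {"Statement": [{"Effect": "Allow", "Action": "oss:GetObject", "Resource": BUCKET_OBJECTS}]}
CANDIDATES = ["oss:PutObject", "oss:GetObject", "oss:DeleteObject"]
OBJECT = "acs:oss:*:*:examplebucket/report.pdf"
```

The practical reading of Example 2 is that a Step 5 policy cannot add anything the role itself lacks; when a credential unexpectedly receives "Access denied by authorizer's policy", compare the two policies side by side for the action and resource in question.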

AccessForbidden

CORSResponse: This CORS request is not allowed. This is usually because the evalution of Origin, request method / Access-Control-Request-Method or Access-Control-Requet-Headers are not whitelisted by the resource's CORS spec

  • Cause: Cross-origin resource sharing (CORS) is not configured for the bucket or the configured CORS rules are incorrect.

  • Solution: For more information, see Configure CORS.

PermanentRedirect

The bucket you are attempting to access must be addressed using the specified endpoint. Please send all future requests to this endpoint

  • Cause: The endpoint is not specified or the incorrect endpoint is specified when you use OSS SDKs to access a bucket. For example, if you use the default endpoint oss-cn-hangzhou.aliyuncs.com to access a bucket that you created in the China (Qingdao) region, the error message is returned.

  • Solution: Use the endpoint of the region in which the bucket is located to access the bucket. For example, if you want to access buckets in the China (Hangzhou) and China (Qingdao) regions, we recommend that you create an OSSClient instance for each region. Add oss-cn-hangzhou.aliyuncs.com to the OSSClient instance that you want to use to access the bucket in the China (Hangzhou) region and oss-cn-qingdao.aliyuncs.com to the OSSClient instance that you want to use to access the bucket in the China (Qingdao) region.

SecondLevelDomainForbidden

The bucket you are attempting to access must be addressed using OSS third level domain

  • Cause: The domain name in the request is not a third-level domain name.

  • Solution: Include third-level domain names that contain information about buckets in all requests except the requests that you send to perform the GetService (ListBuckets) operation. The domain name used to access a bucket is in the BucketName.Endpoint format. BucketName specifies the name of the bucket and Endpoint specifies the endpoint of the region in which the bucket is located. Example: https://examplebucket.oss-cn-hangzhou.aliyuncs.com.

Please use virtual hosted style to access

  • Cause: The URL that you used to access OSS is invalid.

  • Solution: Use a URL in the following format to access OSS resources over the Internet: <Schema>://<Bucket>.<Public endpoint>/<Object>. In the preceding URL, Schema specifies the protocol that is used to access the object, such as HTTP or HTTPS, Bucket specifies the name of the bucket in which the object that you want to access is stored, Public endpoint specifies the endpoint used to access the region in which the bucket is located, and Object specifies the path of the uploaded object that you want to access.

    For example, if you want to access an object named example.txt in the destfolder of the bucket named examplebucket in the China (Hangzhou) region, you can use the following URL: https://examplebucket.oss-cn-hangzhou.aliyuncs.com/destfolder/example.txt.

NonStandardHostForbidden

Your host is invalid. Please use Open Storage Service standard host

  • Cause: The domain name used to access OSS is invalid.

  • Solution: Use a standard domain name to access OSS resources. For more information, see OSS domain names.
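The following Python code is an added example, not part of the OSS documentation, that classifies the Host of a request the way the SecondLevelDomainForbidden and NonStandardHostForbidden sections describe and builds the virtual-hosted-style URL from the "Please use virtual hosted style to access" section. The set of region endpoints and the bucket naming rule (lowercase letters, digits and hyphens, 3 to 63 characters, not starting or ending with a hyphen) are assumptions made for the example; a real deployment would use the full endpoint list from the OSS domain names page.

```python
import re
from urllib.parse import quote

# Constructed set of region endpoints (illustrative; not a complete list).
KNOWN_ENDPOINTS = {"oss-cn-hangzhou.aliyuncs.com", "oss-cn-qingdao.aliyuncs.com"}

# Assumed bucket naming rule for the example.
BUCKET_NAME = re.compile(r"^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$")


def parse_host(host, allow_service_host=False, known_endpoints=KNOWN_ENDPOINTS):
    """Classify a request Host header.

    Returns (status, bucket, endpoint), where status is
      "ok"                         - BucketName.Endpoint (third-level domain)
      "SecondLevelDomainForbidden" - a bare endpoint without a bucket label,
                                     accepted only for GetService (ListBuckets)
      "NonStandardHostForbidden"   - not a standard OSS domain name
    """
    host = host.strip().lower().split(":")[0]  # drop an explicit port
    if host in known_endpoints:
        if allow_service_host:
            return ("ok", None, host)
        return ("SecondLevelDomainForbidden", None, host)
    bucket, dot, endpoint = host.partition(".")
    if dot and endpoint in known_endpoints and BUCKET_NAME.match(bucket):
        return ("ok", bucket, endpoint)
    return ("NonStandardHostForbidden", None, None)


def object_url(bucket, endpoint, object_key, scheme="https"):
    """<Schema>://<Bucket>.<Public endpoint>/<Object>, with the key percent-encoded."""
    return f"{scheme}://{bucket}.{endpoint}/{quote(object_key, safe='/')}"
```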

KmsUbsmsInvalidBid

Your account partner does not have KMS Service

  • Cause: KMS is not activated.

  • Solution: Activate KMS before you use the SSE-KMS method to encrypt data in OSS. For more information, see Purchase a dedicated KMS instance.

KmsInDebt

Current user is indebted

  • Cause: Your Alibaba Cloud account has overdue payments. A notification is sent to you and your access to KMS is denied.

  • Solution: Make sure that your Alibaba Cloud account does not have overdue payments when you use KMS.

KmsInDebtOverdue

Current user is indebted Overdue

  • Cause: Your Alibaba Cloud account has overdue payments for KMS.

  • Solution: Top up your Alibaba Cloud account to use KMS.

WORMConfigurationLocked

The WORM Configuration is locked

  • Cause: You attempt to delete a locked retention policy.

  • Solution: Do not delete a locked retention policy. Locked retention policies cannot be deleted. The protection period specified by the retention policy cannot be shortened but can be extended. For more information, see Retention policies.

BucketNotBelongTo

The bucket you access does not belong to you

  • Cause: You are not the owner of the bucket.

  • Solution: Make sure that you are the bucket owner before you perform the operation. Only the bucket owner can perform the operation.

InvalidAccessKeyId

The OSS Access Key Id you provided is disabled

  • Cause: The AccessKey ID is disabled.

  • Solution: Enable the AccessKey pair.

The OSS Access Key Id you provided does not exist in our records

The OSS Access Key Id contains non-acceptable characters, which accepts only alphanumeric characters[0-9a-zA-Z] and several special characters[._=]

  • Cause: The AccessKey ID is invalid.

  • Solution: Enter the AccessKey ID of a RAM user or your Alibaba Cloud account. For more information, see Create an AccessKey pair.

SignatureDoesNotMatch

The request signature we calculated does not match the signature you provided

  • Cause: When you call an API operation or use an OSS SDK to access OSS, the client must include a signature for the OSS server to perform identity authentication. If the server returns the preceding error message, the signature that you provided in the request is inconsistent with the signature calculated by the server. As a result, the request is rejected.

  • Solution: Perform the following steps to troubleshoot the error:

    1. Check whether the AccessKey ID and AccessKey secret are valid.

      You can use the AccessKey ID and AccessKey secret to log on to ossbrowser to check whether the AccessKey ID and AccessKey secret are valid. For more information, see Install and log on to ossbrowser.

    2. Check whether the signature algorithm is valid.

      OSS provides two request methods that can include signatures. For more information, see Include signatures in the Authorization header and Add signatures to URLs. The following items describe the algorithms for the two signature methods:

      • Include signatures in the Authorization header

        StringToSign = VERB + "\n"
                      + Content-MD5 + "\n" 
                      + Content-Type + "\n" 
                      + Date + "\n" 
                      + CanonicalizedOSSHeaders
                      + CanonicalizedResource
        Signature = base64(hmac-sha1(AccessKeySecret, StringToSign))
      • Add signatures to URLs

        StringToSign = VERB + "\n" 
                      + CONTENT-MD5 + "\n" 
                      + CONTENT-TYPE + "\n" 
                      + EXPIRES + "\n" 
                      + CanonicalizedOSSHeaders
                      + CanonicalizedResource
        Signature = urlencode(base64(hmac-sha1(AccessKeySecret, StringToSign)))

      We recommend that you use OSS SDKs to access OSS. This eliminates the need to manually calculate the signature. For more information, see Overview.

    3. Check whether the value of the StringToSign field in the response body is consistent with that in the request.

      The StringToSign field specifies the string to be signed, which is the content over which the HMAC-SHA1 signature is computed by using the AccessKey secret in the signature algorithm.

      Examples:

      PUT /bucket/abc?acl
      Date: Wed, 24 May 2023 02:12:30 GMT
      Authorization: OSS qn6qrrqxo2oawuk53otf****:77Dvh5wQgIjWjwO/KyRt8dOP****
      x-oss-abc: mymeta

      The string to be signed calculated by using the preceding method:

      PUT\n\n\nWed, 24 May 2023 02:12:30 GMT\nx-oss-abc:mymeta\n/bucket/abc?acl
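The following Python code is an added example that implements both signature methods from step 2 and reproduces the StringToSign from the example above; it is not the OSS SDK's code. It builds CanonicalizedOSSHeaders and CanonicalizedResource, signs with HMAC-SHA1, shows the server-side verification that produces SignatureDoesNotMatch when the two strings differ, and assembles the three query parameters a signed URL must carry. The credentials are placeholders, not the masked values shown on the page; the canonicalization rules used (lower-cased `x-oss-*` headers sorted by name, sub-resources sorted and appended after `?`) follow the algorithm as summarized on this page.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def canonicalized_oss_headers(headers):
    """Lower-case every x-oss-* header name, trim the value, sort by name,
    and emit one 'name:value\\n' entry per header (empty string if none)."""
    oss = sorted((k.lower(), v.strip()) for k, v in headers.items()
                 if k.lower().startswith("x-oss-"))
    return "".join(f"{k}:{v}\n" for k, v in oss)


def canonicalized_resource(bucket, key, subresources=()):
    """'/bucket/key' followed by the signed sub-resources (for example acl)
    in sorted order; a sub-resource with a value is written as name=value."""
    resource = f"/{bucket}/{key}"
    if subresources:
        parts = [n if v is None else f"{n}={v}" for n, v in sorted(subresources)]
        resource += "?" + "&".join(parts)
    return resource


def string_to_sign(verb, headers, bucket, key, subresources=(), expires=None):
    """Header method: the fourth line is the Date header.
    URL method: the fourth line is the Expires value instead."""
    h = {k.lower(): v for k, v in headers.items()}
    fourth = str(expires) if expires is not None else h.get("date", "")
    return (verb + "\n"
            + h.get("content-md5", "") + "\n"
            + h.get("content-type", "") + "\n"
            + fourth + "\n"
            + canonicalized_oss_headers(headers)
            + canonicalized_resource(bucket, key, subresources))


def sign(access_key_secret, sts):
    """base64(hmac-sha1(AccessKeySecret, StringToSign))"""
    mac = hmac.new(access_key_secret.encode("utf-8"), sts.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def authorization_header(access_key_id, access_key_secret, sts):
    return f"OSS {access_key_id}:{sign(access_key_secret, sts)}"


def verify_authorization(header_value, sts, lookup_secret):
    """Server-side check: recompute the signature over the StringToSign the
    server derived from the request and compare in constant time.
    lookup_secret(access_key_id) returns the secret, or None if the ID is
    unknown or disabled (the InvalidAccessKeyId cases)."""
    scheme, _, credentials = header_value.partition(" ")
    key_id, sep, provided = credentials.partition(":")
    if scheme != "OSS" or not sep:
        return False
    secret = lookup_secret(key_id)
    if secret is None:
        return False
    try:
        return hmac.compare_digest(sign(secret, sts), provided)
    except TypeError:  # non-ASCII garbage in the provided signature
        return False


def signed_url_params(access_key_id, access_key_secret, verb, bucket, key, expires,
                      headers=None, subresources=()):
    """The three query parameters a signed URL must carry. The signature is
    URL-encoded because Base64 output may contain '+', '/' and '='."""
    sts = string_to_sign(verb, headers or {}, bucket, key, subresources, expires=expires)
    return {"OSSAccessKeyId": access_key_id,
            "Expires": str(expires),
            "Signature": quote(sign(access_key_secret, sts), safe="")}


# Constructed request matching the worked example above.
EXAMPLE_HEADERS = {"Date": "Wed, 24 May 2023 02:12:30 GMT", "x-oss-abc": "mymeta"}
EXAMPLE_STS = string_to_sign("PUT", EXAMPLE_HEADERS, "bucket", "abc", [("acl", None)])
```

When debugging SignatureDoesNotMatch, compare the `StringToSign` the server echoes back with the one your client built: a header the SDK did not send, a different Date value, or a sub-resource left out of CanonicalizedResource each change the string and therefore the signature.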

TransferAccelerationDisabled

Transfer acceleration is disabled

  • Cause: Transfer acceleration is disabled.

  • Solution: Enable transfer acceleration if you want to accelerate remote data transfer, accelerate the upload and download of objects of gigabytes or terabytes in size, and accelerate the download of non-static and non-hot data. For more information, see Enable transfer acceleration.

InvalidSecurityToken

The security token you provided is invalid

AccessKeyIdAndSecurityTokenNotMatch

The OSS access key id and security token you provided does not match

SecurityTokenExpired

The security token you provided has expired

  • Cause: The temporary access credentials used to access OSS expired.

  • Solution: Send a request to obtain new temporary access credentials from STS.

AbnormalBucketOwnerStatus

The status of the bucket owner is abnormal

  • Cause: The service is not available for the bucket owner.

  • Solution: Check whether the Alibaba Cloud account of the bucket owner is canceled, restricted due to security reasons, or suspended due to overdue payments.

SecurityTokenNotSupported

This interface does not support security token

  • Cause: The current operation cannot be called by users who have only temporary access credentials.

  • Solution: Use other methods instead of STS tokens to grant the required permissions to users to access your buckets. You can use STS tokens to grant the permissions only to specific users for temporary access to OSS resources. For more information about authorization methods, see Overview.

Security token is not supported in this region

  • Cause: STS tokens are not supported in the current region.

  • Solution: Use methods other than STS tokens to grant users the permissions to access your buckets. For more information about the regions that support STS tokens, see Endpoints.

RequestTimeTooSkewed

The difference between the request time and the current time is too large

  • Cause: The time when the request is initiated is at least 15 minutes earlier than the current time of the OSS server.

  • Solution: Check the system time of the device used to send the request and change the system time based on your time zone.

    You can change the system time of the device that you use to send the request based on the following guidelines:

    • OSS uses Greenwich Mean Time (GMT) as the system time. Therefore, the system time of your device must be set to GMT or a time zone relative to GMT. For example, GMT+00:00 is a time zone relative to GMT.

      • To check the time zone of your device that runs Windows, choose Control Panel > Clock, Language, and Region > Set Date and Time.

        For example, if the Time Zone column displays +08:00, your device is in the GMT+08:00 time zone.

      • To check the time zone of your device that runs Linux or UNIX, run the date -R command.

        In the output of the date -R command, +0800 indicates that the device is in the GMT+08:00 time zone.

    • You can use OSS in multiple regions. OSS uses GMT as the system time in all regions. Therefore, the system time of your device used to send requests must also be in GMT.
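The following Python function is an added example (not OSS server code) of the clock-skew check behind RequestTimeTooSkewed. It parses the RFC 1123 Date header of a request, converts both sides to UTC and reports the skew, which also shows why a correctly set clock in the GMT+08:00 zone is fine but a local time mislabelled as GMT is not. That the check rejects a skew of 15 minutes in either direction is an assumption made for the example.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MAX_SKEW = timedelta(minutes=15)  # assumed threshold for the example


def _to_utc(value):
    """Accept an RFC 1123 string (as carried in the Date header) or a datetime."""
    dt = parsedate_to_datetime(value) if isinstance(value, str) else value
    if dt.tzinfo is None:  # treat a naive timestamp as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def request_time_ok(date_header, server_now=None, max_skew=MAX_SKEW):
    """Return (accepted, skew_seconds), where skew is request time minus server time.

    server_now defaults to the real clock; pass a string or datetime to make
    the check reproducible.
    """
    request_time = _to_utc(date_header)
    now = _to_utc(server_now) if server_now is not None else datetime.now(timezone.utc)
    skew = (request_time - now).total_seconds()
    return abs(skew) < max_skew.total_seconds(), skew
```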

ImageDamage

The image file may be damaged

  • Cause: The image cannot be identified or processed due to damaged or missing data.

  • Solution: Make sure that the image is not damaged. If the image is damaged, reupload the image.

UserDisable

UserDisable

  • Causes:

    • Your account is disabled due to overdue payments or security reasons.

    • OSS is not activated.

  • Solutions:

    • Check whether your account has overdue payments or contact technical support to perform a security check.

    • Activate OSS.

BucketDisable

BucketDisable

  • Cause: The bucket is disabled due to security reasons.

  • Solution: Check whether your account has overdue payments or contact technical support to perform a security check.

CnameDenied

The cname belongs to another user

  • Cause: The domain name is mapped to another bucket.

  • Solution: Use another domain name or verify the ownership of the domain name and forcibly map the domain name to the bucket. If you forcibly map the domain name to the bucket, the domain name is unmapped from the previous bucket. For more information, see Map custom domain names.

InvalidObjectState

The operation is not valid for the object's state

  • Cause: The operation is not valid for the current state of an Archive object. This is the case if one of the following conditions is met:

    • The RestoreObject request sent for the object timed out or was not initiated.

    • The RestoreObject request sent for the object was initiated but the object was not restored.

  • Solution: For information about how to fix the error, see RestoreObject.