Overview

This article describes how to troubleshoot HTTP 403 status codes that are returned when you access OSS.

 

Description

The following describes several common OSS 403 errors and their resolutions. 

| Error classification | Error codes and messages | Cause | Solution |
|---|---|---|---|
| Overdue payment | ErrorCode: UserDisable; ErrorMessage: UserDisable | OSS overdue payments banned, or banned for security reasons. | "UserDisable.UserDisable" error |
| Date | ErrorCode: RequestTimeTooSkewed; ErrorMessage: The difference between the request time and the current time is too large. | If the interval between the request sending time and the time at which OSS receives the request exceeds 15 minutes, OSS considers the request to be invalid due to security reasons and returns an error. | Check the system time of the device from which the request is sent, and then adjust the time according to your time zone. For more information, see "RequestTimeTooSkewed.The difference between..." Error. |
| Corrupted file | ErrorCode: ImageDamage; ErrorMessage: The image file may be damaged. | Some information in the image file is lost or damaged, and the image cannot be identified or processed. | "ImageDamage.The image file may be damaged" error |
| Cross-Domain | ErrorCode: AccessForbidden; ErrorMessage: CORSResponse: This CORS request is not allowed. This is usually because the evalution of Origin, request method / Access-Control-Request-Method or Access-Control-Requet-Headers are not whitelisted by the resource's CORS spec. | CORS is not configured or CORS is incorrect. | Configure cross-domain access to OSS |
| Configure hotlink protection | ErrorCode: AccessDenied; ErrorMessage: You are denied by bucket referer policy. | The endpoint is not in the whitelist of OSS. | Hotlink protection |
| Permission | ErrorCode: AccessDenied; ErrorMessage: The bucket you are attempting to access must be addressed using the specified endpoint. Please send all future requests to this endpoint. | Bucket and Endpoint do not match. | How to troubleshoot OSS permission-related common errors |
| | ErrorCode: AccessDenied; ErrorMessage: AccessDenied | The user accessing OSS has no permissions for the current operation. | |
| | ErrorCode: InvalidAccessKeyId; ErrorMessage: The OSS Access Key Id you provided does not exist in our records. | The possible cause is that the AccessKeyID is disabled or does not exist. | |
| | ErrorCode: SignatureDoesNotMatch; ErrorMessage: The request signature we calculated does not match the signature you provided. Check your key and signing method. | This error is returned because the request signature does not conform to the standards of Alibaba Cloud. | |
| | ErrorCode: AccessDenied; ErrorMessage: You are forbidden to list buckets. | You have no permissions for ListBuckets. To modify the permissions in the permission list of the RAM console, see "Implement access control based on ACLs". | |
| | ErrorCode: AccessDenied; ErrorMessage: You do not have write acl permission on this object | You have no permissions for SetObjectAcl. | |
| | ErrorCode: AccessDenied; ErrorMessage: You do not have read acl permission on this object. | You have no permissions for GetObjectAcl. | |
| | ErrorCode: AccessDenied; ErrorMessage: The bucket you access does not belong to you. | RAM users are not authorized to manage buckets (such as GetBucketAcl, CreateBucket, DeleteBucket, and SetBucketReferer). To modify the permissions, see "Use RAM policies to control access to OSS". | |
| | ErrorCode: AccessDenied; ErrorMessage: You have no right to access this object because of bucket acl. | RAM users and temporary users are not authorized to access the object (operations such as putObject, getObject, appendObject, deleteObject, and postObject). | |
| | ErrorCode: AccessDenied; ErrorMessage: Access denied by authorizer's policy. | The temporary account has no access permissions. The authorization policy specified for assuming the role of this temporary account has no permissions. | |
| | ErrorCode: AccessDenied; ErrorMessage: You have no right to access this object. | RAM users and temporary users have no permissions for the current operation (such as initiateMultipartUpload). | |
| | ErrorCode: AccessDenied; ErrorMessage: Invalid according to Policy: Policy expired. | Invalid Policy in PostObject. | PostObject |
| | ErrorCode: AccessDenied; ErrorMessage: Invalid according to Policy: Policy Condition failed:["eq", "$Content-Type", "application/octet-stream"]… | The Content-Type is restricted. For example, the Content-Type in the request is limited to image/png, but it does not match the restriction. | Set Content-Type |
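The two PostObject policy errors in the table above ("Policy expired" and "Policy Condition failed") can be caught before the upload is sent. The following is an added example, not code from the original article or from Alibaba Cloud: it assumes the policy is the base64-encoded JSON form field with `expiration` and `conditions` keys used by OSS PostObject, evaluates only list-form `eq` and `starts-with` conditions, and uses constructed sample values.

```python
import base64
import json
from datetime import datetime, timezone


def check_post_policy(policy_b64, form, now):
    """Return the 403 reasons this form would trigger against its own policy."""
    policy = json.loads(base64.b64decode(policy_b64))
    problems = []

    # "expiration" is an ISO 8601 GMT timestamp, e.g. 2024-05-01T12:00:00.000Z
    expires = datetime.strptime(policy["expiration"], "%Y-%m-%dT%H:%M:%S.%fZ")
    if now >= expires.replace(tzinfo=timezone.utc):
        problems.append("Policy expired.")

    for cond in policy.get("conditions", []):
        # Only list-form "eq" / "starts-with" conditions are evaluated here;
        # dict shorthand and content-length-range are outside this check.
        if not isinstance(cond, list) or cond[0] not in ("eq", "starts-with"):
            continue
        op, field, expected = cond
        actual = form.get(field.lstrip("$"), "")
        ok = actual == expected if op == "eq" else actual.startswith(expected)
        if not ok:
            problems.append("Policy Condition failed: " + json.dumps(cond))
    return problems


def make_policy(expiration, conditions):
    """Encode a policy document the way it is placed in the form's policy field."""
    doc = {"expiration": expiration, "conditions": conditions}
    return base64.b64encode(json.dumps(doc).encode()).decode()


# Constructed sample: the policy limits uploads to image/png under uploads/.
SAMPLE_POLICY = make_policy(
    "2024-05-01T12:00:00.000Z",
    [["eq", "$Content-Type", "image/png"], ["starts-with", "$key", "uploads/"]],
)
BAD_FORM = {"key": "uploads/cat.png", "Content-Type": "application/octet-stream"}
GOOD_FORM = {"key": "uploads/cat.png", "Content-Type": "image/png"}
BEFORE_EXPIRY = datetime(2024, 5, 1, 11, 0, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2024, 5, 1, 13, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(check_post_policy(SAMPLE_POLICY, BAD_FORM, BEFORE_EXPIRY))
    print(check_post_policy(SAMPLE_POLICY, GOOD_FORM, AFTER_EXPIRY))
```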

 

"UserDisable.UserDisable" error

The following error message is displayed when you access OSS: UserDisable.UserDisable.

<Code>UserDisable</Code>
<Message>UserDisable</Message>

 

Causes and Solutions

  • If the account is banned because of overdue payments, open the Expense Center from the OSS console to check whether there is any overdue payment. If there is, recharge your account promptly.
    Note:
    • You can still use OSS for 24 hours after a payment becomes overdue. After 24 hours, you are denied access to OSS.
    • Your historical data is retained for 15 days and will be deleted later.
    • When you see an "Alibaba Cloud OSS arrearage message" in the message center, recharge your account in a timely manner. Otherwise, your normal use will be affected.
  • If access is disabled for security reasons, open the Message Center and view the violation notifications under security messages. There are many reasons for violation, such as the use of OSS for private servers, prohibited images, and violence.
    Note: If your account is banned, you must take whatever steps are necessary to recover the use of that account. Creating a new account does not guarantee normal use.

 

"RequestTimeTooSkewed.The difference between..." Error

The following error messages appear when you access OSS.

<Code>RequestTimeTooSkewed</Code>
<Message>The difference between the request time and the current time is too large. </Message>

 

Causes and Solutions

If the interval between the request sending time and the time at which OSS receives the request exceeds 15 minutes, OSS considers the request to be invalid due to security reasons and returns an error. Check the system time of the machine or device that sends the request, and then adjust the time according to your time zone. The adjustment criteria are as follows:

  • The system time adopted by OSS is GMT. Therefore, the system time of your device must be set to GMT, or to the local time of a time zone that corresponds to the current GMT. GMT (Greenwich Mean Time) is the time of the zero time zone, that is, world standard time.
    • To check the time zone in Windows, go to Control Panel > Clock, Language, and Region > Set date and time to open the Date and Time dialog. A value of +08:00 in the time zone column indicates that your device is located in the time zone UTC+8.
    • To check the time zone on Linux/Unix systems, run date -R to view the time and time zone. A value of +0800 in the output indicates that the system time zone of your device is UTC+8.
  • You may use OSS in multiple regions. The OSS in each region uses GMT, and the system time of the device that sends the request is also GMT.
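The 15-minute rule and the GMT requirement described above can be checked offline. The following is an added example, not code from the original article or from Alibaba Cloud: it assumes the request time travels in an HTTP `Date` header, and the clock values are constructed. It contrasts a device in UTC+8 that converts its time to GMT correctly with one that stamps its local wall-clock digits as GMT.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

MAX_SKEW = timedelta(minutes=15)  # limit stated in the article


def skew(date_header, server_now):
    """Absolute difference between the request's Date header and the server clock."""
    sent = parsedate_to_datetime(date_header)
    if sent.tzinfo is None:
        raise ValueError("Date header carries no zone information")
    return abs(server_now - sent)


def would_be_rejected(date_header, server_now):
    """True when the skew exceeds 15 minutes (the RequestTimeTooSkewed case)."""
    return skew(date_header, server_now) > MAX_SKEW


def correct_date_header(local_aware):
    """Convert the zone-aware local time to GMT before formatting."""
    return format_datetime(local_aware.astimezone(timezone.utc), usegmt=True)


def wrong_date_header(local_aware):
    """Bug: labels the local wall-clock digits as GMT without converting them."""
    return format_datetime(local_aware.replace(tzinfo=timezone.utc), usegmt=True)


# Constructed clocks: both values describe the same instant.
SERVER_NOW = datetime(2024, 5, 1, 4, 0, 0, tzinfo=timezone.utc)
DEVICE_NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone(timedelta(hours=8)))

if __name__ == "__main__":
    for build in (correct_date_header, wrong_date_header):
        header = build(DEVICE_NOW)
        print(header, "skew:", skew(header, SERVER_NOW),
              "rejected:", would_be_rejected(header, SERVER_NOW))
```

A correct wall clock in UTC+8 is therefore not a problem in itself; the request is rejected only when the timestamp sent differs from GMT by more than 15 minutes.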

 

"ImageDamage.The image file may be damaged" error

The following error messages appear when you access OSS.

<Code>ImageDamage</Code> 
<Message>The image file may be damaged. </Message>

 

Causes and Solutions

This indicates that some information in the image file is lost or damaged, and the image cannot be identified or processed. In some cases, the image opens in a local image viewer but OSS still returns an error. This is because the image viewer performs some processing on the damaged image, and the OSS Image Service does not support this operation for the time being. Make sure that the source file is not damaged. If the file is damaged, upload another local file.

 

Application scope

  • Object Storage Service (OSS)