Error: UserDisable.UserDisable

The following UserDisable error may be reported when you access OSS:

                <Message> userdisable </message>

The error may be caused by two reasons:

  • Access is denied due to account outstanding payment.

    You can click Billing Management on the OSS console to check whether an outstanding payment is made. If any, recharge the account in time.

    • Even if an outstanding payment is made, you still can use OSS for 24 hours and your access will be banned later.
    • Your historical data is kept for 15 days and will be deleted later.
    • Once you see an “Alibaba Cloud OSS Arrearage Message” in the Message Center, recharge your account in time. If not, you cannot use OSS.
  • Access is denied due to security reasons.

    Click Notice on the console to enter the Message Center and check the notice of violation on the Security message on the right side. Violation may be caused by various of reasons.

    Note If your account is banned, you must do whatever necessary to recover the use of your account. A new account does not guarantee your normal use.

Error: RequestTimeTooSkewed.The difference between…

If the following error RequestTimeTooSkewed is reported when you access OSS:

<Message>The difference between the request time and the current time is too large.</Message>

The cause is that the interval between your request time and the time at which OSS receives your request exceeds 15 minutes. Therefore, OSS considers this request to be invalid due to security reasons and returns this error. You must check the system time of the device sending the request, and adjust it to a correct time according to the time zone.

You may have the following questions:

  • What are the criteria for adjusting the system time of the machine or device sending the request?

    The system time adopted by OSS is the Greenwich Mean Time (GMT). Therefore, the system time of your device must be adjusted to GMT or to a time within a time zone corresponding to GMT. GMT is the zone time of zero zone, that is the World Standard Time.

    If, for example, the system of your device that accesses OSS is configured with GMT+08:00, the system time must be adjusted to a time that is 8 hours earlier than GMT. The other time can be adjusted similarly. The standard time in China is Beijing Time, that is GMT+08:00. If your system time is located at GMT+08:00, your system time only needs to be adjusted to Beijing Time.

    • To check your time zone using the Windows system,

      clickControl Panel > Clock, Language, and Region > Set Date and Time to open the date and time. The +08:00 in the Time Zone column indicates that your device is located in the time zone GMT+08:00.

    • If your system is Linux/Unix,

      run the date -R command to check the time and the time zone. +0800 is shown in the following figure, which indicates that the system time zone of your device is GMT+08:00.

  • Is there a problem of time synchronization when using OSS across multiple regions like Hangzhou, Singapore, and the United States?

    There is certainly no problem. The OSS in each region uses GMT and the system time of your device sending the request is also GMT.

Error: InvalidAccessKeyId.The OSS Access Key Id…

If the following error is reported when you access OSS:

<Message>The OSS Access Key Id you provided does not exist in our records.</Message>

The possible cause is that your AccessKeyID is disabled or does not exist. You can troubleshoot the error as follows:

Log on to AccessKey management on the Alibaba Cloud console to confirm that the AccessKeyID used for accessing OSS does exist and has been activated.

  • If your AccessKeyID is disabled, activate it.
  • If your AccessKeyID does not exist, create a new AccessKeyID and use it to access OSS.

Error: AccessDenied.The bucket you are attempting to…

If the following error is reported when you access OSS:

<Message>The bucket you are attempting to access must be addressed using the specified endpoint. Please send all future requests to this endpoint.</Message>

The cause is that the endpoint you use to access the bucket is incorrect. For endpoint details, see OSS basic concepts.

How can we find out a correct endpoint? If the SDK is abnormal as follows or returns the following error:

  <Message>The bucket you are attempting to access must be addressed using the specified endpoint. Please send all future requests to this endpoint.</Message>
  • Then oss-cn-**** in the endpoint is the correct endpoint. You must use http://oss-cn-**** or https://oss-cn-**** as the endpoint to access OSS.
  • If the endpoint is not shown in the error returned, you must log on to OSS console, and on the Overview page find out the bucket you are attempting to access. Then click the bucket to enter the Bucket Overviewpage. On the OSS Domain Name area, you can see the domain names of the intranet and the Internet.
  • The Internet domain name is used to access OSS on the Internet. The intranet domain name is used to internally access OSS on the intranet of Alibaba Cloud. For example, if you access OSS on your ECS, you can use an intranet domain name.
  • Endpoint is composed of the domain name (excluding the bucket part) and the access protocol. For example, the Internet domain name of OSS in the preceding picture is oss-**** Therefore, the Internet endpoint is http://oss-cn-**** and similarly its intranet endpoint is http://oss-cn-****

Error: ImageDamage.The image file may be damaged

If the following error is reported when you access OSS:

<Message>The image file may be damaged.</Message>

This error indicates that part of the image file message is lost or damaged, and the image cannot be identified or processed. You may have a question that an image can be processed locally by an image processor but the OSS reports an error. The cause is that the image processor does some processing of the damaged image but the OSS service currently does not have this function.

Error: AccessDenied.AccessDenied

If the following error is reported when you access OSS:


This error indicates that the user accessing OSS has no permissions for the current operation. The correct AccessKeyID/AccessKeySecret must be used. If the account you are using is a subaccount/temporary account (STS), you must confirm your current permissions.

Confirmation method:

Check your permissions on the RAM console. ClickUser management and click User who needs to confirm the permission, then click User Authorization Policy and Authorization Policy for Group. Confirm the current account has been granted the permissions to operate on the bucket/object.

Error: SignatureDoesNotMatch. The request signature we calculated…

If the following error is reported when you access OSS:

<Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message>

Troubleshoot the error as follows:

  1. Check the endpoint.

    Check whether there is a bucket before the endpoint, whether there is unnecessary / behind the endpoint, and whether there are unnecessary spaces at two sides of the endpoint. For example, the endpoint,, http:// and https:// are invalid domain names.

  2. Check the AccessKeyID/AccessKeySecret.

    Confirm that the AccessKeyID/AccessKeySecret is correct. Make sure there are no spaces at two sides of the AccessKeyID/AccessKeySecret, especially when it is copied and pasted.

  3. Check the BucketName/ObjectKey.

    Make sure that the BucketName/ObjectKey is valid and compliant with the naming rule.

    • Bucket nomenclature: The name of a bucket only consists of lower-case letters, numbers, and hyphens (-) and must start with a lower-case letter or number.The length must be between 3 bytes and 63 bytes.
    • Object nomenclature: The name of an object adopts UTF-8 codes with a length of 1 to 1,023 bytes. The name cannot start with “/“ or “\”.
  4. If your own signature is used, you must follow the signature method provided by OSS SDK.

    OSS SDK supports URL/Header signatures. For more information, see the SDK documentation.

  5. If your environment is not suitable for SDK use but you do need to use your signature, see User signature verification for the signature method. You must check each signature field carefully.

    A visual signature tool is provided on the OSS forum. You must compare each signature field and the final signature. The signature tool is available at the Signature tool address.

  6. If you use a proxy, you must check whether the proxy server has been configured with an additional header.

Other errors

You must judge the causes based on the error codes and messages returned from the SDK. The error messages indicate the error causes. If you suspect that the error is related with the network environment, you can use ossutil for error troubleshooting and the ossutil may give possible causes.