Overview

Object Storage Service (OSS) permission errors indicate that the current user does not have permissions to perform a specific operation. This article describes OSS common permission errors and corresponding solutions.

Description

Common permission errors

The following table describes the permission errors returned by OSS and their causes.

ErrorCode: AccessDenied
ErrorMessage: The bucket you are attempting to access must be addressed using the specified endpoint. Please send all future requests to this endpoint.
Cause: The bucket and the endpoint do not match.
Solution: See "AccessDenied.The bucket you are attempting to…".

ErrorCode: AccessDenied
ErrorMessage: AccessDenied
Cause: The current user does not have permissions to perform the operation.
Solution: See "AccessDenied.AccessDenied".

ErrorCode: InvalidAccessKeyId
ErrorMessage: The OSS Access Key Id you provided does not exist in our records.
Cause: The AccessKey ID is invalid or does not exist.
Solution: See "InvalidAccessKeyId.The OSS Access Key Id…".

ErrorCode: SignatureDoesNotMatch
ErrorMessage: The request signature we calculated does not match the signature you provided. Check your key and signing method.
Cause: The signature calculated by OSS does not match the signature you provided.
Solution: See "SignatureDoesNotMatch.The request signature we calculated…".

ErrorCode: AccessDenied
ErrorMessage: You are forbidden to list buckets.
Cause: You do not have permissions to list buckets.
Solution: For more information about how to modify permissions, see ACL.

ErrorCode: AccessDenied
ErrorMessage: You do not have write acl permission on this object
Cause: You do not have permissions to perform the SetObjectAcl operation.

ErrorCode: AccessDenied
ErrorMessage: You do not have read acl permission on this object.
Cause: You do not have permissions to perform the GetObjectAcl operation.

ErrorCode: AccessDenied
ErrorMessage: The bucket you access does not belong to you.
Cause: Resource Access Management (RAM) users do not have permissions to perform operations such as GetBucketAcl, CreateBucket, DeleteBucket, SetBucketReferer, and GetBucketReferer.
Solution: For more information about how to modify permissions, see Tutorial: Use RAM policies to control access to OSS.

ErrorCode: AccessDenied
ErrorMessage: You have no right to access this object because of bucket acl.
Cause: RAM users and temporary users do not have permissions to access the object, for example, the permissions to perform the putObject, getObject, appendObject, deleteObject, and postObject operations.

ErrorCode: AccessDenied
ErrorMessage: Access denied by authorizer's policy.
Cause: The temporary user does not have permissions, or the policy attached to the current temporary user is not configured with any permissions.

ErrorCode: AccessDenied
ErrorMessage: You have no right to access this object.
Cause: RAM users or temporary users do not have permissions to perform the current operation, such as initiateMultipartUpload.

ErrorCode: AccessDenied
ErrorMessage: Invalid according to Policy: Policy expired.
Cause: The policy specified in PostObject is invalid.
Solution: See PostObject.

ErrorCode: AccessDenied
ErrorMessage: Invalid according to Policy: Policy Condition failed:["eq", "$Content-Type", "application/octet-stream"] …
Cause: The actual content type does not match the Content-Type value specified in the policy. For example, Content-Type is set to image/png, but the actual content type is not image/png.
Solution: See Set Content-Type.

Solutions

Note: We recommend that you generate policies by using OSS RAM Policy Editor.

How to determine whether an AccessKey pair is from an Alibaba Cloud account, a RAM user, or a temporary user

  • Check whether an AccessKey pair is from an Alibaba Cloud account: Check whether the AccessKey ID exists in the OSS console. If the AccessKey ID exists in the OSS console, the AccessKey pair is from an Alibaba Cloud account.
  • View the permissions of a RAM user (the policies attached to the RAM user): In the RAM console, choose Access Control > Users and click the user name to view the AccessKey ID. Then click Permissions to view the permissions of the RAM user.
  • View the permissions of a temporary user (the permissions of the corresponding RAM role): A temporary user is easy to recognize because its AccessKey ID starts with STS, for example, "STS.MpsSonrqGM8bGjR6CRKNMoHXe". In the console, choose Access Control > RAM Roles and click the name of the RAM role to view its permissions.

Check permissions

For more information about how to check permissions, see Tutorial: Use RAM policies to control access to OSS. To check permissions, perform the following steps:

1. List the permissions and resources that the operation requires.
2. Check whether the required operation is included in Action.
3. Confirm that the Resource value covers the bucket or object on which you want to perform the operation.
4. Confirm whether Effect is set to Allow or Deny.
5. Confirm that the Condition settings are correct.

Debugging

If the preceding checks do not reveal an error, loosen the policy step by step to locate the cause:

1. Delete Condition.
2. Delete Deny from Effect.
3. Replace Resource with "Resource": "*".
4. Replace Action with "Action": "oss:*".
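As an added illustration of the check steps and of the debugging steps above (example code written for this edit, not part of the article or of any Alibaba Cloud SDK), the following Python evaluator walks a RAM policy the way steps 2 to 5 do and reports which of Action, Resource, Effect or Condition caused a denial, so you can see which element to loosen first. The policy and request contexts are constructed; only the IpAddress condition operator is implemented, and matching is a plain wildcard match.

```python
import fnmatch
import ipaddress
# Constructed sample RAM policy (not from the article): read-only access to one bucket from one CIDR, plus a Deny on deletion.
POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["oss:GetObject", "oss:ListObjects"],
         "Resource": ["acs:oss:*:*:my-bucket", "acs:oss:*:*:my-bucket/*"],
         "Condition": {"IpAddress": {"acs:SourceIp": ["203.0.113.0/24"]}}},
        {"Effect": "Deny", "Action": "oss:DeleteObject", "Resource": "acs:oss:*:*:my-bucket/*"},
    ],
}

def _match(patterns, value):
    # Action/Resource may be a string or a list; '*' is a wildcard.
    pats = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in pats)

def _condition_ok(cond, ctx):
    # Step 5: only IpAddress (CIDR match on acs:SourceIp) is implemented; other operators count as unsatisfied.
    for op, keys in (cond or {}).items():
        for key, nets in keys.items():
            if op != "IpAddress" or key not in ctx:
                return False
            nets = [nets] if isinstance(nets, str) else nets
            ip = ipaddress.ip_address(ctx[key])
            if not any(ip in ipaddress.ip_network(n) for n in nets):
                return False
    return True

def evaluate(policy, action, resource, ctx=None):
    """Return (allowed, reason): Deny beats Allow; no matching Allow is an implicit AccessDenied."""
    ctx, allow_by, hints = ctx or {}, None, []
    for i, st in enumerate(policy["Statement"]):
        if not _match(st["Action"], action):                   # step 2
            continue
        if not _match(st["Resource"], resource):               # step 3
            hints.append("statement %d: Action matches, Resource does not" % i)
            continue
        if not _condition_ok(st.get("Condition"), ctx):        # step 5
            hints.append("statement %d: Condition not satisfied" % i)
            continue
        if st["Effect"] == "Deny":                             # step 4
            return False, "statement %d explicitly denies %s" % (i, action)
        allow_by = i
    if allow_by is not None:
        return True, "allowed by statement %d" % allow_by
    return False, "; ".join(hints) or "no statement covers %s on %s" % (action, resource)
```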

References

"AccessDenied.The bucket you are attempting to…"

The following error code and error details are reported when you access OSS:

<Code>AccessDenied</Code>
<Message>The bucket you are attempting to access must be addressed using the specified endpoint. Please send all future requests to this endpoint.</Message>

Cause and solution

This error indicates that the endpoint that you use to access the bucket is incorrect. For more information about endpoints, see Terms. If the SDK throws the following exception or returns the following error, refer to the note that follows to find the right endpoint:

<Error>
  <Code>AccessDenied</Code>
  <Message>The bucket you are attempting to access must be addressed using the specified endpoint. Please send all future requests to this endpoint.</Message>
  <RequestId>56EA****3EE6</RequestId>
  <HostId>my-oss-bucket-*****.aliyuncs.com</HostId>
  <Bucket>my-oss-bucket-***</Bucket>
  <Endpoint>oss-cn-****.aliyuncs.com</Endpoint>
</Error>
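As an added example (written for this edit, not code from the article or from the OSS SDK), the following Python helper parses an error body of the shape shown above, confirms that it is the endpoint-mismatch case, and derives the public and internal endpoint URLs in the form the note that follows describes. The sample body is constructed, with oss-cn-hangzhou assumed as the region endpoint.

```python
import xml.etree.ElementTree as ET

# Constructed error body (not captured from a live bucket), in the shape quoted above;
# oss-cn-hangzhou is an assumed example value for the masked region endpoint.
SAMPLE_ERROR = """<Error>
  <Code>AccessDenied</Code>
  <Message>The bucket you are attempting to access must be addressed using the specified endpoint. Please send all future requests to this endpoint.</Message>
  <RequestId>56EA****3EE6</RequestId>
  <HostId>my-oss-bucket-*****.aliyuncs.com</HostId>
  <Bucket>my-oss-bucket-***</Bucket>
  <Endpoint>oss-cn-hangzhou.aliyuncs.com</Endpoint>
</Error>"""

FIELDS = ("Code", "Message", "RequestId", "HostId", "Bucket", "Endpoint")
ENDPOINT_HINT = "must be addressed using the specified endpoint"

def parse_oss_error(body):
    """Parse an OSS <Error> response body; fields that are absent come back as None."""
    root = ET.fromstring(body)
    if root.tag != "Error":
        raise ValueError("not an OSS error document")
    return {tag: root.findtext(tag) for tag in FIELDS}

def endpoint_urls(err, https=True):
    """Derive the public and internal endpoint URLs from <Endpoint>.
    Returns None unless this is the endpoint-mismatch AccessDenied and an Endpoint was supplied;
    in that case look the endpoint up in the console as the note describes.
    Re-create the SDK client with urls['public'] (or 'internal' from ECS) as the endpoint."""
    if err["Code"] != "AccessDenied" or ENDPOINT_HINT not in (err["Message"] or ""):
        return None
    host = err["Endpoint"]
    if not host:
        return None
    scheme = "https" if https else "http"
    # The internal endpoint carries "-internal" before ".aliyuncs.com", as in the note's example.
    internal = host if "-internal." in host else host.replace(".aliyuncs.com", "-internal.aliyuncs.com", 1)
    return {"public": f"{scheme}://{host}", "internal": f"{scheme}://{internal}"}
```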

Note:

• oss-cn-****.aliyuncs.com in Endpoint is the right endpoint. Access OSS by using http://oss-cn-****.aliyuncs.com or https://oss-cn-****.aliyuncs.com as the endpoint.
• If Endpoint is not included in the error message, log on to the OSS console and find the bucket that you accessed in Buckets. Click the bucket name, and then click Overview. You can find the internal and public endpoints in the Endpoint column.
• A public endpoint is used to access OSS over the Internet. An internal endpoint is used to access OSS from the Alibaba Cloud internal network, for example, when you access OSS from ECS.
• A URL consists of HTTP or HTTPS and a domain name that excludes the bucket name. For example, in the preceding example, the public endpoint to access OSS is oss-****.aliyuncs.com, and the URL to access OSS over the Internet is http://oss-cn-****.aliyuncs.com. Similarly, the URL to access OSS over the internal network is http://oss-cn-****-internal.aliyuncs.com.

"AccessDenied.AccessDenied"

The following error code and error details are reported when you access OSS:

<Code>AccessDenied</Code>
<Message>AccessDenied</Message>

Cause and solution

This error indicates that the OSS user does not have permissions to perform the current operation. Confirm that the AccessKey ID and AccessKey secret are configured correctly. If you use a RAM user or a Security Token Service (STS) temporary user, confirm the permissions of the current user: in the left-side navigation pane of the RAM console, click Users, click the user name that you want to check, and choose Permissions > Group Permissions to view the permissions of the RAM user. Confirm whether the RAM user is authorized to perform operations on the buckets or objects.

"InvalidAccessKeyId.The OSS Access Key Id…" error

The following error code and error details are reported when you access OSS:

<Code>InvalidAccessKeyId</Code>
<Message>The OSS Access Key Id you provided does not exist in our records.</Message>

Cause and solution

This error indicates that the AccessKey ID is invalid or does not exist. Troubleshoot the error as follows:

1. Log on to Security Management in the Alibaba Cloud Management Console.
2. Confirm that the AccessKey ID exists and is enabled.
  • If your AccessKey ID is disabled, enable it.
  • If you do not have an AccessKey ID, create one and use it to access OSS.

"SignatureDoesNotMatch.The request signature we calculated…" error

The following error code and error details are reported when you access OSS:

<Code>SignatureDoesNotMatch</Code>
<Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message>

Solution

1. Make sure that you do not enter a bucket name or extra spaces before the endpoint, and that you do not enter extra forward slashes or extra spaces after the endpoint.
  • For example, the following endpoints are invalid:
    • http:// oss-cn-hangzhou.aliyuncs.com
    • https:// oss-cn-hangzhou.aliyuncs.com
    • http://my-bucket.oss-cn-hangzhou.aliyuncs.com
    • http://oss-cn-hangzhou.aliyuncs.com/
  • The following endpoint is valid:
    • http://oss-cn-hangzhou.aliyuncs.com
2. Make sure that the AccessKey ID and AccessKey secret are entered correctly and contain no extra spaces, especially when you copy and paste them.
3. Make sure that the bucket name and object key are valid and conform to the naming conventions.
  • Bucket naming conventions: The name must be 3 to 63 characters in length and can contain letters, numbers, and hyphens (-). It must start with a letter or a number.
  • Object naming conventions: The name must be 1 to 1023 characters in length and must be UTF-8 encoded. It cannot start with a forward slash (/) or a backslash (\).
4. If you sign requests yourself, use the signature method provided by OSS SDK instead. OSS SDK can sign a URL or a header. For more information, see Authorized access.
5. If your environment does not allow you to use OSS SDK to sign a URL or a header, sign the request yourself. For more information about how to sign a URL or a header, see Verify user signatures. Check every signature string.
6. If you use a proxy, check whether the proxy server adds additional headers.
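As an added pre-flight check for steps 1 to 3 (example code written for this edit, not part of the article or of any OSS SDK), the following Python validates the endpoint, the bucket name and the object key before a request is signed, using the invalid and valid endpoints listed above as its test inputs. The endpoint regex assumes the standard oss-<region>[-internal].aliyuncs.com host form, and the bucket rule enforces lowercase letters, which is what OSS accepts.

```python
import re
from urllib.parse import urlsplit

# Assumed host form for a regular region endpoint, as in the examples above (custom domains not covered).
ENDPOINT_HOST = re.compile(r"^oss-[a-z0-9-]+\.aliyuncs\.com$")
# Bucket rule from step 3; lowercase only, which is stricter than "letters" but is what OSS accepts.
BUCKET_NAME = re.compile(r"^[a-z0-9][a-z0-9-]{2,62}$")

def check_endpoint(endpoint):
    """Step 1: scheme present, no whitespace, no bucket prefix, nothing after the host.
    Returns a list of problems; an empty list means the endpoint is well-formed."""
    problems = []
    if any(c.isspace() for c in endpoint):
        problems.append("contains whitespace")
    parts = urlsplit("".join(endpoint.split()))   # keep checking the rest without the whitespace
    if parts.scheme not in ("http", "https"):
        problems.append("scheme must be http or https")
    if parts.path or parts.query or parts.fragment:
        problems.append("must not end with '/' or carry a path")
    host = parts.hostname or ""
    if host.count(".") > 2 and not host.startswith("oss-"):
        problems.append("bucket name must not precede the endpoint")
    elif not ENDPOINT_HOST.match(host):
        problems.append("host is not of the form oss-<region>[-internal].aliyuncs.com")
    return problems

def check_bucket_name(name):
    """Step 3, bucket: 3 to 63 characters, lowercase letters, digits and hyphens, starting with a letter or digit."""
    return [] if BUCKET_NAME.match(name) else ["bucket name violates the naming conventions"]

def check_object_key(key):
    """Step 3, object key: 1 to 1023 characters, UTF-8 encodable, not starting with '/' or '\\'."""
    problems = []
    if not 1 <= len(key) <= 1023:
        problems.append("object key must be 1 to 1023 characters")
    if key[:1] in ("/", "\\"):
        problems.append("object key must not start with '/' or '\\'")
    try:
        key.encode("utf-8")
    except UnicodeEncodeError:
        problems.append("object key is not valid UTF-8")
    return problems

def preflight(endpoint, bucket, key):
    """Run steps 1 to 3 together before signing; an empty list means none of them explains the error."""
    return ([f"endpoint: {p}" for p in check_endpoint(endpoint)]
            + [f"bucket: {p}" for p in check_bucket_name(bucket)]
            + [f"key: {p}" for p in check_object_key(key)])
```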

Application scope

• OSS