Overview
This article describes how to troubleshoot 403 status code when you access OSS.
Description
The following describes several common OSS 403 errors and their resolutions.
| Error classification | Error codes and messages | Cause | Solution |
| Overdue payment |
ErrorCode: UserDisable ErrorMessage: UserDisable |
|
Error: UserDisable.UserDisable |
| Date |
ErrorCode: RequestTimeTooSkewed |
If the interval between the request sending time and the time at which OSS receives the request exceeds 15 minutes, OSS considers the request to be invalid due to security reasons and returns an error. |
Check the system time of the device from which the request is sent, and then adjust the time according to your time zone. For more information, see RequestTimeTooSkewed.The difference between... Error |
| Corrupted file |
ErrorCode: ImageDamage |
This indicates that some information in the image file is lost or damaged, and the image cannot be identified or processed. | ImageDamage.The image file may be damaged error. |
| Cross-Domain |
ErrorCode: AccessForbidden ErrorMessage: CORSResponse: This CORS request is not allowed. This is usually because the evalution of Origin, request method / Access-Control-Request-Method or Access-Control-Requet-Headers are not whitelisted by the resource's CORS spec. |
CORS is not configured or CORS is incorrect. | Configure cross-domain access to OSS |
| Configure hotlink protection |
ErrorCode: AccessDenied ErrorMessage: You are denied by bucket referer policy. |
The endpoint is not in the whitelist of OSS. | Hotlink protection |
| Permission |
ErrorCode: AccessDenied ErrorMessage: The bucket you are attempting to access must be addressed using the specified endpoint. Please send all future requests to this endpoint. |
Bucket and Endpoint do not match | How to troubleshoot OSS permission-related common errors |
|
ErrorCode: AccessDenied |
This indicates that the user accessing OSS has no permissions for the current operation. | ||
|
ErrorCode: InvalidAccessKeyId |
The possible cause is that the AccessKeyID is disabled or does not exist. | ||
|
ErrorCode: SignatureDoesNotMatch |
The error message returned because the request signature does not conform to the standards of Alibaba Cloud. | ||
|
ErrorCode: AccessDenied ErrorMessage: You are forbidden to list buckets. |
You have no permissions for ListBuckets. | To modify the permissions, see implement access control based on ACLs to the permission list in the Ram console. | |
|
ErrorCode: AccessDenied ErrorMessage: You do not have write acl permission on this object |
You have no permissions for SetObjectAcl. | ||
|
ErrorCode: AccessDenied ErrorMessage: You do not have read acl permission on this object. |
You have no permissions for GetObjectAcl. | ||
|
ErrorCode: AccessDenied ErrorMessage: The bucket you access does not belong to you. |
RAM user are not authorized to manage buckets (such as GetBucketAcl, CreateBucket, DeleteBucket, and SetBucketReferer). | To modify the permissions, see use RAM policies to control access to OSS modify permissions. | |
|
ErrorCode: AccessDenied ErrorMessage: You have no right to access this object because of bucket acl. |
RAM user and temporary users are not authorized to access the Object, such as putObject getObject, appendObject deleteObject, and postObject. | ||
|
ErrorCode: AccessDenied ErrorMessage: Access denied by authorizer's policy. |
The temporary account has no access permissions. The authorization policy specified for assuming the role of this temporary account has no permissions. | ||
|
ErrorCode: AccessDenied ErrorMessage: You have no right to access this object. |
RAM User users and temporary users have no current operation permissions (such as initiateMultipartUpload). | ||
|
ErrorCode: AccessDenied ErrorMessage: Invalid according to Policy: Policy expired. |
Invalid Policy in PostObject | PostObject | |
|
ErrorCode: AccessDenied ErrorMessage: Invalid according to Policy: Policy Condition failed:["eq", "$Content-Type", "application/octet-stream"]… |
The Content-Type is qualified. For example, the Content-Type in the request is limited to image/png, but it does not match the restriction. | Set Content-Type |
"UserDisable.UserDisable" error
The following error message is displayed when you access OSS: UserDisable.UserDisable.
<Code>UserDisable</Code>
<Message>UserDisable</Message>
Causes and Solutions
- If the reason for the arrears is banned, in OSS console open on expense Center to check whether there is any overdue payment. If you owe, please recharge in time.
Note:
- You can still use OSS for 24 hours after a payment becomes overdue. After 24 hours, you are denied access to OSS.
- Your historical data is retained for 15 days and will be deleted later.
- When you see an "Alibaba Cloud OSS arrearage message" in the message center, recharge your account in a timely manner. Otherwise, your normal use will be affected.
- If the request is disabled for security reasons, you can open the message Center, in the security Message view violation notifications in. There are many reasons for violation, such as the use of OSS for private servers, prohibited images, and violence.
Note: If your account is banned, you must do whatever necessary to recover the use of your account. A new account does not guarantee your normal use of the account.
"RequestTimeTooSkewed.The difference between..." Error
The following error messages appear when you access OSS.
<Code>RequestTimeTooSkewed</Code>
<Message>The difference between the request time and the current time is too large. </Message>
Causes and Solutions
If the interval between the request sending time and the time at which OSS receives the request exceeds 15 minutes, OSS considers the request to be invalid due to security reasons and returns an error. Check the system time of the device from which the request is sent, and then adjust the time according to your time zone. The system time of the machine or device that sends the request. The adjustment criteria are as follows:
- The system time adopted by OSS is the GMT time. Therefore, the system time of your device must be adjusted to GMT or to a time within a time zone corresponding to GMT. GMT(Greenwich Mean Time) is the zone Time of zero Time zone, that is, the world standard Time.
- To check the time zone in Windows, use the control panel > clock, language and region > set date and time to open the date and time. The +08:00 in the time zone column indicates that your device is located in the time zone UTC +8.
- How to check the time zone on Linux/Unix systems: run the
date -Rview time and time zone. In the following figure.+0800the system time zone of your device is UTC +8.
- It is possible to use OSS of multiple regions. The OSS in each region uses GMT and the system time of your device sending the request is also GMT.
"ImageDamage.The image file may be damaged" error
The following error messages appear when you access OSS.
<Code>ImageDamage</Code>
<Message>The image file may be damaged. </Message>
Causes and Solutions
This indicates that some information in the image file is lost or damaged, and the image cannot be identified or processed. In some cases, you may doubt that you can open images in your local browser but OSS returns an error. This is because the picture browser will do some processing on the damaged picture, OSS Image Service this operation is not available for the time being. Make sure that the source file is not damaged. If the file is damaged, upload another local file.
Reference
Application scope
- Object Storage Service (OSS)