
Object Storage Service: Why are anonymous users unable to access public-read objects?

Last Updated: Mar 20, 2026

Setting an object's access control list (ACL) to public read allows all users to access it. However, certain bucket-level configurations can override this and block anonymous access.

Pay-by-requester

Important

When pay-by-requester is enabled, OSS blocks anonymous access to the bucket because anonymous users cannot provide identity information for authentication.

With pay-by-requester enabled, requesters — not the bucket owner — pay for request and data transfer fees. To charge the correct account, OSS requires requesters to authenticate. Because anonymous users carry no identity information, OSS rejects their requests.

The bucket owner pays storage fees only.

To restore anonymous access, choose one of the following:

For more information, see Pay-by-requester.

Bucket policy

Some bucket policies can block anonymous users from accessing the bucket, even when the object ACL is set to public read.

Review the bucket policies applied to your bucket and modify or delete any policy that denies anonymous access. See Configure bucket policies to authorize other users to access OSS resources.
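The following added example (not part of the original documentation) checks offline for both causes described above: a payer setting of `Requester`, and Deny statements that cover an anonymous `oss:GetObject`. The function name, the sample policy, the bucket name and the account ID are constructed for illustration; the example assumes the OSS bucket policy JSON layout (`Statement`, `Effect`, `Principal`, `Action`, `Resource`, `Condition`) and that a `Principal` of `*` includes anonymous users.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample policy (hypothetical bucket "examplebucket" and account ID).
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["oss:GetObject"], "Principal": ["*"],
         "Resource": ["acs:oss:*:1234567890123456:examplebucket/*"]},
        {"Effect": "Deny", "Action": ["oss:*"], "Principal": ["*"],
         "Resource": ["acs:oss:*:1234567890123456:examplebucket/private/*"],
         "Condition": {"NotIpAddress": {"acs:SourceIp": ["192.0.2.0/24"]}}},
    ],
})

def _as_list(value):
    # Policy fields may hold a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def _resource_matches(pattern, bucket, key):
    # Assumed resource format: acs:oss:<region>:<account>:<bucket>/<key pattern>
    target = pattern.split(":", 4)[-1]
    return fnmatchcase(f"{bucket}/{key}", target)

def anonymous_read_blockers(policy_text, payer, bucket, key):
    """Return reasons an anonymous GetObject on bucket/key may be rejected."""
    reasons = []
    if payer == "Requester":
        reasons.append("pay-by-requester is enabled")
    for i, stmt in enumerate(json.loads(policy_text).get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if "*" not in _as_list(stmt.get("Principal", [])):
            continue  # statement targets specific accounts only
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatchcase("oss:getobject", a) for a in actions):
            continue  # statement does not cover object reads
        resources = _as_list(stmt.get("Resource", []))
        if not any(_resource_matches(r, bucket, key) for r in resources):
            continue  # statement does not cover this object
        kind = "conditional" if stmt.get("Condition") else "unconditional"
        reasons.append(f"statement {i}: {kind} Deny covers anonymous oss:GetObject")
    return reasons
```

A conditional Deny is reported for manual review because the example does not evaluate `Condition` keys; an empty result means neither cause was found in the inputs supplied.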