All Products
Search

This Product

    Object Storage Service:0003-00000001

    Document Center

    Object Storage Service:0003-00000001

    Last Updated:Dec 19, 2025

    Problem description

    Your account does not have permission to perform the requested operation on the bucket or object, or the credentials you provided are incorrect.

    Causes

    • The account authenticated in the request lacks the required permissions for the operation.

    • The provided AccessKey ID or signature is incorrect.

    Examples

    • When you use a RAM user to send a request to a bucket, the AccessKey ID or AccessKey secret you entered is incorrect.

    • This error occurs when you use a RAM user to send a PutObject or GetObject request to a bucket, but the RAM user lacks the required permissions and the bucket's Access Control List (ACL) is not set to public-read-write or public-read.

    • This error can also be caused by an incorrect operation sequence when configuring CDN to pull from a private OSS bucket. Specifically, if the CDN origin is configured before the necessary permissions are granted, CDN cannot distribute the Security Token Service (STS) authentication configuration to its Points of Presence (POPs), resulting in access failures.

    • When you log on to ossbrowser 2.0 with the AccessKey of a RAM user, you may see the error The bucket you access does not belong to you. This is usually because the RAM user lacks the oss:GetBucketInfo permission.

    • Even if a bucket or object ACL is set to public-read or public-read-write, requests are denied if Block Public Access is enabled on the bucket.

    Solutions

    • Verify that the provided AccessKey ID and the AccessKey secret used to generate the signature are correct.

    • If you use a RAM user or temporary access credentials from STS, ensure that the account has the required permissions for the operation. For more information, see Use RAM policies to control access and Common examples of RAM policies.

    • When you configure a CDN domain to pull content from a private bucket, follow the correct order: first, grant the required OSS permissions to the RAM user, and then configure the private bucket as the origin for the CDN.

    • To access a specific bucket by using a preset path, you must have the oss:GetBucketInfo permission. Without this permission, you can instead manually specify the region where the bucket is located. For more information about how to create custom policies and grant permissions to RAM users, see Create custom policies and Grant permissions to a RAM user.

    • If you want to allow anonymous access by setting the ACL of a bucket or object to public-read, verify that Block Public Access is disabled for that bucket.