All Products
Document Center

Object Storage Service:0003-00000201

Last Updated:Feb 22, 2024

Problem description

Your request is denied by a RAM policy.


You initiated a request to access a bucket or an object by using a RAM user. The request matches a Deny rule in the RAM policy that is attached to the RAM user. As a result, the request is rejected.


For example, you use a RAM user that is attached with the following RAM policy to initiate a PutBucketReferer request on the mybucket bucket:

  "Version": "1",
  "Statement": [
         "Effect": "Deny",
         "Action": [
         "Resource": [

The RAM policy includes a Deny rule to prevent the RAM user from calling the PutBucketReferer operation on the bucket. In this case, your request is rejected and the following output is returned:

<?xml version="1.0" encoding="UTF-8"?>
  <Message>Access denied by bucket policy.</Message>


Check whether the request that you initiate matches the Deny rule in the RAM policy.

In addition, if the output contains the EncodedDiagnosticMessage field, you can copy the content of the field to the Troubleshoot page to troubleshoot the causes. This operation requires that your RAM account is granted the ram:DecodeDiagnosticMessage permission.

If you do not have the permission, you can provide the content of this field to the account administrator. The account administrator can visit the Troubleshoot page to troubleshoot the causes and modify the authorization rules based on the diagnostic result.