Problem description
Your request is denied by a RAM policy.
Causes
You initiated a request to access a bucket or an object by using a RAM user. The request matches a Deny rule in the RAM policy that is attached to the RAM user. As a result, the request is rejected.
Examples
For example, you use a RAM user to which the following RAM policy is attached to initiate a PutBucketReferer request on the mybucket bucket:
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "oss:PutBucketReferer"
            ],
            "Resource": [
                "acs:oss:*:*:mybucket"
            ]
        }
    ]
}
The RAM policy includes a Deny rule to prevent the RAM user from calling the PutBucketReferer operation on the bucket. In this case, your request is rejected and the following output is returned:
<?xml version="1.0" encoding="UTF-8"?>
<Error>
  <Code>AccessDenied</Code>
  <Message>Access denied by bucket policy.</Message>
  <RequestId>65AF5037***5347E6D09</RequestId>
  <HostId>mybucket.oss-cn-hangzhou.aliyuncs.com</HostId>
  <AccessDeniedDetail>
    <PolicyType>AccountLevelIdentityBasedPolicy</PolicyType>
    <AuthPrincipalOwnerId>10323***2056</AuthPrincipalOwnerId>
    <AuthPrincipalType>SubUser</AuthPrincipalType>
    <AuthPrincipalDisplayName>20587***54611</AuthPrincipalDisplayName>
    <NoPermissionType>ExplicitDeny</NoPermissionType>
    <AuthAction>oss:PutBucketReferer</AuthAction>
    <EncodedDiagnosticMessage>AQIBIAAAACB1******WAaW7O7kNSJdFn5klF//79WvW+QLnFa1ZRhLyP6w7*****4oGB5vXTQZJmWh8tkIRG6vFf7gGLSp8vsVjGwF***Sb6kUQ==</EncodedDiagnosticMessage>
  </AccessDeniedDetail>
  <Bucket>dinary</Bucket>
  <User>205871000474254611</User>
  <EC>0003-00000201</EC>
  <RecommendDoc>https://api.aliyun.com/troubleshoot?q=0003-00000201</RecommendDoc>
</Error>
Solutions
Check whether the request that you initiate matches the Deny rule in the RAM policy.
In addition, if the output contains the EncodedDiagnosticMessage field, you can copy the content of the field to the Troubleshoot page to troubleshoot the causes. This operation requires that your RAM account is granted the ram:DecodeDiagnosticMessage permission.
If you do not have the permission, you can provide the content of this field to the account administrator. The account administrator can visit the Troubleshoot page to troubleshoot the causes and modify the authorization rules based on the diagnostic result.
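The check described in the first Solutions step can be scripted. The following is an added example, not code from the OSS documentation or SDK: it reads AuthAction and NoPermissionType from the error body and lists the Deny statements of a policy that match the rejected request. The error body is a constructed, trimmed sample, the account ID is a constructed placeholder, the function names are hypothetical, and the matcher is a simplification that handles only the * and ? wildcards and does not evaluate Condition, NotAction or NotResource.

```python
import json
import re
import xml.etree.ElementTree as ET

# RAM policy from the example above.
POLICY = json.loads('{"Version": "1", "Statement": [{"Effect": "Deny", '
                    '"Action": ["oss:PutBucketReferer"], '
                    '"Resource": ["acs:oss:*:*:mybucket"]}]}')

# Constructed error body, trimmed to the fields used here.
ERROR_XML = """<Error>
  <Code>AccessDenied</Code>
  <AccessDeniedDetail>
    <PolicyType>AccountLevelIdentityBasedPolicy</PolicyType>
    <NoPermissionType>ExplicitDeny</NoPermissionType>
    <AuthAction>oss:PutBucketReferer</AuthAction>
  </AccessDeniedDetail>
  <Bucket>mybucket</Bucket>
</Error>"""

def wildcard_match(pattern, value):
    # Simplification: '*' matches any run of characters, '?' exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None

def as_list(v):
    return v if isinstance(v, list) else [v]

def denied_request(error_xml, region, account_id):
    """Rebuild (action, resource ARN) of the rejected call from the error body."""
    root = ET.fromstring(error_xml)
    detail = root.find("AccessDeniedDetail")
    if detail is None or detail.findtext("NoPermissionType") != "ExplicitDeny":
        return None  # not an explicit deny; this check does not apply
    arn = f"acs:oss:{region}:{account_id}:{root.findtext('Bucket')}"
    return detail.findtext("AuthAction"), arn

def matching_denies(policy, action, resource):
    """Return the Deny statements whose Action and Resource both match."""
    hits = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if (any(wildcard_match(a, action) for a in as_list(stmt.get("Action", [])))
                and any(wildcard_match(r, resource) for r in as_list(stmt.get("Resource", [])))):
            hits.append(stmt)
    return hits

if __name__ == "__main__":
    action, arn = denied_request(ERROR_XML, "cn-hangzhou", "1234567890123456")  # constructed account ID
    for stmt in matching_denies(POLICY, action, arn):
        print("matched Deny:", json.dumps(stmt))
```

An empty result means the Deny comes from another policy attached to the RAM user or to a group it belongs to, so repeat the check for each of those policies.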