
Object Storage Service:0003-00000201

Last Updated: Feb 22, 2024

Problem description

Your request is denied by a RAM policy.

Causes

You initiated a request to access a bucket or an object by using a RAM user. The request matches a Deny rule in the RAM policy that is attached to the RAM user. As a result, the request is rejected.

Examples

For example, you use a RAM user to which the following RAM policy is attached to initiate a PutBucketReferer request on the mybucket bucket:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "oss:PutBucketReferer"
      ],
      "Resource": [
        "acs:oss:*:*:mybucket"
      ]
    }
  ]
}

The RAM policy includes a Deny rule to prevent the RAM user from calling the PutBucketReferer operation on the bucket. In this case, your request is rejected and the following output is returned:

<?xml version="1.0" encoding="UTF-8"?>
<Error>
  <Code>AccessDenied</Code>
  <Message>Access denied by bucket policy.</Message>
  <RequestId>65AF5037***5347E6D09</RequestId>
  <HostId>mybucket.oss-cn-hangzhou.aliyuncs.com</HostId>
  <AccessDeniedDetail>
    <PolicyType>AccountLevelIdentityBasedPolicy</PolicyType>
    <AuthPrincipalOwnerId>10323***2056</AuthPrincipalOwnerId>
    <AuthPrincipalType>SubUser</AuthPrincipalType>
    <AuthPrincipalDisplayName>20587***54611</AuthPrincipalDisplayName>
    <NoPermissionType>ExplicitDeny</NoPermissionType>
    <AuthAction>oss:PutBucketReferer</AuthAction>
    <EncodedDiagnosticMessage>AQIBIAAAACB1******WAaW7O7kNSJdFn5klF//79WvW+QLnFa1ZRhLyP6w7*****4oGB5vXTQZJmWh8tkIRG6vFf7gGLSp8vsVjGwF***Sb6kUQ==</EncodedDiagnosticMessage>
  </AccessDeniedDetail>
  <Bucket>dinary</Bucket>
  <User>205871000474254611</User>
  <EC>0003-00000201</EC>
  <RecommendDoc>https://api.aliyun.com/troubleshoot?q=0003-00000201</RecommendDoc>
</Error>

Solutions

Check whether the request that you initiate matches the Deny rule in the RAM policy.

In addition, if the output contains the EncodedDiagnosticMessage field, you can copy the content of the field to the Troubleshoot page to troubleshoot the causes. This operation requires that your RAM account is granted the ram:DecodeDiagnosticMessage permission.

If you do not have the permission, you can provide the content of this field to the account administrator. The account administrator can visit the Troubleshoot page to troubleshoot the causes and modify the authorization rules based on the diagnostic result.
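One way to run the check from the first solution offline, as an added example that is not Alibaba Cloud's code: it reads AuthAction and NoPermissionType from the error body, then lists the Deny statements in a policy that match a given action and resource. The function names are hypothetical, the wildcard matching is a simplified assumption about RAM semantics, and the caller supplies the resource ARN of the denied request.

```python
import json
import re
import xml.etree.ElementTree as ET

# Policy copied from the page.
PAGE_POLICY = '''{"Version": "1", "Statement": [{"Effect": "Deny",
  "Action": ["oss:PutBucketReferer"], "Resource": ["acs:oss:*:*:mybucket"]}]}'''

# Constructed sample: a trimmed error body with only the fields used below.
SAMPLE_ERROR = """<Error>
  <Code>AccessDenied</Code>
  <AccessDeniedDetail>
    <PolicyType>AccountLevelIdentityBasedPolicy</PolicyType>
    <NoPermissionType>ExplicitDeny</NoPermissionType>
    <AuthAction>oss:PutBucketReferer</AuthAction>
  </AccessDeniedDetail>
  <EC>0003-00000201</EC>
</Error>"""

def _glob(pattern, value):
    # '*' matches any run of characters, '?' exactly one; the rest is literal.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def denied_request(error_xml):
    """Extract the triage fields from an AccessDenied response body."""
    root = ET.fromstring(error_xml)
    detail = root.find("AccessDeniedDetail")
    get = (lambda tag: detail.findtext(tag)) if detail is not None else (lambda tag: None)
    return {"ec": root.findtext("EC"), "action": get("AuthAction"),
            "policy_type": get("PolicyType"), "deny_type": get("NoPermissionType")}

def matching_denies(policy_json, action, resource):
    """Return Deny statements whose Action and Resource both match the request.
    Assumption: Condition and NotAction/NotResource are not evaluated, so a
    statement carrying a Condition is reported as a candidate only."""
    hits = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if (any(_glob(a, action) for a in _as_list(stmt.get("Action", [])))
                and any(_glob(r, resource) for r in _as_list(stmt.get("Resource", [])))):
            hits.append(stmt)
    return hits
```

An empty result for an ExplicitDeny error means the matching Deny rule is in a different policy attached to the RAM user or to one of its groups.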
