When using Security Token Service (STS) to grant temporary access to OSS operations such as upload and download, you may encounter the following error:
ErrorCode: AccessDenied
ErrorMessage: Access denied by authorizer's policy.
How it works
When your application calls STS to get a temporary token, it can pass an optional inline Policy parameter. The token's effective permissions are the intersection of two permission sets:
The RAM role's permissions (defined in RAM)
The inline Policy passed in the STS token request
The inline Policy can only narrow the role's permissions — it cannot expand them. If the inline Policy omits an Allow statement for the action your code is trying to perform, the token is denied even if the RAM role allows it.
The following Java example shows where the Policy parameter is set in an STS token request:

Diagnose the error
The error Access denied by authorizer's policy indicates that the inline Policy in your STS token request is blocking the operation — not the RAM role itself. Identify which type of denial you have:
| Type | Cause | What to look for |
|---|---|---|
| Implicit denial | The inline Policy has no Allow statement for the required OSS action | A missing Allow in the Action list of your policy JSON |
| Explicit denial | The inline Policy has a Deny statement for the required OSS action | A Deny entry in your policy JSON |
Fix the policy
Identify the OSS API action your code is calling (for example, the action for uploads or the action for downloads).
Open the inline Policy JSON you pass when requesting the STS token.
Confirm that the policy includes an Allow statement for the required action and resource.
Verify that no Deny statement in the same policy overrides the Allow.
Confirm that the RAM role's own policy also grants the same action. The token cannot have permissions broader than the role.
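The checks above can be run offline before requesting a token. The following Python sketch is an added example, not code from the original page or from Alibaba Cloud: it classifies an action and resource against the inline Policy and the role policy as allowed, implicit denial, or explicit denial. The bucket name, both sample policies, and the helper names are constructed for illustration, and the matcher is a simplified model that ignores Condition, NotAction, and NotResource.

```python
import json
import re

# Constructed sample policies (not from the original page). The role allows
# every OSS action on a constructed bucket; the inline Policy is narrower.
ROLE_POLICY = json.loads("""{"Version": "1", "Statement": [
  {"Effect": "Allow", "Action": "oss:*",
   "Resource": "acs:oss:*:*:examplebucket/*"}]}""")
INLINE_POLICY = json.loads("""{"Version": "1", "Statement": [
  {"Effect": "Allow", "Action": ["oss:GetObject"],
   "Resource": ["acs:oss:*:*:examplebucket/*"]},
  {"Effect": "Deny", "Action": "oss:DeleteObject",
   "Resource": "acs:oss:*:*:examplebucket/logs/*"}]}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # Simplified wildcard match: '*' is any run of characters, '?' is one.
    for pattern in _as_list(patterns):
        regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, value):
            return True
    return False


def classify(policy, action, resource):
    """Return 'explicit-deny', 'allowed' or 'implicit-deny' for one policy."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        if not (_matches(stmt.get("Action", []), action)
                and _matches(stmt.get("Resource", []), resource)):
            continue
        if stmt.get("Effect") == "Deny":
            return "explicit-deny"  # a matching Deny always wins
        if stmt.get("Effect") == "Allow":
            allowed = True
    return "allowed" if allowed else "implicit-deny"


def diagnose(role_policy, inline_policy, action, resource):
    """Check both layers; the token works only if both say 'allowed'."""
    return {"role": classify(role_policy, action, resource),
            "inline": classify(inline_policy, action, resource)}


if __name__ == "__main__":
    obj = "acs:oss:*:*:examplebucket/photos/a.jpg"
    for act in ("oss:GetObject", "oss:PutObject"):
        print(act, diagnose(ROLE_POLICY, INLINE_POLICY, act, obj))
```

An `inline` result of `implicit-deny` or `explicit-deny` alongside a `role` result of `allowed` corresponds to the two rows of the diagnosis table.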
For a complete list of OSS actions and the policy syntax for STS, see Use temporary access credentials provided by STS to access OSS.
Scope
OSS
Resource Access Management (RAM)