Problem description
Your request to get the access control list (ACL) of an object was rejected because the request is unsigned, the AccessKey credentials are invalid, or the caller lacks the GetObjectAcl permission.
Causes
The request carries no
Authorizationheader. OSS treats unsigned requests as anonymous, and anonymous users cannot callGetObjectAcl.The AccessKey ID or AccessKey secret is invalid or has been deleted.
The caller — a RAM user or RAM role — has not been granted the
oss:GetObjectAclpermission on the target bucket or object.
Examples
The following request has no Authorization header and triggers this error:
GET /?acl HTTP/1.1
Date: Tue, 20 Dec 2022 08:48:18 GMT
Host: BucketName.oss-example-endpoint.aliyuncs.comA correctly signed request includes an Authorization header:
GET /?acl HTTP/1.1
Date: Tue, 20 Dec 2022 08:48:18 GMT
Host: BucketName.oss-example-endpoint.aliyuncs.com
Authorization: OSS <AccessKeyId>:<Signature>Solutions
Apply the fix that matches your cause:
No signature: Sign the request using the AccessKey pair of the bucket owner or a RAM user authorized to call
GetObjectAcl. For details on constructing theAuthorizationheader, see Include signatures in the Authorization header.Invalid AccessKey: Log in to the Alibaba Cloud console and confirm that the AccessKey pair exists and is enabled.
Missing permission: Grant the
oss:GetObjectAclaction to the caller through a RAM policy or a bucket policy. The caller must be the bucket owner or a RAM user or RAM role explicitly authorized to performGetObjectAcl. For details on authorization options, see Overview.