Object Storage Service:HTTP 403 errors

Cause: The service is unavailable to the owner of the target bucket.

Solution: Check whether the bucket owner's Alibaba Cloud account has been deleted or restricted for security reasons. Also confirm whether the service has been suspended due to overdue payments.

Cause: You do not have the required permissions to perform the operation.

Solution: The final permissions of an STS token are the intersection of the RAM role's permissions (configured in Step 4) and the permissions in the STS policy (configured in Step 5). Use the following examples to check the intersection.

• Example 1: A represents the RAM role permissions, B represents the STS policy permissions, and C (the overlap) represents the final effective permissions.

• Example 2: The STS policy permissions (B) are a subset of the RAM role permissions (A). Therefore, B represents the final effective permissions.

Cause: Access is denied by the bucket policy.

Solution: Update the bucket policy to grant the required permissions. For more information, see Configure bucket policies to authorize other users to access specified resources.

Cause: A VPC endpoint policy configured for the client's VPC is blocking the request.

Solution: Check and update the endpoint policy for the VPC where the client resides.

Cause: The credentials used do not have the required permissions.

Solution:

• Verify that the AccessKey ID and AccessKey secret are correct. For more information, see Create an AccessKey pair.

• Verify that the RAM user has the required permissions on the bucket or object.

Cause: The operation requires authentication, but the request was sent without credentials.

Solution: Configure a bucket policy to grant anonymous users access to the specific resources they need. For more information, see Configure bucket policies to authorize other users to access specified resources.

Cause: Anonymous users are not permitted to access this bucket.

Solution: Configure a bucket policy to grant anonymous users the required access. For more information, see Configure bucket policies to authorize other users to access specified resources.

Cause: Anonymous users are not permitted to access this object.

Solution: Configure a bucket policy to grant anonymous users access to the specific resources they need. For more information, see Configure bucket policies to authorize other users to access specified resources.

Cause: The hierarchical namespace feature is not enabled for the bucket. Renaming directories and files requires this feature.

Solution: Enable hierarchical namespace when creating the bucket. For supported regions and applicable scenarios, see Enable the hierarchical namespace feature.

Cause: The conditions in the policy form field are invalid.

Solution: Specify valid conditions in the policy form field. For supported conditions and matching methods, see Appendix: Post Policy.

Cause: The file type does not match the Content-Type value specified in the policy.

Solution: The Content-Type field in a PostObject policy restricts which file types can be uploaded. If the policy limits uploads to image/png, only files of that type are accepted. To allow other types, add the corresponding Content-Type values to the policy. For a list of common Content-Type values, see How do I set Content-Type (MIME)?.

Cause: The policy in the PostObject request has expired.

Solution: The policy form field contains a Base64-encoded, UTF-8 JSON object that declares the conditions the request must satisfy, including an expiration time. Make sure the expiration value has not passed. The format is:

  {
    "expiration": "2014-12-01T12:00:00.000Z",
    "conditions": [
      {"bucket": "johnsmith"},
      ["starts-with", "$key", "user/eric/"]
    ]
  }

For more information about supported conditions, see Appendix: Post Policy.

Cause: The Expires parameter value is not a valid Unix timestamp.

Solution: Set Expires to a Unix timestamp — the number of seconds elapsed since 00:00:00 UTC on January 1, 1970. This value specifies when the URL expires.

Cause: The signed URL is missing one or more required parameters.

Solution: A signed URL must include at least Signature, Expires, and OSSAccessKeyId. Example:

  http://oss-example.oss-cn-hangzhou.aliyuncs.com/oss-api.pdf?OSSAccessKeyId=nz2pc56s936**9l&Expires=1141889120&Signature=vjbyPxybdZaNmGa%2ByT272YEAiv****

For more information, see Include a signature in a URL.

Cause: The Expires value in the request has already passed.

Solution: Set a valid Expires value for the request. For details on setting Expires in upload requests, see PutObject, PostObject, AppendObject, and InitiateMultipartUpload.

Cause: Cross-region object copy is not supported.

Solution: Objects can only be copied between buckets in the same region. The source and destination buckets can be the same or different. For more information, see CopyObject.

Cause: The endpoint used in the request does not match the bucket's region.

Solution: Use the correct endpoint for the bucket's region. For example, a bucket in the oss-cn-hangzhou region has the public endpoint oss-cn-hangzhou.aliyuncs.com. For a full list of endpoints, see Access OSS over IPv6.

Cause: The credentials used do not have permission to use the specified Key Management Service (KMS) customer master key (CMK).

Solution: Make sure the credentials have the required permissions for the CMK ID. For more information, see Server-side encryption.

Cause: The request's Referer header did not pass the bucket's hotlink protection check.

Solution: Hotlink protection restricts access by validating the Referer header against a whitelist of allowed domain names, and optionally blocking requests with an empty Referer. Add the required domain to the Referer whitelist. For more information, see Configure hotlink protection.

Cause: The credentials used do not have permission to read the object's access control list (ACL).

Solution: Contact the object owner to grant the GetObjectACL permission.

Cause: The credentials used do not have read permission on the object.

Solution: Contact the object owner to grant read permission.

Cause: The credentials used do not have permission to update the object's ACL.

Solution: Contact the object owner to grant the PutObjectACL permission.

Cause: The credentials used do not have write permission on the object.

Solution: Contact the object owner to grant write permission.

Cause: The RAM user does not have permission to access this object.

Solution: Grant the RAM user the required permissions for the object. For examples of common RAM policies for different access scenarios, see Tutorial: Use RAM policies to control access to OSS.

Cause: The bucket ACL does not allow the requested operation on this object.

Solution: Grant the required OSS permissions, such as PutObject, GetObject, and AppendObject. For common RAM policy examples, see Common examples of RAM policies.

Cause: CORS is not configured for the bucket, or the existing CORS configuration does not allow this request's origin, method, or headers.

Solution: Configure CORS rules for the bucket. For more information, see Configure cross-origin resource sharing.

Cause: The AccessKey pair provided by the user does not match the STS token.

Solution: For more information, see Use an STS token to access OSS.

Cause: The bucket is disabled for security reasons.

Solution: Check whether your account has overdue payments, or contact technical support for a security review.

Cause: The current user is not the owner of the target bucket.

Solution: Only the bucket owner can perform this operation.

Cause: The domain name is already bound to another bucket.

Solution: Either use a different domain name, or verify ownership of the domain name to reassign it to your bucket. Verifying ownership unbinds it from the other bucket. For more information, see Bind a custom domain name.

Cause: The image file is missing data or is corrupted.

Solution: Verify the integrity of the source file. If damaged, re-upload the original file from your local storage.

Cause: The AccessKey ID contains unsupported characters.

Solution: Re-enter the correct AccessKey ID. Valid characters are alphanumeric [0-9a-zA-Z] and the special characters [._=]. For more information, see Create an AccessKey pair.

Cause: The temporary access credential (STS token) has expired, making the associated AccessKey ID invalid.

Solution: Request a new temporary access credential from the app server using a valid AccessKey pair. For more information, see Obtain a temporary access credential.

Cause: The AccessKey ID has been disabled.

Solution: Re-enable the AccessKey pair.

Cause: Downloading an Archive object failed because of one of the following reasons:

• A RestoreObject request was never submitted, or the previous RestoreObject request timed out.

• A RestoreObject request was submitted, but the restore operation is not yet complete.

Solution: Submit a RestoreObject request and wait for the restore to complete before attempting the download. For more information, see RestoreObject.

Cause: The STS token is invalid.

Solution: For more information, see Use an STS token to access OSS.

Cause: OSS access is suspended because the account has an outstanding balance.

Solution: Pay the outstanding balance on your Alibaba Cloud account to restore access.

Cause: An OSS payment is overdue.

Solution: Pay the overdue amount to restore access.

Cause: KMS is not activated. Server-side encryption with KMS-managed keys (SSE-KMS) requires KMS to be active.

Solution: Activate KMS before using SSE-KMS to encrypt OSS data. For more information, see Activate KMS.

Cause: The request host does not match the standard OSS domain name format.

Solution: Use the standard OSS domain name format. For more information, see Access OSS over IPv6.

Cause: The SDK request uses no endpoint or an incorrect endpoint. For example, the bucket is in the China (Qingdao) region but the request uses the default endpoint oss-cn-hangzhou.aliyuncs.com.

Solution: Use the endpoint that matches the bucket's region. For buckets in different regions, create a separate OSS client for each region with the correct endpoint. For example, use oss-cn-hangzhou.aliyuncs.com for China (Hangzhou) and oss-cn-qingdao.aliyuncs.com for China (Qingdao).

Cause: The request was sent more than 15 minutes before or after the current time on the OSS server.

Solution: Check and correct the system time on the device that sends the request. OSS uses Greenwich Mean Time (GMT), also known as Coordinated Universal Time (UTC). Make sure the device clock is synchronized with a reliable time source.

• Windows: Go to Control Panel > Clock, Language, and Region > Set the time and date. The time zone displayed (for example, +08:00) indicates the offset from UTC.

• Linux or Unix: Run date -R to view the current time and time zone. In the following example, +0800 indicates UTC+8.

Cause: The request uses an incorrect host format instead of the required virtual-hosted style.

Solution: Use the virtual-hosted style URL format: <Schema>://<Bucket>.<Public Endpoint>/<Object>, where Schema is HTTP or HTTPS, Bucket is your bucket name, Public Endpoint is the endpoint for the region, and Object is the path of the file in OSS. Example: https://examplebucket.oss-cn-hangzhou.aliyuncs.com/destfolder/example.txt

Cause: The request domain name is not a third-level domain name containing the bucket name.

Solution: All OSS requests (except GetService/ListBuckets) must use third-level domain names in the format BucketName.Endpoint. Example: https://examplebucket.oss-cn-hangzhou.aliyuncs.com

Cause: The STS token's validity period has passed.

Solution: Request a new STS token from the STS service and retry the operation.

Cause: The region does not support STS token authentication.

Solution: Check which regions support STS tokens. For more information, see Endpoints.

Cause: The API operation cannot be called with STS token credentials.

Solution: STS tokens are intended for temporarily granting specific users access to OSS resources. For other authorization scenarios, see Access control overview to select an appropriate authorization method.

Cause: The signature in the request header or URL does not match the server's calculation. The request is rejected.

Solution: Follow these steps to identify the mismatch.

1. Verify the AccessKey ID and AccessKey secret. Log in to ossbrowser with the same credentials to confirm they are valid.

2. Check the signature algorithm. OSS supports two signing methods: To avoid manual signature calculation, use an Alibaba Cloud SDK. For more information, see Use an Alibaba Cloud SDK to initiate a request.

   • Signature in the request header:

     StringToSign = VERB + "\n"
                         + Content-MD5 + "\n"
                         + Content-Type + "\n"
                         + Date + "\n"
                         + CanonicalizedOSSHeaders
                         + CanonicalizedResource
     Signature = base64(hmac-sha1(AccessKeySecret, StringToSign))

   • Signature in the URL:

     StringToSign = VERB + "\n"
                         + CONTENT-MD5 + "\n"
                         + CONTENT-TYPE + "\n"
                         + EXPIRES + "\n"
                         + CanonicalizedOSSHeaders
                         + CanonicalizedResource
     Signature = urlencode(base64(hmac-sha1(AccessKeySecret, StringToSign)))

3. Compare the StringToSign values. The StringToSign field indicates the string-to-sign — the content that needs to be encrypted using the AccessKey secret in the signature algorithm. Compare it with the string-to-sign your client computed to find the discrepancy.

   Example request:

   PUT /bucket/abc?acl
   Date: Wed, 24 May 2023 02:12:30 GMT
   Authorization: OSS qn6q**************:77Dv****************
   x-oss-abc: mymeta

   Expected string-to-sign for this request:

   PUT\n\n\nWed, 24 May 2023 02:12:30 GMT\nx-oss-abc:mymeta\n/bucket/abc?acl

Cause: The region where the bucket is located does not support the transfer acceleration feature.

Solution: Contact technical support to resolve this issue.

Causes:

• The account has an overdue payment or is disabled for security reasons.

• The OSS service is not activated on the account.

Solutions:

• Check whether the account has overdue payments, or contact technical support for a security review.

• Activate the OSS service.

Cause: An attempt is made to delete a retention policy after it is locked.

Solution: After a retention policy is locked, it cannot be deleted and its retention period cannot be shortened. You can only extend the retention period. For more information, see Retention policies.