Setting an object's Access Control List (ACL) to public-read should make it accessible to everyone, including anonymous users. If anonymous users are still getting access errors, two bucket-level settings can prevent that access: pay-by-requester mode and bucket policies.
Why anonymous access fails
Pay-by-requester mode
When pay-by-requester mode is enabled on a bucket, anonymous access to that bucket is blocked—even if individual objects are set to public-read.
Pay-by-requester mode shifts traffic and request costs from the bucket owner to the requester. To charge the requester, OSS requires authentication information with every request. Because anonymous requests carry no authentication, OSS rejects them.
Bucket policies
A bucket policy can explicitly deny or restrict access for anonymous users. If such a policy exists, anonymous users cannot access the objects even if the object ACL is set to public-read.
Resolve the issue
Work through the following checks in order.
Step 1: Check pay-by-requester mode
Verify whether pay-by-requester mode is enabled on your bucket. If it is, choose one of the following options:
| Option | When to use | What to do |
|---|---|---|
| Generate a signed URL | Keep pay-by-requester enabled (you want requesters to bear costs) | As the bucket owner, generate a signed URL for the object. Anonymous users can access it via the signed URL without needing credentials. See How do I obtain the URL after uploading an object? |
| Disable pay-by-requester | Allow open anonymous access | Disable pay-by-requester mode on the bucket. See Set the pay-by-requester mode |
Step 2: Check bucket policies
Review the bucket policies on your bucket. If any policy denies or restricts anonymous user access, modify or delete that policy.
For instructions, see Use bucket policies to authorize other users to access OSS resources.
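The two checks above, combined into one offline diagnostic. This is an added example, not Alibaba Cloud code: it assumes you have already retrieved the bucket's request-payment `Payer` value and its policy JSON, it applies a simplified match (only `Deny` statements whose `Principal` includes `*`), and the function name, bucket name, UID and sample policy are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample policy for a hypothetical bucket "examplebucket".
_RES = "acs:oss:*:1234567890123456:examplebucket/"
SAMPLE_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Principal": ["*"], "Action": ["oss:GetObject"],
     "Resource": [_RES + "*"]},
    {"Effect": "Deny", "Principal": ["*"], "Action": ["oss:GetObject"],
     "Resource": [_RES + "private/*"]},
    {"Effect": "Deny", "Principal": ["*"], "Action": ["oss:*"],
     "Resource": [_RES + "*"],
     "Condition": {"NotIpAddress": {"acs:SourceIp": ["203.0.113.0/24"]}}},
]})


def _as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def anonymous_get_blockers(payer, policy_json, bucket, key):
    """List the bucket-level settings that can block an anonymous GET of key."""
    blockers = []
    # Step 1: pay-by-requester requires authentication on every request.
    if payer == "Requester":
        blockers.append("pay-by-requester enabled")
    # Step 2: find Deny statements that reach anonymous oss:GetObject.
    statements = json.loads(policy_json).get("Statement", []) if policy_json else []
    target = f"{bucket}/{key}"
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Deny":
            continue
        if "*" not in _as_list(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(fnmatchcase("oss:GetObject", a) for a in actions):
            continue
        # Compare against the "bucket/key-pattern" tail of each resource string.
        tails = [r.rsplit(":", 1)[-1] for r in _as_list(stmt.get("Resource"))]
        if not any(fnmatchcase(target, t) for t in tails):
            continue
        # A Condition means the deny applies only to some requests.
        kind = "conditional deny" if stmt.get("Condition") else "deny"
        blockers.append(f"policy statement {i}: {kind}")
    return blockers
```

An empty result means neither bucket-level setting explains the failure; a "conditional deny" entry needs a manual look at the statement's `Condition` block.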
Applicable scope
OSS