Problem description
The request is denied by the policy that is configured for the security token generated by Security Token Service (STS).
Causes
The policy parameter in the code for obtaining the security token from STS causes a permission problem.
Examples
For example, in the following Java sample code for obtaining a security token, the policy parameter specifies the permissions associated with the security token. The actual permissions applied to the security token are the intersection of the role permissions and the permissions in the policy parameter in the code for obtaining the security token:
Solutions
Check the permissions specified by the policy parameter in the OSS API operation. For more information, see Use temporary credentials provided by STS to access OSS. The actual permissions that are applied to a security token are the intersection of the role permissions granted in Step 4: Grant the role permissions to upload objects to OSS and the permissions specified by the policy parameter in Step 5: Obtain temporary access credentials. Use the following examples to check the intersection of the permissions you configured in these two steps.
Example 1
If the role permission configured in Step 4 is the AliyunOSSFullAccess system permission and the oss:PutObject permission is configured in Step 5, the temporary access credentials finally obtain the oss:PutObject permission. In this case, you can only upload objects to the specified bucket.
Example 2
If the role permission configured in Step 4 is the oss:PutObject system permission and the oss:GetObject permission is configured in Step 5, the temporary access credentials cannot obtain any permissions and no operations can be performed on the specified bucket.
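The intersection rule from Example 1 and Example 2, modelled as an added example (not code from the original page or from Alibaba Cloud). The bucket name examplebucket, the policy documents and the simplified evaluation (wildcard matching on Action and Resource, explicit Deny wins, Condition ignored) are assumptions made for illustration.

```python
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def policy_allows(policy, action, resource):
    """True if a matching Allow exists and no matching Deny (Condition is ignored)."""
    allowed = False
    for stmt in policy["Statement"]:
        hit = (any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
               and any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and stmt["Effect"] == "Allow")
    return allowed

def effective_actions(role_policy, session_policy, actions, resource):
    """Actions the security token can perform: those allowed by BOTH policies."""
    return [a for a in actions
            if policy_allows(role_policy, a, resource)
            and policy_allows(session_policy, a, resource)]

# Constructed sample policies (assumed shapes, not copied from the page).
# FULL_ACCESS stands in for the AliyunOSSFullAccess system policy.
FULL_ACCESS = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "oss:*", "Resource": "*"}]}

def single_action(action):
    """Policy that allows one action on objects in the hypothetical examplebucket."""
    return {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": [action],
         "Resource": ["acs:oss:*:*:examplebucket/*"]}]}

ACTIONS = ["oss:PutObject", "oss:GetObject", "oss:DeleteObject"]
OBJECT = "acs:oss:*:*:examplebucket/photos/cat.jpg"

if __name__ == "__main__":
    # Example 1: full-access role (Step 4), oss:PutObject in the policy parameter (Step 5)
    print("Example 1:", effective_actions(
        FULL_ACCESS, single_action("oss:PutObject"), ACTIONS, OBJECT))
    # Example 2: oss:PutObject role (Step 4), oss:GetObject in the policy parameter (Step 5)
    print("Example 2:", effective_actions(
        single_action("oss:PutObject"), single_action("oss:GetObject"), ACTIONS, OBJECT))
```

An empty result for the action you expect to work means the role policy and the policy parameter do not overlap for that action and resource, which is the condition this error reports.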