This topic describes the causes of errors returned with HTTP status code 403 and the solutions to these errors.
AccessDenied
The bucket you are attempting to access must be addressed using the specified endpoint. Please send all future requests to this endpoint
Cause: The endpoint used to access the bucket is incorrect.
Solution: Make sure that you use the correct endpoint to access the bucket. For example, if you want to access a bucket in the China (Hangzhou) region (oss-cn-hangzhou), use the public endpoint of that region, oss-cn-hangzhou.aliyuncs.com. For more information about endpoints, see OSS domain names.
This request is forbidden by kms
Cause: You do not have the permissions to use Key Management Service (KMS).
Solution: Make sure that you have the permissions to use the customer master key (CMK). For more information, see Server-side encryption.
AccessDenied
Cause: You do not have the permissions to access the resources.
Solution:
Make sure that you use the correct AccessKey ID and AccessKey secret to access the resources. For more information, see Create an AccessKey pair.
Make sure that the RAM user has the permissions to perform operations on the bucket or the object that you want to manage.
You have no right to access this object
Cause: The RAM user that you use does not have the permissions to access the object.
Solution: Make sure that the RAM user that you use has the permissions to perform object-related operations. For more information about how to configure access permissions in different scenarios, see Tutorial: Use RAM policies to control access to OSS.
Anonymous user has no right to access this bucket
Cause: Anonymous users do not have the permissions to access the bucket.
Solution: Configure a bucket policy that grants anonymous users the permissions to access the bucket. For more information, see Configure bucket policies to authorize other users to access OSS resources.
Anonymous user has no right to access this object
Cause: Anonymous users do not have the permissions to access the object.
Solution: Configure a bucket policy that grants anonymous users the permissions to access specific resources in the bucket. For more information, see Configure bucket policies to authorize other users to access OSS resources.
You are denied by bucket referer policy
Cause: The domain name from which the request is initiated is not included in the Referer whitelist.
Solution: Configure a Referer whitelist for a bucket and specify whether to allow empty Referer fields. This way, only requests from the domain names that are included in the Referer whitelist can access the resources in the bucket. For more information, see Configure hotlink protection for a bucket.
Invalid according to Policy: Policy expired
Cause: The expiration time specified in the policy form field of the PostObject request has passed, so the policy is no longer valid.
Solution: Specify a valid value for the policy form field. The policy form field in a PostObject request is used to check the validity of the request. The value of the policy form field is a JSON string that is encoded in UTF-8 and Base64. This value specifies the conditions that must be matched for a PostObject request. The following code provides an example of the policy form field in a PostObject request:
{
  "expiration": "2014-12-01T12:00:00.000Z",
  "conditions": [
    {"bucket": "johnsmith"},
    ["starts-with", "$key", "user/eric/"]
  ]
}
For more information about the conditions that can be configured in the policy form field, see PostObject.
Invalid according to Policy: Policy Condition failed
Cause: The conditions specified in the policy form field are invalid.
Solution: Make sure that the conditions specified in the policy form field are valid. For more information about the conditions that can be configured in the policy form field and how the conditions are matched, see PostObject.
Invalid according to Policy: Policy Condition failed: ["eq", "$Content-Type", "image/png"]
Cause: The type of the object that you want to upload does not match the specified Content-Type value.
Solution: The Content-Type condition in the policy limits the type of the object that you want to upload. If you set Content-Type to image/png, you can upload only PNG images. Set the Content-Type header to the type of the object that you want to upload. For more information about the valid values of the Content-Type header, see How do I configure the Content-Type header?
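As an added example (not code from the OSS documentation), the following Python encodes a policy like the one above and evaluates a PostObject form against it, reproducing the three rejection reasons described in this section: an expired policy, a failed starts-with condition on the key, and a failed eq condition on Content-Type. The check_policy function, the way request fields are passed in, and the extra Content-Type condition are assumptions; the conditions OSS actually supports are listed in PostObject.

```python
import base64
import json
from datetime import datetime

# Constructed policy modelled on the page's example, with one extra condition
# of the kind that appears in the "Policy Condition failed" error on the page.
POLICY = {
    "expiration": "2014-12-01T12:00:00.000Z",
    "conditions": [
        {"bucket": "johnsmith"},
        ["starts-with", "$key", "user/eric/"],
        ["eq", "$Content-Type", "image/png"],
    ],
}
TIME_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"


def encode_policy(policy):
    """Serialize the policy as UTF-8 JSON and Base64-encode it, which is the
    value the policy form field carries in a PostObject request."""
    return base64.b64encode(json.dumps(policy).encode("utf-8")).decode("ascii")


def decode_policy(encoded):
    """Inverse of encode_policy: Base64-decode and parse the JSON."""
    return json.loads(base64.b64decode(encoded).decode("utf-8"))


def check_policy(encoded, fields, now_utc):
    """Hypothetical server-side evaluation of a PostObject form against the
    policy. `fields` maps request field names (bucket, key, Content-Type, ...)
    to their values; `now_utc` is a timestamp in the policy's own format.
    Returns "OK" or a reason phrased like the error messages in this section."""
    policy = decode_policy(encoded)
    expires = datetime.strptime(policy["expiration"], TIME_FMT)
    if datetime.strptime(now_utc, TIME_FMT) >= expires:
        return "Policy expired"
    for cond in policy["conditions"]:
        if isinstance(cond, dict):
            # {"bucket": "johnsmith"} is shorthand for ["eq", "$bucket", "johnsmith"]
            ((field, expected),) = cond.items()
            op = "eq"
        else:
            op, field, expected = cond
            field = field[1:] if field.startswith("$") else field
        actual = fields.get(field, "")
        if op == "eq":
            ok = actual == expected
        elif op == "starts-with":
            ok = actual.startswith(expected)
        else:
            raise ValueError(f"unsupported condition operator: {op}")
        if not ok:
            return f"Policy Condition failed: {json.dumps(cond)}"
    return "OK"
```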
Target object does not reside in the same data center as source object
Cause: Objects cannot be copied across buckets in different regions.
Solution: Make sure that the source bucket and the destination bucket are in the same region. For more information, see CopyObject.
Query string authentication requires the Signature, Expires and OSSAccessKeyId parameters
Cause: The required parameters are not included in the signed URL.
Solution: Include the following parameters in the signed URL: Signature, Expires, and OSSAccessKeyId. Example: http://oss-example.oss-cn-hangzhou.aliyuncs.com/oss-api.pdf?OSSAccessKeyId=nz2pc56s936**9l&Expires=1141889120&Signature=vjbyPxybdZaNmGa%2ByT272YEAiv****. For more information, see Add signatures to URLs.
Invalid date (should be seconds since epoch)
Cause: The value of the Expires parameter is invalid.
Solution: Specify a valid value for the Expires parameter. The Expires parameter specifies the point in time when the URL expires. The time follows the UNIX time format. It is the number of seconds that have elapsed since 00:00:00 Thursday, January 1, 1970. The time is in UTC.
Request has expired
Cause: The request has expired.
Solution: Configure the Expires parameter based on your business requirements. For more information about how to configure the Expires parameter when you upload an object, see PutObject, PostObject, AppendObject, and InitiateMultipartUpload.
You do not have read permission on this object
Cause: You do not have read permissions on the object.
Solution: Contact the object owner to obtain read permissions on the object.
You do not have write permission on this object
Cause: You do not have write permissions on the object.
Solution: Contact the object owner to obtain write permissions on the object.
You do not have read acl permission on this object
Cause: You do not have read permissions on the access control list (ACL) of the object.
Solution: Contact the object owner to obtain the permissions to perform the GetObjectACL operation on the object.
You do not have write acl permission on this object
Cause: You do not have write permissions on the ACL of the object.
Solution: Contact the object owner to obtain the permissions to perform the PutObjectACL operation on the object.
You have no right to access this object because of bucket acl
Cause: You do not have the permissions to access the object.
Solution: Obtain the required permissions on the object, such as PutObject, GetObject, and AppendObject. For more information, see Common examples of RAM policies.
Anonymous access is forbidden for this operation
Cause: Anonymous users do not have the permissions to perform the operation.
Solution: Configure a bucket policy that grants anonymous users the permissions to access specific resources in the bucket. For more information, see Configure bucket policies to authorize other users to access OSS resources.
Access denied by bucket policy
Cause: The access to the bucket is denied by the bucket policy.
Solution: Configure bucket policies based on your business requirements. For more information, see Configure bucket policies to authorize other users to access OSS resources.
Access denied by VPC endpoint policy
Cause: A bucket policy is configured for a virtual private cloud (VPC). As a result, unauthorized buckets cannot be accessed in the VPC.
Solution: Check the bucket policy configured for the VPC.
Hierarchical namespace is disabled
Cause: The hierarchical namespace feature is not enabled for the bucket.
Solution: Enable the hierarchical namespace feature when you create a bucket and rename the directory or the object. For more information about the regions and scenarios in which the hierarchical namespace feature can be used, see Enable hierarchical namespace.
Access denied by authorizer's policy
Cause: You do not have the permissions to perform this operation.
Solution: The permissions of temporary access credentials that are obtained from Security Token Service (STS) are the intersection of the permissions granted in Step 4 and Step 5 of the Use temporary credentials provided by STS to access OSS topic. Use the following examples to check the intersection of the permissions that you configured in these two steps.
Example 1
In the following figure, A indicates the permissions of the RAM role, B indicates the permissions specified by the policy parameter, and C indicates the final permissions of the temporary access credentials.
Example 2
In the following figure, A indicates the permissions of the RAM role, and B indicates the permissions specified by the policy parameter. The permissions specified by the policy parameter are a subset of the permissions of the RAM role. Therefore, B is the final permissions of the temporary access credentials.
AccessForbidden
CORSResponse: This CORS request is not allowed. This is usually because the evalution of Origin, request method / Access-Control-Request-Method or Access-Control-Requet-Headers are not whitelisted by the resource's CORS spec
Cause: Cross-origin resource sharing (CORS) is not configured for the bucket or the configured CORS rules are incorrect.
Solution: For more information, see Configure CORS.
PermanentRedirect
The bucket you are attempting to access must be addressed using the specified endpoint. Please send all future requests to this endpoint
Cause: The endpoint is not specified or an incorrect endpoint is specified when you use OSS SDKs to access a bucket. For example, if you use the default endpoint oss-cn-hangzhou.aliyuncs.com to access a bucket that you created in the China (Qingdao) region, this error message is returned.
Solution: Use the endpoint of the region in which the bucket is located to access the bucket. For example, if you want to access buckets in both the China (Hangzhou) and China (Qingdao) regions, we recommend that you create an OSSClient instance for each region: configure oss-cn-hangzhou.aliyuncs.com for the OSSClient instance used to access the bucket in the China (Hangzhou) region and oss-cn-qingdao.aliyuncs.com for the OSSClient instance used to access the bucket in the China (Qingdao) region.
SecondLevelDomainForbidden
The bucket you are attempting to access must be addressed using OSS third level domain
Cause: The domain name in the request is not a third-level domain name.
Solution: Use third-level domain names that include the bucket name in all requests except those that perform the GetService (ListBuckets) operation. The domain name used to access a bucket is in the BucketName.Endpoint format, where BucketName is the name of the bucket and Endpoint is the endpoint of the region in which the bucket is located. Example: https://examplebucket.oss-cn-hangzhou.aliyuncs.com.
Please use virtual hosted style to access
Cause: The URL that you used to access OSS is invalid.
Solution: Use a URL in the following format to access OSS resources over the Internet: <Schema>://<Bucket>.<Public endpoint>/<Object>. In this URL, Schema is the protocol used to access the object (HTTP or HTTPS), Bucket is the name of the bucket that contains the object, Public endpoint is the public endpoint of the region in which the bucket is located, and Object is the path of the uploaded object. For example, to access an object named example.txt in the destfolder directory of the bucket named examplebucket in the China (Hangzhou) region, use the following URL: https://examplebucket.oss-cn-hangzhou.aliyuncs.com/destfolder/example.txt.
NonStandardHostForbidden
Your host is invalid. Please use Open Storage Service standard host
Cause: The domain name used to access OSS is invalid.
Solution: Use a standard domain name to access OSS resources. For more information, see OSS domain names.
KmsUbsmsInvalidBid
Your account partner does not have KMS Service
Cause: KMS is not activated.
Solution: Activate KMS before you use the SSE-KMS method to encrypt data in OSS. For more information, see Purchase a dedicated KMS instance.
KmsInDebt
Current user is indebted
Cause: Your Alibaba Cloud account has overdue payments. A notification is sent to you and your access to KMS is denied.
Solution: Make sure that your Alibaba Cloud account does not have overdue payments when you use KMS.
WORMConfigurationLocked
The WORM Configuration is locked
Cause: You attempt to delete a locked retention policy.
Solution: Do not delete a locked retention policy. Locked retention policies cannot be deleted. The protection period specified by the retention policy cannot be shortened but can be extended. For more information, see Retention policies.
BucketNotBelongTo
The bucket you access does not belong to you
Cause: You are not the owner of the bucket.
Solution: Make sure that you are the bucket owner before you perform the operation. Only the bucket owner can perform the operation.
InvalidAccessKeyId
The OSS Access Key Id you provided is disabled
Cause: The AccessKey ID is disabled.
Solution: Enable the AccessKey pair.
The OSS Access Key Id you provided does not exist in our records
Cause: The AccessKey pair becomes invalid after the temporary access credentials expire.
Solution: Use the AccessKey pair to apply for new temporary access credentials from the app server. For more information, see Use temporary credentials provided by STS to access OSS.
The OSS Access Key Id contains non-acceptable characters, which accepts only alphanumeric characters[0-9a-zA-Z] and several special characters[._=]
Cause: The AccessKey ID is invalid.
Solution: Enter the AccessKey ID of a RAM user or your Alibaba Cloud account. For more information, see Create an AccessKey pair.
SignatureDoesNotMatch
The request signature we calculated does not match the signature you provided
Cause: When you call an API operation or use an OSS SDK to access OSS, the client must include a signature for the OSS server to perform identity authentication. If the server returns the preceding error message, the signature that you provided in the request is inconsistent with the signature calculated by the server. As a result, the request is rejected.
Solution: Perform the following steps to troubleshoot the error:
Check whether the AccessKey ID and AccessKey secret are valid.
You can use the AccessKey ID and AccessKey secret to log on to ossbrowser to check whether the AccessKey ID and AccessKey secret are valid. For more information, see Install and log on to ossbrowser.
Check whether the signature algorithm is valid.
OSS provides two request methods that can include signatures. For more information, see Include signatures in the Authorization header and Add signatures to URLs. The following items describe the algorithms for the two signature methods:
Include signatures in the Authorization header
StringToSign = VERB + "\n" + Content-MD5 + "\n" + Content-Type + "\n" + Date + "\n" + CanonicalizedOSSHeaders + CanonicalizedResource
Signature = base64(hmac-sha1(AccessKeySecret, StringToSign))
Add signatures to URLs
StringToSign = VERB + "\n" + CONTENT-MD5 + "\n" + CONTENT-TYPE + "\n" + EXPIRES + "\n" + CanonicalizedOSSHeaders + CanonicalizedResource
Signature = urlencode(base64(hmac-sha1(AccessKeySecret, StringToSign)))
We recommend that you use OSS SDKs to access OSS. This eliminates the need to manually calculate the signature. For more information, see Overview.
Check whether the value of the StringToSign field in the response body is consistent with that in the request. The StringToSign field specifies the string to be signed, which is the content that the signature algorithm signs with the AccessKey secret (HMAC-SHA1). Examples:
PUT /bucket/abc?acl
Date: Wed, 24 May 2023 02:12:30 GMT
Authorization: OSS qn6q**************:77Dv****************
x-oss-abc: mymeta
The string to be signed, calculated by using the preceding method:
PUT\n\n\nWed, 24 May 2023 02:12:30 GMT\nx-oss-abc:mymeta\n/bucket/abc?acl
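The following Python, added here and not part of the OSS documentation or SDKs, builds StringToSign for both signing methods from a request's verb, headers and resource, computes base64(hmac-sha1(...)), and reproduces the server-side comparison behind SignatureDoesNotMatch. The sub-resource list is a partial one taken from the OSS signing rules and the secret is constructed; applied to the PUT request above, string_to_sign returns exactly the string shown.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Query parameters that OSS treats as sub-resources in CanonicalizedResource.
# Partial list from the OSS signing rules (assumption); the page only needs "acl".
SUBRESOURCES = {"acl", "uploads", "uploadId", "partNumber", "delete", "cors",
                "lifecycle", "logging", "website", "referer", "tagging"}


def _header(headers, name):
    """Case-insensitive header lookup; empty string when the header is absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")


def canonicalized_oss_headers(headers):
    """Keep only x-oss-* headers, lower-case their names, sort them, and emit
    one name:value line per header, each terminated by \\n (empty if none)."""
    oss = {k.lower().strip(): str(v).strip()
           for k, v in headers.items() if k.lower().startswith("x-oss-")}
    return "".join(f"{k}:{oss[k]}\n" for k in sorted(oss))


def canonicalized_resource(bucket, key, query):
    """/bucket/key followed by the sorted sub-resource parameters, e.g. ?acl."""
    res = f"/{bucket}/{key}" if bucket else "/"
    subs = sorted(k for k in query if k in SUBRESOURCES)
    if subs:
        res += "?" + "&".join(k if query[k] is None else f"{k}={query[k]}"
                              for k in subs)
    return res


def string_to_sign(verb, headers, bucket, key, query, date_or_expires):
    """VERB, Content-MD5, Content-Type and Date (or Expires for signed URLs),
    each followed by \\n, then CanonicalizedOSSHeaders + CanonicalizedResource."""
    return "\n".join([verb, _header(headers, "Content-MD5"),
                      _header(headers, "Content-Type"), date_or_expires,
                      canonicalized_oss_headers(headers)
                      + canonicalized_resource(bucket, key, query)])


def header_signature(secret, sts):
    """Signature = base64(hmac-sha1(AccessKeySecret, StringToSign))."""
    mac = hmac.new(secret.encode("utf-8"), sts.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def url_signature(secret, sts):
    """Signed-URL variant: the same value, additionally percent-encoded."""
    return quote(header_signature(secret, sts), safe="")


def authorization_header(access_key_id, secret, sts):
    """Authorization header value in the form "OSS <AccessKeyId>:<Signature>"."""
    return f"OSS {access_key_id}:{header_signature(secret, sts)}"


def verify_header_signature(secret, sts, provided):
    """The server-side check behind SignatureDoesNotMatch: recompute the
    signature from the server's own StringToSign and compare in constant time."""
    return hmac.compare_digest(header_signature(secret, sts), provided)
```

When debugging this error, compare the StringToSign your client built with the one the server echoes in the response body; any difference in header canonicalization, date, or sub-resource ordering changes the HMAC.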
TransferAccelerationDisabled
Transfer acceleration is disabled
Cause: Transfer acceleration is disabled.
Solution: Enable transfer acceleration if you want to accelerate remote data transfer, accelerate the upload and download of objects of gigabytes or terabytes in size, and accelerate the download of non-static and non-hot data. For more information, see Enable transfer acceleration.
InvalidSecurityToken
The security token you provided is invalid
Cause: The temporary access credentials used to access OSS are invalid.
Solution: For information about how to fix the error, see Use temporary credentials provided by STS to access OSS.
AccessKeyIdAndSecurityTokenNotMatch
The OSS access key id and security token you provided does not match
Cause: The AccessKey pair provided by the user does not match the temporary access credentials used to access OSS.
Solution: For information about how to fix the error, see Use temporary credentials provided by STS to access OSS.
SecurityTokenExpired
The security token you provided has expired
Cause: The temporary access credentials used to access OSS expired.
Solution: Send a request to obtain new temporary access credentials from STS.
AbnormalBucketOwnerStatus
The status of the bucket owner is abnormal
Cause: The service is not available for the bucket owner.
Solution: Check whether the Alibaba Cloud account of the bucket owner is canceled, restricted due to security reasons, or suspended due to overdue payments.
SecurityTokenNotSupported
This interface does not support security token
Cause: The current operation cannot be called by users who have only temporary access credentials.
Solution: Use other methods instead of STS tokens to grant the required permissions to users to access your buckets. You can use STS tokens to grant the permissions only to specific users for temporary access to OSS resources. For more information about authorization methods, see Overview.
Security token is not supported in this region
Cause: STS tokens are not supported in the current region.
Solution: Use methods other than STS tokens to grant users the permissions to access your buckets. For more information about the regions that support STS tokens, see Endpoints.
RequestTimeTooSkewed
The difference between the request time and the current time is too large
Cause: The time when the request is initiated is at least 15 minutes earlier than the current time of the OSS server.
Solution: Check the system time of the device used to send the request and change the system time based on your time zone.
You can change the system time of the device that you use to send the request based on the following guidelines:
OSS uses Greenwich Mean Time (GMT) as the system time. Therefore, the system time of your device must be set to GMT or a time zone relative to GMT. For example, GMT+00:00 is a time zone relative to GMT.
To check the time zone of your device that runs Windows, choose . For example, if the Time Zone column displays +08:00, your device is in the GMT+08:00 time zone.
To check the time zone of your device that runs Linux or UNIX, run the date -R command.
In the following figure, +0800 indicates that the device is in the GMT+08:00 time zone.
You can use OSS in multiple regions. OSS uses GMT as the system time in all regions. Therefore, the system time of your device used to send requests must also be in GMT.
ImageDamage
The image file may be damaged
Cause: The image cannot be identified or processed due to damaged or missing data.
Solution: Make sure that the image is not damaged. If the image is damaged, reupload the image.
UserDisable
UserDisable
Causes:
Your account is disabled due to overdue payments or security reasons.
OSS is not activated.
Solutions:
Check whether your account has overdue payments or contact technical support to perform a security check.
Activate OSS.
BucketDisable
BucketDisable
Cause: The bucket is disabled due to security reasons.
Solution: Check whether your account has overdue payments or contact technical support to perform a security check.
CnameDenied
The cname belongs to another user
Cause: The domain name is mapped to another bucket.
Solution: Use another domain name or verify the ownership of the domain name and forcibly map the domain name to the bucket. If you forcibly map the domain name to the bucket, the domain name is unmapped from the previous bucket. For more information, see Map custom domain names.
InvalidObjectState
The operation is not valid for the object's state
Cause: If one of the following conditions is met, the state of an Archive object becomes invalid:
The RestoreObject request sent for the object timed out or was not initiated.
The RestoreObject request sent for the object was initiated but the object was not restored.
Solution: For information about how to fix the error, see RestoreObject.