An explicit Deny statement in a RAM policy blocked the request.
Problem description
Your request is denied because a RAM policy attached to the RAM user contains a Deny statement that matches the request.
Note: If the error response shows NoPermissionType: ImplicitDeny instead, no Allow statement exists for the action. See How do I troubleshoot an access denied error? for that case.
Causes
OSS access denied errors fall into two types:
Explicit deny: A RAM policy contains a Deny statement for the specific action. The request is blocked regardless of any Allow statements.
Implicit deny: No Deny statement exists, but there is also no Allow statement for the action. The request is blocked by default.
Error code 0003-00000201 indicates an explicit deny. The RAM policy attached to the RAM user contains a Deny statement that matches the requested action on the bucket or object.
Examples
A RAM user with the following RAM policy attempts a PutBucketReferer request on mybucket:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ["oss:PutBucketReferer"],
      "Resource": ["acs:oss:*:*:mybucket"]
    }
  ]
}
The policy denies the PutBucketReferer action on mybucket, so the request is blocked even if another statement or policy allows it. OSS rejects the request and returns:
<?xml version="1.0" encoding="UTF-8"?>
<Error>
  <Code>AccessDenied</Code>
  <Message>Access denied by bucket policy.</Message>
  <RequestId>65AF5037***5347E6D09</RequestId>
  <HostId>mybucket.oss-cn-hangzhou.aliyuncs.com</HostId>
  <AccessDeniedDetail>
    <PolicyType>AccountLevelIdentityBasedPolicy</PolicyType>
    <AuthPrincipalOwnerId>10323***2056</AuthPrincipalOwnerId>
    <AuthPrincipalType>SubUser</AuthPrincipalType>
    <AuthPrincipalDisplayName>20587***54611</AuthPrincipalDisplayName>
    <NoPermissionType>ExplicitDeny</NoPermissionType>
    <AuthAction>oss:PutBucketReferer</AuthAction>
    <EncodedDiagnosticMessage>AQIBIAAAACB1******WAaW7O7kNSJdFn5klF//79WvW+QLnFa1ZRhLyP6w7*****4oGB5vXTQZJmWh8tkIRG6vFf7gGLSp8vsVjGwF***Sb6kUQ==</EncodedDiagnosticMessage>
  </AccessDeniedDetail>
  <Bucket>dinary</Bucket>
  <User>205871000474254611</User>
  <EC>0003-00000201</EC>
  <RecommendDoc>https://api.aliyun.com/troubleshoot?q=0003-00000201</RecommendDoc>
</Error>
Key fields in the AccessDeniedDetail block:
| Field | What it tells you |
|---|---|
| NoPermissionType | ExplicitDeny confirms that a Deny statement blocked the request (ImplicitDeny would mean that no Allow statement matched) |
| AuthAction | The exact OSS action that was denied (for example, oss:PutBucketReferer) |
| PolicyType | The kind of policy that produced the decision; AccountLevelIdentityBasedPolicy means a RAM policy attached to the identity (RAM user or role), not a bucket policy |
| EncodedDiagnosticMessage | Opaque, encoded diagnostic data; decode it (see Solutions) for a full root-cause analysis |

Note that in the sample above the top-level Message field reads "Access denied by bucket policy." while PolicyType identifies an identity-based policy. Rely on the AccessDeniedDetail fields, not the Message text, to determine which policy blocked the request.
Solutions
1. Check whether the request matches a Deny rule in the RAM policies attached to the RAM user. Locate the Deny statement whose Action matches the AuthAction value in the error response and whose Resource covers the bucket (or object) you requested. Remove that statement, or narrow its Action or Resource if the Deny is intended for other cases. A Deny always wins over an Allow, so adding an Allow statement does not resolve an ExplicitDeny.
2. If the root cause is unclear, decode the EncodedDiagnosticMessage field for a detailed diagnosis. Required permission: ram:DecodeDiagnosticMessage on your Alibaba Cloud account.
3. If you have this permission, copy the EncodedDiagnosticMessage value and paste it into the Troubleshoot page (the RecommendDoc URL in the error response, https://api.aliyun.com/troubleshoot?q=0003-00000201, points to it).
4. If you don't have this permission, provide the value to your account administrator. The administrator can open the Troubleshoot page, decode the message, and update the authorization rules based on the result.
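The following script automates the first step above for the Examples section and the Solutions procedure: it parses an OSS AccessDenied response, reads NoPermissionType and AuthAction from AccessDeniedDetail, and then searches a RAM policy for the Deny statement (or, for ImplicitDeny, the missing Allow) that decided the request. It is an added example written for this page, not Alibaba Cloud tooling. The embedded error XML is the page's sample with the bucket name normalised to mybucket so that it lines up with the page's policy (a constructed input, so the script runs offline), and the policy matcher is a deliberately reduced model of RAM evaluation (an assumption): it handles Effect, Action and Resource with `*` and `?` wildcards and ignores Condition, NotAction and NotResource. The resource ARN is built as a bucket ARN, which assumes a bucket-level action.

```python
"""Triage an OSS AccessDenied response and locate the RAM statement behind it.

Added example for this page, not Alibaba Cloud tooling. Policy matching is a
reduced model of RAM evaluation (assumption): Effect, Action and Resource with
'*' and '?' wildcards only; Condition, NotAction and NotResource are ignored.
"""
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample input: the page's error response, bucket renamed to mybucket.
ERROR_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Error>
  <Code>AccessDenied</Code>
  <Message>Access denied by bucket policy.</Message>
  <RequestId>65AF5037***5347E6D09</RequestId>
  <HostId>mybucket.oss-cn-hangzhou.aliyuncs.com</HostId>
  <AccessDeniedDetail>
    <PolicyType>AccountLevelIdentityBasedPolicy</PolicyType>
    <AuthPrincipalType>SubUser</AuthPrincipalType>
    <NoPermissionType>ExplicitDeny</NoPermissionType>
    <AuthAction>oss:PutBucketReferer</AuthAction>
    <EncodedDiagnosticMessage>AQIBIAAAACB1******</EncodedDiagnosticMessage>
  </AccessDeniedDetail>
  <Bucket>mybucket</Bucket>
  <EC>0003-00000201</EC>
</Error>"""

# The RAM policy from the page's example.
RAM_POLICY = json.loads("""
{"Version": "1",
 "Statement": [{"Effect": "Deny",
                "Action": ["oss:PutBucketReferer"],
                "Resource": ["acs:oss:*:*:mybucket"]}]}""")

DETAIL_TAGS = ("PolicyType", "AuthPrincipalType", "NoPermissionType",
               "AuthAction", "EncodedDiagnosticMessage")


def parse_access_denied(xml_text: str) -> dict:
    """Pull the fields that matter for triage out of an OSS <Error> document."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "Error" or root.findtext("Code") != "AccessDenied":
        raise ValueError("not an OSS AccessDenied response")
    fields = {tag: root.findtext(tag) for tag in ("Code", "EC", "Bucket")}
    detail = root.find("AccessDeniedDetail")
    for tag in DETAIL_TAGS:
        fields[tag] = detail.findtext(tag) if detail is not None else None
    return fields


def _wild(pattern: str, value: str) -> bool:
    """RAM-style wildcard match: '*' is any run of characters, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def find_matching(policy: dict, action: str, resource: str, effect: str) -> list:
    """Return the statements with the given Effect whose Action and Resource match."""
    hits = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != effect:
            continue
        if any(_wild(p, action) for p in _as_list(stmt.get("Action", []))) and \
           any(_wild(p, resource) for p in _as_list(stmt.get("Resource", []))):
            hits.append(stmt)
    return hits


def triage(xml_text: str, policy: dict) -> dict:
    """Map the response onto the policy and report which statement(s) decided it."""
    err = parse_access_denied(xml_text)
    action, kind = err["AuthAction"], err["NoPermissionType"]
    resource = f"acs:oss:*:*:{err['Bucket']}"  # assumption: bucket-level action
    result = {"kind": "other", "action": action, "resource": resource,
              "statements": [], "next_step": f"unhandled NoPermissionType {kind!r}"}
    if kind == "ExplicitDeny":
        stmts = find_matching(policy, action, resource, "Deny")
        result.update(kind="explicit_deny", statements=stmts, next_step=(
            "remove or narrow the Deny statement(s) listed; an Allow cannot override them"
            if stmts else "no Deny here matched; check the principal's other policies "
                          "or decode EncodedDiagnosticMessage"))
    elif kind == "ImplicitDeny":
        stmts = find_matching(policy, action, resource, "Allow")
        result.update(kind="implicit_deny", statements=stmts, next_step=(
            "no Allow matched; add one for this action and resource" if not stmts
            else "an Allow matches here; verify this policy is attached to the principal"))
    return result


if __name__ == "__main__":
    print(json.dumps(triage(ERROR_XML, RAM_POLICY), indent=2))
```

Run it against the response body your client received and the policy JSON copied from the RAM console; for object-level actions, extend the resource string with the object key before matching. A result of `explicit_deny` with an empty statement list means the Deny lives in a policy you did not feed the script, which is exactly the case where decoding EncodedDiagnosticMessage is the faster route.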