0003-00000203

Problem description

Your request was denied because both the bucket policy and the RAM policy contain an explicit Deny rule for the requested action. OSS denies the request only when both policies contain a matching Deny rule simultaneously.

Causes

The request matched a Deny rule in the bucket policy and a Deny rule in the RAM policy at the same time.

Examples

A RAM user attempts to delete objects whose names start with the /private/ prefix. Both of the following Deny rules apply:

  • The bucket policy explicitly denies oss:DeleteObject on objects prefixed with /private/.

  • The RAM policy of the RAM user also explicitly denies oss:DeleteObject on objects prefixed with /private/.

Because both policies contain a matching Deny rule, OSS returns the error.

Solutions

  1. Open the bucket policy and check whether any rule denies the action for the requested resource. See bucket policy examples for reference.

  2. Open the RAM policy attached to the RAM user or role and check whether any rule denies the same action. See common examples of RAM policies for reference.

  3. If both policies contain a matching Deny rule, update at least one of them to remove or narrow the Deny rule so it no longer applies to the request.
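The three checks above can be run offline against exported copies of the two policy documents. The script below is an added example, not code from the OSS documentation. The bucket name, account ID, policy contents and function names are constructed for illustration, and the matcher assumes case-sensitive `*`/`?` wildcards and skips Principal and Condition evaluation.

```python
import re

def _wild(pattern, value):
    """Match a policy pattern where * is any run of characters and ? is one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None

def _as_list(value):
    """Action/Resource/Statement may be a single item or a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]

def matching_denies(policy, action, resource):
    """Return Deny statements whose Action and Resource cover the request.

    Principal, Condition, NotAction and NotResource are not evaluated, so a
    hit means "review this statement", not "this statement certainly applied".
    """
    hits = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        if (any(_wild(a, action) for a in _as_list(stmt.get("Action")))
                and any(_wild(r, resource) for r in _as_list(stmt.get("Resource")))):
            hits.append(stmt)
    return hits

def diagnose(bucket_policy, ram_policy, action, resource):
    """Report which policy (or both) holds a Deny that covers the request."""
    bucket = matching_denies(bucket_policy, action, resource)
    ram = matching_denies(ram_policy, action, resource)
    return {"bucket": bucket, "ram": ram, "both_deny": bool(bucket and ram)}

# Constructed sample policies mirroring the /private/ example above.
PRIVATE = "acs:oss:*:*:examplebucket/private/*"
BUCKET_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Deny", "Principal": ["*"],
     "Action": ["oss:DeleteObject"], "Resource": [PRIVATE]}]}
RAM_POLICY = {"Version": "1", "Statement": {
    "Effect": "Deny", "Action": "oss:Delete*", "Resource": PRIVATE}}

if __name__ == "__main__":
    req = "acs:oss:oss-cn-hangzhou:1234567890123456:examplebucket/private/report.csv"
    result = diagnose(BUCKET_POLICY, RAM_POLICY, "oss:DeleteObject", req)
    print("both policies deny:", result["both_deny"])
```

Rerunning `diagnose` after editing one of the policies shows whether the change in step 3 removed the overlap for the specific request that failed.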

References