Problem description
A batch operation request fails with an access denied error because it matches an explicit Deny rule in the bucket policy or the RAM policy attached to the requester.
Causes
OSS evaluates both bucket policies and RAM policies before processing any request. If a policy contains an explicit Deny statement that matches the request — based on the action, resource, or conditions — OSS rejects the request immediately, regardless of any Allow rules that may also apply.
This differs from an implicit denial, where a request is rejected because no Allow rule covers it. An explicit Deny always takes precedence over any Allow.
Examples
A RAM user attempts to delete objects whose names start with /private/. The RAM policy attached to that user contains an explicit Deny for oss:DeleteObject on objects under the /private/ prefix. OSS matches the request against this rule and denies it.
Solutions
Check whether the request matches a Deny rule in the bucket policy, the RAM policy, or both, then update the policy to remove or narrow the rule.
Check the bucket policy
Log in to the OSS console.
In the left navigation pane, click Buckets, then click the name of the target bucket.
Go to Permissions > Bucket Policy.
Review each Deny statement. Check whether the Action, Resource, and Condition fields match the failed request.
Update the policy to remove or restrict the Deny rule.
For more information, see Bucket policies and Common examples of bucket policy.
Check the RAM policy
Log in to the RAM console.
In the left navigation pane, go to Identities > Users, then click the name of the RAM user that initiated the request.
On the Permissions tab, find the policies attached to the user.
Click each policy to view its content. Look for Deny statements that match the failed action and resource.
Update the policy to remove or restrict the Deny rule.
For more information, see RAM policies and Common examples of RAM policies.
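The manual review described in both procedures above can be scripted against an exported policy document. The following is an added example, not code from the OSS or RAM documentation: it lists every Deny statement whose Action and Resource cover a failed request. The bucket name examplebucket, the sample policy, and the function names are constructed for illustration. The matcher only handles the Action and Resource elements with the * and ? wildcards; Principal and Condition are not evaluated, so statements carrying a Condition are flagged for manual review.

```python
import re


def _wild(pattern, value):
    # Policy wildcards: '*' matches any run of characters, '?' exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None


def _as_list(v):
    # Action and Resource may be a single string or a list of strings.
    return v if isinstance(v, list) else [v]


def matching_denies(policy, action, resource):
    """Return (index, statement, has_condition) for each Deny statement
    whose Action and Resource both cover the failed request."""
    hits = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Deny":
            continue
        if not any(_wild(a, action) for a in _as_list(st.get("Action", []))):
            continue
        if not any(_wild(r, resource) for r in _as_list(st.get("Resource", []))):
            continue
        # Conditions are not evaluated here; the caller must check them by hand.
        hits.append((i, st, bool(st.get("Condition"))))
    return hits


# Constructed sample policy modeled on the scenario in the Examples section.
SAMPLE_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "oss:*",
         "Resource": "acs:oss:*:*:examplebucket/*"},
        {"Effect": "Deny", "Action": ["oss:DeleteObject"],
         "Resource": ["acs:oss:*:*:examplebucket/private/*"]},
    ],
}

if __name__ == "__main__":
    failed = ("oss:DeleteObject", "acs:oss:*:*:examplebucket/private/report.csv")
    for idx, st, has_cond in matching_denies(SAMPLE_POLICY, *failed):
        note = " (has Condition, verify manually)" if has_cond else ""
        print(f"Statement[{idx}] explicitly denies {failed[0]}{note}: {st}")
```

Run it once against the bucket policy and once against each RAM policy attached to the requester, since a matching Deny in either one is enough to reject the request.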