Why Can't I Access OBS (403 AccessDenied) After Being Granted with the OBS Access Permission?

Problem Description

By configuring IAM permissions, bucket policies, or bucket ACLs, you have been granted the permissions needed to access OBS. However, when you try to access OBS, the error message Access denied or 403 AccessDenied is displayed.

Problem Analysis

Possible causes are described here in order of how likely they are to occur. To locate the root cause as fast as possible, go through the list in order, from most likely to least.

If the fault persists after a possible cause is rectified, move down the list to the next most likely cause.

Note

Table 1 Problem Analysis
Possible Cause	Solution
The permissions did not take effect due to IAM caching.	Due to data caching, it can take about 10 to 15 minutes for a new IAM permission configuration to take effect. Try again in 10 to 15 minutes.
An incorrect account or access key (AK or SK) was used to access OBS.	If you do not have the permissions needed to access OBS, the login information, such as the account or AK/SK used was likely incorrect. Incorrect use of AK/SK is more common. For example, you may be using an AK/SK or password for a different account. Confirm the login credentials with the resource owner.
The permissions were incorrectly configured.	For details, see Checking Whether Permissions Are Correctly Configured.
URL validation was configured.	Modify the Referer field in the whitelist or blacklist by referring to Configuring URL Validation.

Checking Whether Permissions Are Correctly Configured

OBS provides multiple mechanisms for permissions management, and in some scenarios there may be dependencies involved. If you cannot access OBS, contact the person who assigned the permissions (usually the resource owner) to check whether the permissions were configured correctly. There are two critical elements to check: Resources (which resources access is granted to) and Actions (authorized operations). For commonly seen mistakes, see Table 2. If Condition is configured in the IAM permission or bucket policy, check whether the specified rules are met.

Table 2 Commonly seen mistakes in configuring Resources and Actions
Type	Common Mistake
Resources	You were granted access to a given bucket but tried to access a different bucket. You were granted access to a bucket but not to the objects in that bucket. You were granted access to view a bucket but not to perform any operations (for example, listing objects in the bucket). You were only granted access to certain objects in a bucket but tried to access other objects.
Actions	Actions configured incorrectly: For example, the download permission (GetObject) may have been mistakenly assigned instead of the upload permission (PutObject). Required actions are missing from the configuration: Some permissions required by OBS Console and OBS Browser+ for other actions are often ignored. The most often ignored actions are ListAllMyBuckets and ListBucket, which are needed for viewing a list of the buckets and of the objects in those buckets. Typical examples are described in: Why Is the Message "Access denied" Still Appearing After OBS System Permissions Were Assigned by IAM? Why Does Message "Access denied" Appear After I Was Granted the Read and Write Permissions for a Bucket?

Checking IAM permissions

On the top menu bar, choose Service List > Management & Deployment > Identity and Access Management. The IAM console is displayed.
On the Users page, search for the name of the user that could not access OBS. Click the name to check which user group the user belongs to.
On the User Groups page, search for the user group to which the user belongs. In the Operation column of the user group, click Manage Permissions to see which IAM permissions have been granted.

Checking the bucket policy

In the service list, choose Storage > Object Storage Service.
In the bucket list, search for the bucket that fails to be accessed and click the bucket name. The Objects page is displayed.
In the navigation pane, choose Permissions > Bucket Policies to view the configured bucket policies.

Checking the bucket ACL

In the service list, choose Storage > Object Storage Service.
In the bucket list, search for the bucket that fails to be accessed and click the bucket name. The Objects page is displayed.
In the navigation pane, click Permissions. The Bucket Policies tab page is displayed. Then go to the Bucket ACLs page to view the configured bucket ACLs.

Checking the object ACL

In the service list, choose Storage > Object Storage Service.
In the bucket list, search for the bucket that fails to be accessed and click the bucket name. The Objects page is displayed.
In the object list, search for the object that fails to be accessed and click the object name. On the page that is displayed, view the object ACL configuration on the Object ACL tab.

Parent topic: Access Control

Предыдущая статья

Why Does Message "Access denied" Appear After I Was Granted the Read and Write Permissions for a Bucket?

Следующая статья

How Do I Control Access to Folders in an OBS Bucket?

Была ли эта статья полезна?

Поддержка Юридические документы