DVC 403 / AccessDenied from S3, GCS, or Azure remote in CI
The remote returned 403 / AccessDenied: DVC reached S3, GCS, or Azure with credentials, but the identity behind them lacks permission on the bucket or prefix that holds the DVC cache. Unlike a missing-credentials 401, retrying will not help.
What this error means
dvc pull fails with an "AccessDenied" or "403 Forbidden" wrapped in "failed to pull data from the cloud". Public objects or other buckets may work while the DVC store does not.
ERROR: failed to pull data from the cloud - 3 files failed to download
An error occurred (403) when calling the HeadObject operation: ForbiddenCommon causes
The role or key lacks read on the store prefix
The IAM/GCS/Azure policy allows the account but not the specific bucket path where DVC keeps objects, so HeadObject/GetObject is denied.
Wrong bucket, region, or account for the OIDC role
The assumed role belongs to a different account or region than the remote URL, so every request is forbidden.
How to fix it
Grant read on the DVC store path
Extend the CI principal policy to read the exact bucket and prefix the remote points at.
{
"Effect": "Allow",
"Action": ["s3:GetObject", "s3:ListBucket"],
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/dvcstore/*"
]
}Verify the remote URL matches the credentials
- Confirm
dvc remote listpoints at the bucket the role can access. - Check the region and account of the OIDC role match the remote.
- Re-run
dvc pullafter aligning them.
dvc remote list
dvc remote modify storage region us-east-1How to prevent it
- Scope the CI role to exactly the DVC store bucket and prefix.
- Keep the remote region and the credential region aligned.
- Test read access with a small
dvc pullin a pipeline smoke step.