Users are unable to create buckets in Tenant Object Storage Extension (OSE). The UI reports the error:
“This bucket name already exists.”
However, backend logs indicate an S3 authorization failure rather than an actual name-conflict issue.
/opt/vmware/voss/log/ose-pod.log indicates:
[XNIO-2 task-11] ERROR c.vmware.voss.resource.ResourceBase- Request 4########################################## has failed. com.a#######.services.s3.model.AmazonS3Exception: Forbidden (Service: AmazonS3; Status Code: 403; Error Code: 403 Forbidden; Request ID: 1################################;
VMware Cloud Director 10.6.x
Object Storage Extension (OSE 3.1.0-246734)
The S3 user being used by OSE does not have the required permissions in MinIO to perform bucket-related operations.
Missing or incorrect IAM policy assignment in MinIO results in the S3 API rejecting the call.
Log in to the MinIO Web Console.
Navigate to IAM → Policies.
Ensure that a policy with readwrite privileges exists.
This policy must include:
List bucket
Create bucket
Get bucket
Delete bucket
Object read/write operations
Confirm that the IAM user configured in OSE is assigned this readwrite policy.
After applying the correct policy, retry bucket creation from OSE.
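The policy check in the steps above can also be done offline. The following Python is an added example, not VMware or MinIO code: given the policy JSON as shown in the MinIO console, it reports which of the listed operations the policy fails to grant. The mapping of those operations to S3 action names, and the rule that only grants covering all buckets are counted, are assumptions of this example.

```python
import json
from fnmatch import fnmatchcase

# Assumption: S3 action names chosen here for the operations the article lists.
REQUIRED = {
    "List bucket": ["s3:ListBucket"],
    "Create bucket": ["s3:CreateBucket"],
    "Get bucket": ["s3:GetBucketLocation"],
    "Delete bucket": ["s3:DeleteBucket"],
    "Object read/write": ["s3:GetObject", "s3:PutObject"],
}
ALL_RESOURCES = {"*", "arn:aws:s3:::*"}


def _as_list(value):
    """Policy fields may be a single string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _covers(patterns, action):
    """True if any pattern (with * or ? wildcards) matches the action name."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def missing_operations(policy_json):
    """Return the listed operations that the policy does not fully grant."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    allow, deny = [], []
    for stmt in statements:
        actions = _as_list(stmt.get("Action"))
        if stmt.get("Effect") == "Deny":
            deny += actions  # conservative: any explicit Deny counts
        elif stmt.get("Effect") == "Allow" and ALL_RESOURCES & set(_as_list(stmt.get("Resource"))):
            allow += actions  # only grants that span every bucket count
    return [op for op, needed in REQUIRED.items()
            if not all(_covers(allow, a) and not _covers(deny, a) for a in needed)]


# Constructed sample policies (not taken from the article or a live system).
READWRITE = '{"Statement":[{"Effect":"Allow","Action":["s3:*"],"Resource":["arn:aws:s3:::*"]}]}'
READ_ONLY = ('{"Statement":[{"Effect":"Allow","Action":["s3:GetBucketLocation","s3:GetObject"],'
             '"Resource":["arn:aws:s3:::*"]}]}')

if __name__ == "__main__":
    print("readwrite missing:", missing_operations(READWRITE))
    print("read-only missing:", missing_operations(READ_ONLY))
```

An empty result means the policy grants every operation in the list; any operation that is returned is a candidate cause of the 403 seen in ose-pod.log.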
OSE interacts with the S3 backend (MinIO) using the provided IAM user credentials.
If the IAM user does not have full "read" and "write" privileges for bucket operations, MinIO returns 403 Forbidden, which OSE incorrectly displays as a bucket-exists error.
This aligns with the repeated 403 errors seen in the server logs.