Customers Receive 403 Error When Opening Email Attachments

Platform Notice: Cloud Only - This article only applies to Atlassian products on the cloud platform.

Summary

Customers may encounter error 403 (forbidden) when accessing an attachment from an email notification. The notification is likely sent via automation, and the user does not have internal access to view the attachment using the link.

Diagnosis

When attempting to open an attachment link, one of the two errors appears:

  • User authenticated: Encountered a "403 - Forbidden" error while loading this page.

  • User not authenticated: {"errorMessages":["You do not have permission to view attachment with id: XXXXX"],"errors":{}}

Cause

The attachment link comes from an automation smart value

The link is generated using the Jira Automation {{attachment}} smart value. This allows agents to access some file attributes, like an attachment's name, URL, size, type, and author.

Although the smart value has an attribute containing the file URL ({{attachment.content}}), which allows it to be used as a link to send in an email notification, opening this link does not always work as expected.

The smart value link can only be accessed by licensed users, and in most cases, Jira Service Management customers don't have a product license. Hence, they can't open the attachment link.

Solution

Different attachment URLs

Let's compare the URL provided by the smart value against a proper URL where customers can download the attachments:

Smart value URL:

https://<instance_name>.atlassian.net/rest/api/2/attachment/content/<attachment_id>

✔️ Customer attachment URL:

https://<instance_name>.atlassian.net/servicedesk/customershim/secure/attachment/<attachment_id>/<attachment_name>?fromIssue=<issue_id>

Note that the smart value URL has attributes that store everything we need to create the same structure as the customer attachment URL, allowing us to do the following:

Add attachments as a comment in requests

  1. Go to Project settings > Automation > Create rule.

  2. Configure a rule where:

    1. Select the desired trigger.

    2. Add an Action: Comment on work item. Add the following smart value to it:

      {{#attachment}} !{{filename}}! {{/}}
  3. Create a variable (example: {{requestattach}}) with the following structure:

    <ul> {{#issue.attachment}} <li> <a href="{{content.replaceAll("(.*)(rest\/api\/2\/.*\/)(\d{5,})","$1servicedesk/customershim/secure/attachment/$3/")}}{{filename}}?fromIssue=replaceme">{{filename}}</a> </li> {{/issue.attachment}} </ul>
  4. Create another variable (example: {{issueId}}) with the following structure:

    {{issue.id}}
  5. Now, on the Send Email action, call the first variable with the following function, which replaces the placeholder text replaceme with the value of the second variable, issueId:

    {{requestattach.replace("replaceme",issueId)}}

Variable names are case-sensitive. If your email didn't work, check that the variable names match case in all rule components.
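The URL rewrite from steps 3 to 5, reproduced outside Jira so the pattern can be checked against sample values before the rule is enabled. This is an added example, not Atlassian's code; the instance name, attachment IDs, filenames and function names are constructed for illustration.

```javascript
// Same pattern and replacement string as the replaceAll() call in step 3.
const PATTERN = /(.*)(rest\/api\/2\/.*\/)(\d{5,})/g;
const REPLACEMENT = "$1servicedesk/customershim/secure/attachment/$3/";

// Build the customer-facing link from {{content}}, {{filename}} and {{issue.id}}.
// The rule inserts the issue ID through the "replaceme" placeholder; here it
// is appended directly.
function customerAttachmentUrl(contentUrl, filename, issueId) {
  const rewritten = contentUrl.replace(PATTERN, REPLACEMENT);
  if (rewritten === contentUrl) {
    // A regex replace returns its input unchanged when nothing matches, so
    // the email would still carry the REST link that customers cannot open.
    return null;
  }
  return `${rewritten}${filename}?fromIssue=${issueId}`;
}

// Run the rewrite over a list of attachments and report the ones the
// pattern does not cover (for example an ID shorter than five digits).
function checkAttachments(attachments, issueId) {
  const links = [];
  const unmatched = [];
  for (const a of attachments) {
    const url = customerAttachmentUrl(a.content, a.filename, issueId);
    if (url === null) unmatched.push(a.filename);
    else links.push(url);
  }
  return { links, unmatched };
}

// Constructed sample data, not taken from a real site.
const BASE = "https://example.atlassian.net/rest/api/2/attachment/content/";
const SAMPLE = [
  { content: BASE + "10234", filename: "invoice.pdf" },
  { content: BASE + "1023", filename: "old.png" }, // four-digit ID: no match
];

const report = checkAttachments(SAMPLE, "10001");
console.log(report.links.join("\n"));
console.log("Still pointing at the REST API:", report.unmatched);
```

Any attachment listed as unmatched would go out with the licensed-users-only link and produce the 403 described in the Diagnosis section.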

Users must see the respective attachments on the request on the Portal to open the attachment links. This means:

  • The user must be authenticated in the Portal.

  • They must also be able to see the request that the attachment belongs to on the Portal by being:

    • Reporter

    • Request Participant

    • Member of an Organization which the request was shared with

  • Last but not least, the attachment should be visible to the user through a comment in the request.

Updated on May 6, 2025
