[英]AWS S3 Access Denied Error
I am getting access denied error when I try to open a file I have hosted on my S3 bucket. 尝试打开S3存储桶中托管的文件时,出现访问拒绝错误。
When my Django app tries to get the same file I get 403 Forbidden Error on my console. 当我的Django应用尝试获取相同的文件时,我的控制台上出现403 Forbidden Error。
I have made all the files public but still no luck. 我已经公开了所有文件,但还是没有运气。
I am getting this when I open a link to a file. 当我打开一个文件链接时,我得到了这个。
<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>D4FCD94BD9DEE9F8</RequestId>
<HostId>
J9RtjMA4wk8kL4f+Ye/6XAQaXrfi9lz5HZ1tWRut8E5Qf/b8RAQbAF/fp3j2bep8Jfd+dtim/fs=
</HostId>
</Error>
My CORS Configuration is this 我的CORS配置是这个
<CORSConfiguration>
<CORSRule>
<AllowedOrigin>*</AllowedOrigin>
<AllowedMethod>GET</AllowedMethod>
<AllowedMethod>POST</AllowedMethod>
<AllowedMethod>PUT</AllowedMethod>
<MaxAgeSeconds>3000</MaxAgeSeconds>
<AllowedHeader>Authorization</AllowedHeader>
</CORSRule>
</CORSConfiguration>
What should I do so that my static files get served properly ? 我应该怎么做才能使我的静态文件得到正确处理?
This is my bucket policy 这是我的水桶政策
{
"Statement": [
{
"Sid": "PublicReadForGetBucketObjects",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::****storage/*"
]
},
{
"Action": "s3:*",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::****storage",
"arn:aws:s3:::****storage/*"
],
"Principal": {
"AWS": [
"arn:aws:iam::0084507*****:user/****"
]
}
}
]
}
The AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY in my settings.py are the ones I got for the user I created in AWS IAM management. 我的settings.py中的AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY是我为在AWS IAM管理中创建的用户所获得的。
It is really not documented well, but you need two access statements. 它确实没有很好地记录,但是您需要两个访问语句。
In addition to the statement allowing the things you actually want done (GetObject to "arn:aws:s3:::****storage/*"), you also need a statement that allows ListBucket to the bucket itself, "arn:aws:s3:::****storage". 除了允许您实际要做的事情的语句(GetObject为“ arn:aws:s3 ::: **** storage / *”)之外,还需要一个允许ListBucket进入存储桶本身的语句,“ arn: AWS:S3 ::: ****存储”。 Internally, the Aws client will try to list the bucket to determine it exists before doing its action.
在内部,Aws客户端将在执行操作之前尝试列出存储桶以确定其存在。
The docs are bad, so it seems to be a common flailing to just add more and more permissions until something bleeping works. 该文档是不好的,因此似乎越来越常见,只是添加越来越多的权限,直到某些事情发生。
With the second statement, it should look like: 在第二条语句中,它应类似于:
{
"Statement": [
{
"Sid": "PublicReadForGetBucketObjects",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::storage/*"
]
},
{
"Sid": "somethingElse",
"Action": "s3:ListBucket",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::storage",
],
"Principal": {
"AWS": [
"arn:aws:iam::0084507*****:user/****"
]
}
}
]
}
Note: If you're using IAM, you can skip the "Principal" part. 注意:如果使用的是IAM,则可以跳过“主体”部分。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.