AWS Elastic Beanstalk Python Django S3 访问被拒绝无法上传/读取文件
[英]AWS Elastic Beanstalk Python Django S3 Access Denied cannot upload / read file
问题描述
I have deployed Python Django server on AWS Elastic Beanstalk .
我已经在AWS Elastic Beanstalk上部署了Python Django服务器。 This is how my settings.py file looks like:这是我的settings.py文件的样子:
# aws settings
AWS_ACCESS_KEY_ID = os.getenv('AWS_ACCESS_KEY_ID')
AWS_SECRET_ACCESS_KEY = os.getenv('AWS_SECRET_ACCESS_KEY')
AWS_STORAGE_BUCKET_NAME = os.getenv('AWS_STORAGE_BUCKET_NAME')
AWS_DEFAULT_ACL = None
AWS_S3_CUSTOM_DOMAIN = f'{AWS_STORAGE_BUCKET_NAME}.s3.amazonaws.com'
AWS_S3_OBJECT_PARAMETERS = {'CacheControl': 'max-age=86400'}
# s3 static settings
STATIC_URL = '/staticfiles/'
STATIC_ROOT = os.path.join(BASE_DIR, 'staticfiles')
# s3 public media settings
PUBLIC_MEDIA_LOCATION = 'media'
MEDIA_URL = f'https://{AWS_S3_CUSTOM_DOMAIN}/{PUBLIC_MEDIA_LOCATION}/'
DEFAULT_FILE_STORAGE = 'hello_django.storage_backends.PublicMediaStorage'
# s3 private media settings
PRIVATE_MEDIA_LOCATION = 'private'
PRIVATE_FILE_STORAGE = 'hello_django.storage_backends.PrivateMediaStorage'
In AWS I created IAM user with AmazonS3FullAccess permission, and I use his AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in settings.在 AWS 中,我创建了具有AmazonS3FullAccess权限的 IAM 用户,并在设置中使用了他的 AWS_ACCESS_KEY_ID 和 AWS_SECRET_ACCESS_KEY。
The problem is that when I try to read media file from the file link I always get " Access denied " error, even if I specify PublicMediaStorage and give all public access on S3 bucket.问题是当我尝试从文件链接读取媒体文件时,我总是得到“拒绝访问”错误,即使我指定 PublicMediaStorage 并在 S3 存储桶上提供所有公共访问权限。
Also, when I upload file, the folder (eg 'media') in bucket does not get created.此外,当我上传文件时,不会创建存储桶中的文件夹(例如“媒体”)。
Do you have idea what could the problem?你知道可能是什么问题吗?
1 个解决方案
解决方案1
0 2021-02-04 22:20:58
How about assigning an IAM role to Elastic BeanStalk's IAM instance profile?如何将 IAM 角色分配给 Elastic BeanStalk 的 IAM 实例配置文件? Using IAM roles is more secured than committing your AWS_KEYS in your code.使用 IAM 角色比在代码中提交 AWS_KEYS 更安全。
See -看 -
- How can I access an Amazon S3 bucket from an application running on an Elastic Beanstalk instance? 如何从在 Elastic Beanstalk 实例上运行的应用程序访问 Amazon S3 存储桶?
- How can I grant users the minimum set of Amazon S3 permissions required to access an Elastic Beanstalk environment? 如何授予用户访问 Elastic Beanstalk 环境所需的最低 Amazon S3 权限集?
Content of the first link-第一个链接的内容-
Validate permissions for your instance profile验证您的实例配置文件的权限
- Open the Elastic Beanstalk console.打开 Elastic Beanstalk 控制台。
- Select your environment. Select 您的环境。
- From the navigation menu, choose Configuration.从导航菜单中,选择配置。
- In the Configuration overview section, from the Category column, for Security, choose Modify.在配置概述部分中,从类别列中,对于安全性,选择修改。
- From the IAM instance profile menu, note the name of your instance profile.从 IAM 实例配置文件菜单中,记下您的实例配置文件的名称。
- Open the IAM console.打开 IAM 控制台。
- In the navigation pane, choose Roles.在导航窗格中,选择角色。
- In the search box, enter the name of your instance profile from step 5.在搜索框中,输入步骤 5 中的实例配置文件的名称。
- Verify that the role from step 8 has the required Amazon S3 permissions for the bucket that you want to access.验证步骤 8 中的角色是否具有您要访问的存储桶所需的 Amazon S3 权限。
Validate permissions for your S3 bucket验证 S3 存储桶的权限
- Open the Amazon S3 console.打开 Amazon S3 控制台。
- From the list of buckets, choose the bucket with the bucket policy that you want to change.从存储桶列表中,选择具有您要更改的存储桶策略的存储桶。
- Choose the Permissions tab.选择权限选项卡。
- Choose Bucket Policy.选择存储桶策略。
- Search for "Effect": "Deny" statements.搜索“效果”:“拒绝”语句。
- In your bucket policy, edit or remove any "Effect": "Deny" statements that are denying the IAM instance profile access to your role.在您的存储桶策略中,编辑或删除任何拒绝 IAM 实例配置文件访问您的角色的“Effect”:“Deny”语句。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.