
AWS S3 PutObject Access denied problem in Python

I'm trying to upload an image to AWS S3. This code previously worked fine (and is still working for another project). This is a brand new project with a new AWS S3 bucket. I noticed they again changed a lot, and maybe that's the problem.

This is the code:

        import boto3

        # uploaded_file is the file object from the web request (it has .content_type);
        # files_bucket_name and key_name are set elsewhere in the project.
        s3_client = boto3.client('s3')
        s3_client.upload_fileobj(
            uploaded_file,
            files_bucket_name,
            key_name,
            ExtraArgs={
                'ContentType': uploaded_file.content_type
            }
        )

This is the permission policy for the bucket:

{
    "Version": "2012-10-17",
    "Id": "Policy1204",
    "Statement": [
        {
            "Sid": "Stmt15612",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::bucket-name/*"
        }
    ]
}

The upload did not work until I added "PutObject" here, but it was working for another project. What I don't like about this policy is that PutObject is now publicly available.

How to make it so that:

  • all images are publicly available
  • but only the owner can upload files?

These are screenshots from the AWS permissions for this bucket:


The problem went away as soon as I created an IAM user and granted it full access to S3. Not sure if this solution is good or not, but at least it's working now.

It appears that your requirement is:

  • Allow everyone to see the files
  • Only allow an owner to upload them

There is a difference in what "seeing the files" means: ListObjects allows listing the objects in a bucket, while GetObject allows downloading an object.

If you want to make all objects available for download (assuming that the user knows the name of the object), then you could use a policy like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::bucket-name/*"
        }
    ]
}

Note that this policy will not permit viewing the contents of the bucket.

If you wish to allow a specific IAM User permission to upload files to the bucket, then put this policy on the IAM User (not on the Bucket):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::bucket-name/*"
        }
    ]
}
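The question's bucket policy and the answer's two corrected policies differ in exactly one security-relevant way: whether a write action is granted to the anonymous principal `"*"`. The following audit script is an added example (not code from the question, the answer, or AWS) that reads a policy document and reports which Allow statements grant object-write actions to everyone. The three policies from this page are embedded as constructed sample input; the list of write actions to flag and the `public_write_statements` function name are the example's own choices. It uses only the standard library, so it runs offline without AWS credentials.

```python
"""Audit an S3 bucket policy for anonymous write access.

Added example, not part of the original question or answer. The policy
documents below are copied from this page as constructed sample input.
"""
import fnmatch
import json

# Object-level actions that let a caller create, overwrite or delete content.
# Granting any of these to Principal "*" lets anonymous users modify the bucket.
# (Example's own list; extend it if your threat model needs more actions.)
WRITE_ACTIONS = ("s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject")

# The asker's bucket policy: public GetObject AND public PutObject.
QUESTION_BUCKET_POLICY = """{
    "Version": "2012-10-17",
    "Id": "Policy1204",
    "Statement": [{
        "Sid": "Stmt15612",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::bucket-name/*"
    }]
}"""

# The answer's bucket policy: public read only.
ANSWER_BUCKET_POLICY = """{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::bucket-name/*"
    }]
}"""

# The answer's identity policy for the IAM user: no Principal element at all,
# because an identity policy applies only to the user it is attached to.
ANSWER_IAM_USER_POLICY = """{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:PutObject"],
        "Resource": "arn:aws:s3:::bucket-name/*"
    }]
}"""


def _as_list(value):
    """Action, Principal and Statement may each be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal):
    """True when a statement applies to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def matched_write_actions(action_patterns):
    """Expand IAM action patterns (case-insensitive, wildcards such as s3:Put* or s3:*)
    and return the sorted write actions they cover."""
    matched = set()
    for pattern in action_patterns:
        for action in WRITE_ACTIONS:
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                matched.add(action)
    return sorted(matched)


def public_write_statements(policy_json):
    """Return [(sid, [write actions]), ...] for every Allow statement that grants
    a write action to the anonymous principal. Condition blocks are ignored, so
    a condition-scoped public write is still reported (conservative by design)."""
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_anonymous_principal(stmt.get("Principal")):
            continue
        offending = matched_write_actions(_as_list(stmt.get("Action")))
        if offending:
            findings.append((stmt.get("Sid", "statement[%d]" % index), offending))
    return findings


if __name__ == "__main__":
    for name, doc in (("question bucket policy", QUESTION_BUCKET_POLICY),
                      ("answer bucket policy", ANSWER_BUCKET_POLICY),
                      ("answer IAM user policy", ANSWER_IAM_USER_POLICY)):
        print(name, "->", public_write_statements(doc) or "no public write")
```

Run against the page's three documents, the script flags `Stmt15612` in the question's policy for `s3:PutObject` and reports nothing for either of the answer's policies: the read-only bucket policy grants no write action, and the IAM user policy has no `Principal`, so it can never be public. The wildcard expansion matters in practice because `"Action": "s3:*"` with `Principal: "*"` is the same exposure as spelling out PutObject.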
