我正在django-storages使用storages.backends.s3boto.S3BotoStorage并发现了一个奇怪的403错误。
我原来的IAM政策相当保守,只包括对象的获取,放置和删除。
- > 这引发了403错误
然后,我将所有权限 除了 删除和创建存储区的权限
- >令我惊讶的是, 这也引发了403错误
我终于提供了完全权限,我想避免,我不再收到403错误。
我已尝试根据this answer
提供对存储根/和/*的访问权限
我的目标是只提供必要的权限。
答案 0 :(得分:3)
以上存储分区政策用于上传到特定存储分区,在本例中为static。
{
"Version": "2008-10-17",
"Id": "StaticAndMediaPermissions",
"Statement": [
{
"Sid": "AllowAnybodyToGetBucketLocation",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetBucketLocation",
"Resource": "arn:aws:s3:::<bucket_name>"
},
{
"Sid": "AllowCollectstaticUserToListStaticDirectory",
"Effect": "Allow",
"Principal": {
"AWS": "<collectstatic_user_arn_from_iam_user_summary>"
},
"Action": [
"s3:ListBucket",
"s3:ListBucketMultipartUploads"
],
"Resource": [
"arn:aws:s3:::<bucket_name>",
"arn:aws:s3:::<bucket_name>/static"
]
},
{
"Sid": "AllowCollectstaticUserAccessToAllObjectsInStaticDirectory",
"Effect": "Allow",
"Principal": {
"AWS": "<collectstatic_user_arn_from_iam_user_summary>"
},
"Action": [
"s3:AbortMultipartUpload",
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObjectAcl",
"s3:ListMultipartUploadParts",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::<bucket_name>/static/*"
}
]
}
您仍需要从我的其他答案中添加IAM用户政策。
确保AWS_LOCATION中的/static/变量设置为settings.py。如果你没有那套,这将无效。
来源: * http://blogs.aws.amazon.com/security/post/Tx1P2T3LFXXCNB5/Writing-IAM-policies-Grant-access-to-user-specific-folders-in-an-Amazon-S3-bucke - 了解如何设置特定于目录的权限 * https://stackoverflow.com/a/9649233/1999151 - 让我使用AWS_LOCATION
或者,如果您想为静态和媒体文件设置单独的目录,则需要按照此处的说明进行操作:
https://stackoverflow.com/a/10626241/1999151
并从AWS_LOCATION移除settings.py。
您仍需要从我的其他答案中添加IAM用户政策。
然后,您需要将AWS存储桶策略调整为以下内容:
{
"Version": "2008-10-17",
"Id": "StaticAndMediaPermissions",
"Statement": [
{
"Sid": "AllowAnybodyToGetBucketLocation",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetBucketLocation",
"Resource": "arn:aws:s3:::<bucket_name>"
},
{
"Sid": "AllowCollectstaticUserToListStaticAndMediaDirectories",
"Effect": "Allow",
"Principal": {
"AWS": "<collectstatic_user_arn_from_iam_user_summary>"
},
"Action": [
"s3:ListBucket",
"s3:ListBucketMultipartUploads"
],
"Resource": [
"arn:aws:s3:::<bucket_name>",
"arn:aws:s3:::<bucket_name>/media"
"arn:aws:s3:::<bucket_name>/static"
]
},
{
"Sid": "AllowCollectstaticUserAccessToAllObjectsInStaticAndMediaDirectories",
"Effect": "Allow",
"Principal": {
"AWS": "<collectstatic_user_arn_from_iam_user_summary>"
},
"Action": [
"s3:AbortMultipartUpload",
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObjectAcl",
"s3:ListMultipartUploadParts",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::<bucket_name>/media/*",
"arn:aws:s3:::<bucket_name>/static/*"
]
}
]
}
答案 1 :(得分:0)
我试图做同样的事情,我想我终于搞定了(有很多谷歌搜索和很多其他StackOverflow答案)。这并不是最低要求的权限集,但它并不是很多。
以下是collectstatic用户正在使用的 IAM政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1399990928000",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": [
"arn:aws:s3:::*"
]
}
]
}
这似乎非常简单。
从这里开始,它变得更加复杂。您需要更改的内容标记在尖括号内。 存储分区政策应如下所示:
{
"Version": "2008-10-17",
"Id": "Permissions",
"Statement": [
{
"Sid": "AllowAnybodyToGetBucketLocation",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetBucketLocation",
"Resource": "arn:aws:s3:::<bucket_name>"
},
{
"Sid": "AllowCollectstaticUserToListBucket",
"Effect": "Allow",
"Principal": {
"AWS": "<collectstatic_user_arn_from_iam_user_summary>"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::<bucket_name>"
},
{
"Sid": "AllowCollectstaticUserAccessToAllObjects",
"Effect": "Allow",
"Principal": {
"AWS": "<collectstatic_user_arn_from_iam_user_summary>"
},
"Action": [
"s3:DeleteObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::<bucket_name>/*"
}
]
}
这为collectstatic的用户提供了至少所需的最低权限。
请注意,这假设您将所有对象直接转储到存储桶的根目录中,而不是转储到static/之类的目录中。我不完全确定如何执行此操作 - 是否应将Resource指定为arn:aws:s3:::<bucket_name>/static/*或是否将Condition添加到AllowCollectstaticUserAccessToAllObjects。
帮助我的消息来源:
ListAllBuckets必须在IAM用户政策s3:Delete*,s3:Put*和s3:Get*。答案 2 :(得分:0)
我假设近年来这已经发生了变化,但我只能使用以下权限收集静态:
{
"Statement": [
{
"Action": [
"s3:AbortMultipartUpload",
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:DeleteObject",
"s3:ListMultipartUploadParts"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::<bucket_name>/*"
]
}
]
}
绊倒我的许可是PutObjectAcl。我也不确定多部分内容是否有必要,但我不想找到大型文件或类似内容的必要内容。
编辑:显然django-storage会在某些情况下删除文件。我能够使用它:
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:ListBucketMultipartUploads"
],
"Resource": [
"arn:aws:s3:::<bucket_name>"
]
},
{
"Action": [
"s3:AbortMultipartUpload",
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:DeleteObject",
"s3:DeleteObjectTagging",
"s3:ListMultipartUploadParts"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::<bucket_name>/*"
]
}
]
}
这里可能还有一些额外的字段,但我在复制删除操作时无法确认。