search

bradleyg / django-s3direct

Directly upload files to S3 compatible services with Django.
MIT License
653 stars 234 forks source link

AWS Code: AccessDenied, Message:Access Deniedstatus:403 #196

Open Malthehave opened 5 years ago

Malthehave commented 5 years ago

Hello. I'm having an issue when uploading my video from the django admin.

My IAM user has the AmazonS3FullAccess policy attached. I also tried creating a new user with the same policy as the one stated in readme.md.

However I get the same 403 error everytime.

I did eventually get a successful upload when I changed the Block public access in my bucket settings to false. That however ment that everyone could upload to my bucket.

Can you what i'm doing wrong?

In the browser console I get the following errors:

Starting videos/20180718_215611.mp4 reason: first file

initiate getPayloadSha256Content: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
initiate V4 CanonicalRequest: POST
/<my_bucket_name>/videos/20180718_215611.mp4
uploads=
content-type:video/mp4
host:s3.eu-central-1.amazonaws.com
x-amz-acl:public-read
x-amz-date:20190919T140034Z

content-type;host;x-amz-acl;x-amz-date
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
V4 stringToSign: AWS4-HMAC-SHA256
20190919T140034Z
20190919/eu-central-1/s3/aws4_request
62bf6ff5089028e97c05451e64077c0b0a3b273186717c8f547dfc7bc0d5b875
initiate signature: f20f0ea3deefa277f5a6ebba7da12a134314d34a52d11e4bfd3c73068b7d5464
initiate getPayloadSha256Content: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
s3.eu-central-1.amazonaws.com/<my_bucket_name>/videos/20180718_215611.mp4?uploads:1 Failed to load resource: the server responded with a status of 403 (Forbidden)
initiate error: <my_bucket_name>/videos/20180718_215611.mp4 AWS Code: AccessDenied, Message:Access Deniedstatus:403

models.py 

...
videofile = S3DirectField(dest='video_destination', null=True)

settings.py

AWS_ACCESS_KEY_ID = ...
AWS_SECRET_ACCESS_KEY = ...
AWS_UPLOAD_USERNAME = '...'
AWS_STORAGE_BUCKET_NAME = '...'

AWS_S3_FILE_OVERWRITE = False
AWS_DEFAULT_ACL = None
AWS_S3_REGION_NAME = 'eu-central-1'
AWS_S3_ENDPOINT_URL = 'https://s3.eu-central-1.amazonaws.com'

DEFAULT_FILE_STORAGE = 'storages.backends.s3boto3.S3Boto3Storage'
S3DIRECT_DESTINATIONS = {
    'video_destination': {
        'key': '/videos/',
        'content_length_range': (5000, 5000000000), # 0.0000046566 gb to ca. 5 gb
    },
}
Malthehave commented 5 years ago

Okay so if anyone is having the same issue I managed to get around it. I set Block public access to buckets and objects granted through new access control lists (ACLs) and Block public access to buckets and objects granted through any access control lists (ACLs) to off.

Still not sure if this is the correct way of doing it however.

neilhut42 commented 4 years ago

Having the same issue here, get the 403 unless the "block public access" is disabled.

Malthehave commented 4 years ago

Having the same issue here, get the 403 unless the "block public access" is disabled.

Please let us know if you get to any solution (-:

pushpankar commented 4 years ago

I am having the same issue. Using the same access key id and secret key id from awscli works perfectly but not in s3direct.

adam505hq commented 3 years ago

For me trick was to change acl to private in S3DIRECT_DESTINATIONS. By default it's set to public-read which caused AWS to give 403 when public access was blocked.

S3DIRECT_DESTINATIONS = {
    'foo': {
        'key': "bar"
        'acl': 'private',
}

In AWS bucket policy:

{
    "Version": "2012-10-17",
    "Id": "Policy1608061041543",
    "Statement": [
        {
            "Sid": "Stmt1608061039031",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::$USER_ID:user/$USER_NAME"
            },
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::$BUCKET_NAME/*"
        }
    ]
}

In CORS:

[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "GET",
            "POST",
            "DELETE",
            "HEAD",
            "PUT"
        ],
        "AllowedOrigins": [
            "http://localhost:5000"
        ],
        "ExposeHeaders": [
            "ETag",
            "x-amz-server-side-encryption"
        ],
        "MaxAgeSeconds": 0
    }
]
shacker commented 3 years ago

Changing the ACL between public/private made no difference for me. Just can't figure out what's causing the 403s.