Closed simonw closed 1 year ago
I added this code to s3-credentials and ran it:
```python
import json

import botocore.exceptions
import click

# cli, common_boto3_options, make_client, bucket_exists and policies are the
# existing helpers in the s3-credentials cli module this command was added to.


@cli.command()
@click.argument("bucket")
@common_boto3_options
def set_public_policy(bucket, **boto_options):
    """
    Set public policy for bucket

    This will allow GET requests for anonymous users.

        s3-credentials set-public-policy my-bucket
    """
    s3 = make_client("s3", **boto_options)
    if not bucket_exists(s3, bucket):
        raise click.ClickException("Bucket {} does not exist".format(bucket))
    bucket_policy = policies.bucket_policy_allow_all_get(bucket)
    try:
        s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(bucket_policy))
    except botocore.exceptions.ClientError as e:
        # ClickException expects a message string, not the exception object
        raise click.ClickException(str(e))
```
```bash
s3-credentials set-public-policy calbatwg
```
Still getting the same error though.
https://s3.console.aws.amazon.com/s3/buckets/calbatwg looks like it has the correct settings. Really confused about this.
Relevant snippet of env run on the server:
```
AWS_STORAGE_BUCKET_NAME=calbatwg
DJANGO_SETTINGS_MODULE=cbwg.settings.production
AWS_ACCESS_KEY_ID=AKIAWXFXAIOZA5PNQEVX
AWS_SECRET_ACCESS_KEY=go...b3
```
It all looks right to me. No idea why it's not working.
https://bitsnbytes.blog/2020/06/15/access-denied-or-how-s3-permissions-can-be-super-confusing/ has more tips.
It says that these three are needed:
```
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutObjectTagging"
```
Could I be missing one of them?
My user is called s3.read-write.calbatwg - and the policy it gets according to https://s3-credentials.readthedocs.io/en/stable/policy-documents.html#read-write-default is:
```json
{
  "Effect": "Allow",
  "Action": [
    "s3:PutObject",
    "s3:DeleteObject"
  ],
  "Resource": [
    "arn:aws:s3:::my-s3-bucket/*"
  ]
}
```
So I need to grant it extra permissions!
Deleted my user:
```bash
s3-credentials delete-user 's3.read-write.calbatwg'
```
Now I'm going to create a custom user.
```bash
s3-credentials create calbatwg \
  --username calbatwg-org-django \
  --statement '{
    "Effect": "Allow",
    "Action": [
      "s3:PutObjectAcl",
      "s3:PutObjectTagging"
    ],
    "Resource": "arn:aws:s3:::calbatwg/*"
  }'
```
Then set the new Fly secrets in one go:
```bash
fly secrets set \
  AWS_ACCESS_KEY_ID=AKIAWXFXAIOZEAUUY7I7 \
  AWS_SECRET_ACCESS_KEY=DS...
```
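As an added example (not code from s3-credentials or from this issue), a small checker that compares the read-write default policy quoted above against the three upload actions the linked post lists, and builds the extra `--statement` JSON that closes the gap. The policy copy, bucket name and required-action list are constructed from the thread; IAM's `*`/`?` wildcard matching is approximated with `fnmatch`.

```python
import fnmatch
import json

# Constructed copy of the read-write default policy quoted above, with the
# docs' placeholder bucket name replaced by calbatwg.
READ_WRITE_DEFAULT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:DeleteObject"],
        "Resource": ["arn:aws:s3:::calbatwg/*"],
    }],
}

# The three upload actions the linked post says are needed.
UPLOAD_ACTIONS = ["s3:PutObject", "s3:PutObjectAcl", "s3:PutObjectTagging"]

def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def _matches(value, patterns):
    # IAM patterns use * and ?; action names compare case-insensitively.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def allowed_actions(policy, resource):
    """Action patterns that Allow statements in policy grant on resource."""
    allowed = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if _matches(resource, _as_list(stmt.get("Resource", []))):
            allowed.update(_as_list(stmt.get("Action", [])))
    return allowed

def missing_actions(policy, bucket, required=UPLOAD_ACTIONS):
    """Required actions that no Allow statement grants on objects in bucket."""
    patterns = allowed_actions(policy, "arn:aws:s3:::{}/*".format(bucket))
    return sorted(a for a in required if not _matches(a, patterns))

def extra_statement(bucket, actions):
    """JSON for a --statement granting only the missing actions on the bucket."""
    return json.dumps({
        "Effect": "Allow",
        "Action": list(actions),
        "Resource": "arn:aws:s3:::{}/*".format(bucket),
    }, indent=2)
```

Running `missing_actions(READ_WRITE_DEFAULT, "calbatwg")` reports the two ACL/tagging actions the default user lacked, which is exactly what the custom `--statement` above grants.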
Got a useful tip from https://sourcery.ai/blog/python-docker/
Add this early on in the Dockerfile:
```dockerfile
ENV PIPENV_VENV_IN_PROJECT=1
```
This causes it to create the virtual environment in /app/.venv, which is easier to then write scripts against as it has a predictable name.
Extracted a TIL: https://til.simonwillison.net/docker/pipenv-and-docker
Next job: point DNS at this new site, using Cloudflare.
https://dash.cloudflare.com/7def11d96ee28cd408b5d9ff86fa8605/calbatwg.org/dns/records
The IP address of the Fly app is 37.16.21.64 - I'm going to point A records at that.
I'm also going to turn off Cloudflare proxying entirely.
Previous Cloudflare settings:
Added these two new A records (after deleting those CNAME ones):
http://www.calbatwg.org/ and http://calbatwg.org/ both work now - next step, TLS.
https://til.simonwillison.net/fly/custom-subdomain-fly has notes on that
I ran:
```bash
fly auth logout
fly auth login
```
To log in as Natalie's Fly account.
Then:
```
~ % fly certs create calbatwg.org -a cbwg
You are creating a certificate for calbatwg.org
We are using lets_encrypt for this certificate.

You can validate your ownership of calbatwg.org by:

1: Adding an AAAA record to your DNS service which reads:

    AAAA @ 2a09:8280:1::6:a6a6
```
Added that AAAA record in Cloudflare:
```
~ % fly certs show calbatwg.org -a cbwg
The certificate for calbatwg.org has not been issued yet.

Hostname                  = calbatwg.org
DNS Provider              = cloudflare
Certificate Authority     = Let's Encrypt
Issued                    =
Added to App              = 1 minute ago
Source                    = fly

Your certificate for calbatwg.org is being issued. Status is Awaiting certificates. Make sure to create another certificate for www.calbatwg.org when the current certificate is issued.
```
It's issued:
```
~ % fly certs show calbatwg.org -a cbwg
The certificate for calbatwg.org has been issued.

Hostname                  = calbatwg.org
DNS Provider              = cloudflare
Certificate Authority     = Let's Encrypt
Issued                    = rsa,ecdsa
Added to App              = 1 minute ago
Source                    = fly
```
Ran this too:
```bash
fly certs create www.calbatwg.org -a cbwg
```
It advised me:
```
~ % fly certs create www.calbatwg.org -a cbwg
You are creating a certificate for www.calbatwg.org
We are using Let's Encrypt for this certificate.

You can configure your DNS for www.calbatwg.org by:

1: Adding an CNAME record to your DNS service which reads:

    CNAME www. cbwg.fly.dev
```
But I don't think I need to do that because I used an A record instead.
https://calbatwg.org/ works now.
That www.calbatwg.org cert still hasn't been issued. Maybe I have to use the CNAME instead? I'll set that up now.
Deleted the A record for www and added this CNAME instead:
```
~ % fly certs show www.calbatwg.org -a cbwg
The certificate for www.calbatwg.org has been issued.

Hostname                  = www.calbatwg.org
DNS Provider              = cloudflare
Certificate Authority     = Let's Encrypt
Issued                    = rsa,ecdsa
Added to App              = 10 minutes ago
Source                    = fly
```
Not sure if switching from A to CNAME was necessary or not.
It's done!
```
cbwg % fly postgres connect -a cbwg-postgresql
Connecting to fdaa:0:ec24:a7b:ad1:84:fd99:2... complete
psql (14.4 (Debian 14.4-1.pgdg110+1))
Type "help" for help.

postgres=# create database cbwg;
CREATE DATABASE
```
Just wanted to let you know that your very detailed comments here helped me out a lot! Especially this one gave me the nudge in the right direction. Thank you!!
Split from:
Code is in https://github.com/natbat/cbwg