【问题标题】:Django-storages + boto + S3 minimal credentials for collectstaticDjango-storages + boto + S3 collectstatic 的最小凭据
【发布时间】:2013-12-06 17:11:03
【问题描述】:

我正在使用 django-storagesstorages.backends.s3boto.S3BotoStorage 并遇到一个奇怪的 403 错误。

我最初的 IAM 政策相当保守,只包括对象的 get、put 和 delete。

--> 这引发了 403 错误

然后我授予所有权限除了删除和创建存储桶的权限

--> 令我惊讶的是,这也引发了 403 错误

我终于授予了完全权限,我想避免这种情况,并且我不再收到 403 错误。

我已经尝试按照this answer 提供对存储桶根//* 的访问权限

我的目标是只授予必要的权限。

【问题讨论】:

    标签: django amazon-s3


    【解决方案1】:

    我试图做同样的事情,我想我终于让它工作了(有很多谷歌搜索和很多其他 StackOverflow 答案)。这不能保证是所需的最低权限集,但也不是很多。

    这是用户 collectstatic 正在使用的 IAM 政策

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Stmt1399990928000",
          "Effect": "Allow",
          "Action": [
            "s3:ListAllMyBuckets"
          ],
          "Resource": [
            "arn:aws:s3:::*"
          ]
        }
      ]
    }
    

    这似乎很简单。

    从这里开始,它变得更加复杂。您需要更改的内容标记在尖括号内。 存储桶策略应如下所示:

    {
        "Version": "2008-10-17",
        "Id": "Permissions",
        "Statement": [
            {
                "Sid": "AllowAnybodyToGetBucketLocation",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "*"
                },
                "Action": "s3:GetBucketLocation",
                "Resource": "arn:aws:s3:::<bucket_name>"
            },
            {
                "Sid": "AllowCollectstaticUserToListBucket",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "<collectstatic_user_arn_from_iam_user_summary>"
                },
                "Action": "s3:ListBucket",
                "Resource": "arn:aws:s3:::<bucket_name>"
            },
            {
                "Sid": "AllowCollectstaticUserAccessToAllObjects",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "<collectstatic_user_arn_from_iam_user_summary>"
                },
                "Action": [
                    "s3:DeleteObject",
                    "s3:PutObjectAcl",
                    "s3:GetObject",
                    "s3:PutObject"
                ],
                "Resource": "arn:aws:s3:::<bucket_name>/*"
            }
        ]
    }
    

    这为 collectstatic 的用户至少提供了所需的最低权限。

    请注意,这假设您将所有对象直接转储到存储桶的根目录中,而不是像 static/ 这样的目录中。我不完全确定该怎么做 - 我是否应该将 Resource 指定为 arn:aws:s3:::&lt;bucket_name&gt;/static/* 或者是否将 Condition 添加到 AllowCollectstaticUserAccessToAllObjects

    对我有帮助的来源:

    【讨论】:

      【解决方案2】:

      这是上传到特定存储桶的存储桶政策,在本例中为static

      {
          "Version": "2008-10-17",
          "Id": "StaticAndMediaPermissions",
          "Statement": [
              {
                  "Sid": "AllowAnybodyToGetBucketLocation",
                  "Effect": "Allow",
                  "Principal": {
                      "AWS": "*"
                  },
                  "Action": "s3:GetBucketLocation",
                  "Resource": "arn:aws:s3:::<bucket_name>"
              },
              {
                  "Sid": "AllowCollectstaticUserToListStaticDirectory",
                  "Effect": "Allow",
                  "Principal": {
                      "AWS": "<collectstatic_user_arn_from_iam_user_summary>"
                  },
                  "Action": [
                      "s3:ListBucket",
                      "s3:ListBucketMultipartUploads"
                  ],
                  "Resource": [
                      "arn:aws:s3:::<bucket_name>",
                      "arn:aws:s3:::<bucket_name>/static"
                  ]
              },
              {
                  "Sid": "AllowCollectstaticUserAccessToAllObjectsInStaticDirectory",
                  "Effect": "Allow",
                  "Principal": {
                      "AWS": "<collectstatic_user_arn_from_iam_user_summary>"
                  },
                  "Action": [
                      "s3:AbortMultipartUpload",
                      "s3:DeleteObject",
                      "s3:GetObject",
                      "s3:PutObjectAcl",
                      "s3:ListMultipartUploadParts",
                      "s3:PutObject"
                  ],
                  "Resource": "arn:aws:s3:::<bucket_name>/static/*"
              }
          ]
      }
      

      您仍然需要从我的其他答案中添加 IAM 用户策略。

      确保在您的settings.py 中将AWS_LOCATION 变量设置为/static/。如果你没有那个设置,这将不起作用。

      来源: * http://blogs.aws.amazon.com/security/post/Tx1P2T3LFXXCNB5/Writing-IAM-policies-Grant-access-to-user-specific-folders-in-an-Amazon-S3-bucke - 了解如何设置特定目录的权限 * https://stackoverflow.com/a/9649233/1999151 - 提示我使用 AWS_LOCATION


      或者,如果您想为静态文件和媒体文件设置单独的目录,则需要按照此处的说明进行操作:

      https://stackoverflow.com/a/10626241/1999151

      并从settings.py 中删除AWS_LOCATION

      您仍然需要从我的其他答案中添加 IAM 用户策略。

      然后您需要将 AWS 存储桶策略调整为以下内容:

      {
          "Version": "2008-10-17",
          "Id": "StaticAndMediaPermissions",
          "Statement": [
              {
                  "Sid": "AllowAnybodyToGetBucketLocation",
                  "Effect": "Allow",
                  "Principal": {
                      "AWS": "*"
                  },
                  "Action": "s3:GetBucketLocation",
                  "Resource": "arn:aws:s3:::<bucket_name>"
              },
              {
                  "Sid": "AllowCollectstaticUserToListStaticAndMediaDirectories",
                  "Effect": "Allow",
                  "Principal": {
                      "AWS": "<collectstatic_user_arn_from_iam_user_summary>"
                  },
                  "Action": [
                      "s3:ListBucket",
                      "s3:ListBucketMultipartUploads"
                  ],
                  "Resource": [
                      "arn:aws:s3:::<bucket_name>",
                      "arn:aws:s3:::<bucket_name>/media"
                      "arn:aws:s3:::<bucket_name>/static"
                  ]
              },
              {
                  "Sid": "AllowCollectstaticUserAccessToAllObjectsInStaticAndMediaDirectories",
                  "Effect": "Allow",
                  "Principal": {
                      "AWS": "<collectstatic_user_arn_from_iam_user_summary>"
                  },
                  "Action": [
                      "s3:AbortMultipartUpload",
                      "s3:DeleteObject",
                      "s3:GetObject",
                      "s3:PutObjectAcl",
                      "s3:ListMultipartUploadParts",
                      "s3:PutObject"
                  ],
                  "Resource": [
                      "arn:aws:s3:::<bucket_name>/media/*",
                      "arn:aws:s3:::<bucket_name>/static/*"
                  ]
              }
          ]
      }
      

      【讨论】:

        【解决方案3】:

        我假设近年来这种情况发生了变化,但我只能使用以下权限收集静态数据:

        {
            "Statement": [
                {
                    "Action": [
                        "s3:AbortMultipartUpload",
                        "s3:GetObject",
                        "s3:PutObject",
                        "s3:PutObjectAcl",
                        "s3:DeleteObject",
                        "s3:ListMultipartUploadParts"
                    ],
                    "Effect": "Allow",
                    "Resource": [
                        "arn:aws:s3:::<bucket_name>/*"
                    ]
                }
            ]
        }
        

        让我绊倒的权限是PutObjectAcl。我也不确定是否需要多部分的东西,但我不想找出它对于大文件或类似的东西的必要性。

        编辑:显然 django-storages 在某些情况下会删除文件。我能够让它工作:

        {
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": [
                        "s3:GetBucketLocation",
                        "s3:ListBucket",
                        "s3:ListBucketMultipartUploads"
                    ],
                    "Resource": [
                        "arn:aws:s3:::<bucket_name>"
                    ]
                },
                {
                    "Action": [
                        "s3:AbortMultipartUpload",
                        "s3:GetObject",
                        "s3:PutObject",
                        "s3:PutObjectAcl",
                        "s3:DeleteObject",
                        "s3:DeleteObjectTagging",
                        "s3:ListMultipartUploadParts"
                    ],
                    "Effect": "Allow",
                    "Resource": [
                        "arn:aws:s3:::<bucket_name>/*"
                    ]
                }
            ]
        }
        

        这里可能有几个额外的字段,但我无法重现删除操作以进行确认。

        【讨论】:

          猜你喜欢
          • 2014-06-30
          • 1970-01-01
          • 2014-09-15
          • 2012-05-01
          • 2013-10-31
          • 1970-01-01
          • 1970-01-01
          • 2017-12-13
          • 2012-08-15
          相关资源
          最近更新 更多