AWS S3访问被拒绝错误 [英] AWS S3 Access Denied Error

问题描述

当我尝试打开S3存储桶中托管的文件时，出现访问拒绝错误.

I am getting access denied error when I try to open a file I have hosted on my S3 bucket.

当我的Django应用尝试获取相同的文件时，我的控制台上出现403 Forbidden Error.

When my Django app tries to get the same file I get 403 Forbidden Error on my console.

我已经公开了所有文件，但还是没有运气.

I have made all the files public but still no luck.

我打开文件链接时得到了这个信息.

I am getting this when I open a link to a file.

<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>D4FCD94BD9DEE9F8</RequestId>
<HostId>
J9RtjMA4wk8kL4f+Ye/6XAQaXrfi9lz5HZ1tWRut8E5Qf/b8RAQbAF/fp3j2bep8Jfd+dtim/fs=
</HostId>
</Error>

我的CORS配置是这个

My CORS Configuration is this

<CORSConfiguration>
    <CORSRule>
        <AllowedOrigin>*</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <AllowedMethod>POST</AllowedMethod>
        <AllowedMethod>PUT</AllowedMethod>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
        <AllowedHeader>Authorization</AllowedHeader>
    </CORSRule>
</CORSConfiguration>

我应该怎么做才能使我的静态文件得到正确提供?

What should I do so that my static files get served properly ?

这是我的存储桶策略

{
    "Statement": [
        {
            "Sid": "PublicReadForGetBucketObjects",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::****storage/*"
            ]
        },
        {
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::****storage",
                "arn:aws:s3:::****storage/*"
            ],
            "Principal": {
                "AWS": [
                    "arn:aws:iam::0084507*****:user/****"
                ]
            }
        }
    ]
}

settings.py中的AWS_ACCESS_KEY_ID，AWS_SECRET_ACCESS_KEY是我为在AWS IAM管理中创建的用户所获得的.

The AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY in my settings.py are the ones I got for the user I created in AWS IAM management.

推荐答案

确实没有很好的文档说明，但是您需要两个访问语句.

It is really not documented well, but you need two access statements.

除了允许您实际要做的事情的语句(GetObject为"arn:aws:s3 ::: **** storage/*")之外，您还需要一个允许ListBucket应用于存储桶本身的语句， "arn:aws:s3 ::: ****存储".在内部，Aws客户端会在执行操作之前尝试列出存储桶，以确定它是否存在.

In addition to the statement allowing the things you actually want done (GetObject to "arn:aws:s3:::****storage/*"), you also need a statement that allows ListBucket to the bucket itself, "arn:aws:s3:::****storage". Internally, the Aws client will try to list the bucket to determine it exists before doing its action.

文档是不好的，所以似乎只是增加了越来越多的权限，直到出现一些令人发指的事情，才是常见的错误.

The docs are bad, so it seems to be a common flailing to just add more and more permissions until something bleeping works.

第二条语句应如下所示:

With the second statement, it should look like:

{
    "Statement": [
        {
            "Sid": "PublicReadForGetBucketObjects",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::storage/*"
            ]
        },
        {
            "Sid": "somethingElse",
            "Action": "s3:ListBucket",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::storage",
            ],
            "Principal": {
                "AWS": [
                    "arn:aws:iam::0084507*****:user/****"
                ]
            }
        }
    ]
}

注意:如果您使用的是IAM，则可以跳过主体"部分.

Note: If you're using IAM, you can skip the "Principal" part.

这篇关于AWS S3访问被拒绝错误的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！