Django-storages + boto + S3 minimal credentials for collectstatic
【Posted】: 2013-12-06 17:11:03
【Question】: I'm using django-storages with storages.backends.s3boto.S3BotoStorage and I'm running into a strange 403 error.
My initial IAM policy was fairly conservative and only included get, put and delete on objects.
--> This raised a 403 error.
I then granted every permission except deleting and creating buckets.
--> To my surprise, this also raised a 403 error.
I finally granted full permissions, which I want to avoid, and I no longer get a 403 error.
I have also tried, following this answer, granting access to the bucket root / and to /*.
My goal is to grant only the permissions that are necessary.
【Comments】:
【Answer 1】: I was trying to do the same thing and I think I finally got it working (after a lot of googling and a lot of other *** answers). This is not guaranteed to be the minimum set of permissions required, but it isn't much more than that.
Here is the IAM policy for the user that collectstatic runs as:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1399990928000",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ]
    }
  ]
}
That seems simple enough.
From here it gets more complicated. The things you need to change are marked in angle brackets. The bucket policy should look like this:
{
  "Version": "2008-10-17",
  "Id": "Permissions",
  "Statement": [
    {
      "Sid": "AllowAnybodyToGetBucketLocation",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetBucketLocation",
      "Resource": "arn:aws:s3:::<bucket_name>"
    },
    {
      "Sid": "AllowCollectstaticUserToListBucket",
      "Effect": "Allow",
      "Principal": {
        "AWS": "<collectstatic_user_arn_from_iam_user_summary>"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::<bucket_name>"
    },
    {
      "Sid": "AllowCollectstaticUserAccessToAllObjects",
      "Effect": "Allow",
      "Principal": {
        "AWS": "<collectstatic_user_arn_from_iam_user_summary>"
      },
      "Action": [
        "s3:DeleteObject",
        "s3:PutObjectAcl",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::<bucket_name>/*"
    }
  ]
}
This gives the collectstatic user at least the minimum permissions it needs.
Note that this assumes you are dumping all objects directly into the root of the bucket rather than into a directory like static/. I'm not entirely sure what to do in that case: whether I should specify the Resource as arn:aws:s3:::<bucket_name>/static/* or add a Condition to AllowCollectstaticUserAccessToAllObjects.
Sources that helped me:
http://blog.iambob.me/the-super-stupid-idiots-guide-to-getting-started-with-django-pipeline-and-s3/ - got me started configuring S3
https://***.com/a/10884964 - permissions need to be granted on both the bucket itself and the objects under it
https://***.com/a/10894488 - working out whether it is a permissions problem on S3 or a django-storages configuration problem
https://***.com/a/13658829 - ListAllBuckets has to be granted in the IAM user policy
http://paltman.com/2007/09/21/detailed-amazon-s3-logging/ - after setting up logging, this post helped me decode the logs
https://***.com/a/19425526 - apparently you can specify permission wildcards, which let me test s3:Delete*, s3:Put* and s3:Get* separately
【Comments】:
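Answer 1 above got to a working policy by turning on S3 server access logging and reading which requests came back 403. The script below is an added example, not code from this thread, from django-storages or from AWS: it does that triage offline. It assumes the S3 server access log layout (bucket owner, bucket, [time], remote IP, requester, request ID, operation, key, "request-URI", HTTP status, error code, ...) and a hand-written map from the REST.<verb>.<thing> operation names to the IAM action each request needed; that map and the bucket name mysite-assets are assumptions, and the sample log lines are constructed, not real data. It also separates AccessDenied (a policy problem, fix the IAM or bucket policy) from 403s such as SignatureDoesNotMatch or InvalidAccessKeyId (a credentials or django-storages settings problem, which no policy change will fix), which is the distinction one of the answer's sources is about.

```python
"""Triage S3 server access log lines after a failed collectstatic run.

Added example; not code from the original thread, from django-storages or
from AWS. The field layout and the operation-to-action map below are
assumptions based on the documented REST.<verb>.<thing> naming, not an
official table. SAMPLE_LOG is constructed.
"""
import re
from collections import defaultdict

# bucket_owner bucket [time] remote_ip requester request_id operation key "uri" status error ...
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\d{3}|-) (?P<error>\S+)'
)

# Operation name -> S3 IAM action the request needed (assumed mapping).
OPERATION_TO_ACTION = {
    "REST.GET.LOCATION": "s3:GetBucketLocation",
    "REST.GET.BUCKET": "s3:ListBucket",
    "REST.GET.UPLOADS": "s3:ListBucketMultipartUploads",
    "REST.GET.OBJECT": "s3:GetObject",
    "REST.HEAD.OBJECT": "s3:GetObject",
    "REST.PUT.OBJECT": "s3:PutObject",
    "REST.PUT.PART": "s3:PutObject",
    "REST.POST.UPLOADS": "s3:PutObject",
    "REST.PUT.ACL": "s3:PutObjectAcl",
    "REST.DELETE.OBJECT": "s3:DeleteObject",
}

# 403s that mean the request was never evaluated against a policy at all.
CREDENTIAL_ERRORS = {"SignatureDoesNotMatch", "InvalidAccessKeyId", "ExpiredToken"}

# Constructed sample: a collectstatic run against bucket mysite-assets.
SAMPLE_LOG = """\
OWNERID mysite-assets [06/Dec/2013:17:11:03 +0000] 203.0.113.10 AIDAEXAMPLEUSER 3E57427F3EXAMPLE REST.GET.LOCATION - "GET /mysite-assets?location HTTP/1.1" 200 - 137 - 5 - "-" "Boto/2.13.3 (linux2)" -
OWNERID mysite-assets [06/Dec/2013:17:11:04 +0000] 203.0.113.10 AIDAEXAMPLEUSER 9D6F4C2A1EXAMPLE REST.GET.BUCKET - "GET /mysite-assets?prefix=static/ HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "Boto/2.13.3 (linux2)" -
OWNERID mysite-assets [06/Dec/2013:17:11:05 +0000] 203.0.113.10 AIDAEXAMPLEUSER A1B2C3D4E5EXAMPLE REST.PUT.OBJECT static/css/site.css "PUT /mysite-assets/static/css/site.css HTTP/1.1" 403 AccessDenied 243 4096 6 - "-" "Boto/2.13.3 (linux2)" -
OWNERID mysite-assets [06/Dec/2013:17:11:06 +0000] 203.0.113.10 AIDAEXAMPLEUSER F6E5D4C3B2EXAMPLE REST.GET.OBJECT static/css/site.css "GET /mysite-assets/static/css/site.css HTTP/1.1" 200 - 4096 4096 3 2 "-" "Boto/2.13.3 (linux2)" -
OWNERID mysite-assets [06/Dec/2013:17:11:07 +0000] 203.0.113.10 AIDAEXAMPLEUSER 0F1E2D3C4BEXAMPLE REST.PUT.OBJECT static/js/app.js "PUT /mysite-assets/static/js/app.js HTTP/1.1" 403 SignatureDoesNotMatch 311 2048 5 - "-" "Boto/2.13.3 (linux2)" -
"""


def parse_log(text):
    """Return one dict per line that matches the access log layout."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def resource_arn(row):
    """Bucket ARN for bucket-level calls (key is '-'), object ARN otherwise."""
    bucket_arn = f"arn:aws:s3:::{row['bucket']}"
    return bucket_arn if row["key"] == "-" else f"{bucket_arn}/{row['key']}"


def denied_actions(text):
    """Map each AccessDenied entry to the action/resource a policy must grant."""
    needed = defaultdict(set)
    for row in parse_log(text):
        if row["status"] == "403" and row["error"] == "AccessDenied":
            action = OPERATION_TO_ACTION.get(row["operation"], row["operation"])
            needed[action].add(resource_arn(row))
    return {action: sorted(arns) for action, arns in sorted(needed.items())}


def credential_errors(text):
    """403s that are not policy problems; changing the IAM policy will not help."""
    return sorted({row["error"] for row in parse_log(text)
                   if row["status"] == "403" and row["error"] in CREDENTIAL_ERRORS})


if __name__ == "__main__":
    print("policy must additionally allow:", denied_actions(SAMPLE_LOG))
    print("credential/config problems:", credential_errors(SAMPLE_LOG))
```

Run it against a real log by replacing SAMPLE_LOG with the contents of the log objects S3 wrote to your logging bucket; the requester column also tells you whether the denied call was made by the collectstatic user at all or by some other principal.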
【Answer 2】: Here is a bucket policy for uploading to a specific directory in the bucket, in this case static.
{
  "Version": "2008-10-17",
  "Id": "StaticAndMediaPermissions",
  "Statement": [
    {
      "Sid": "AllowAnybodyToGetBucketLocation",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetBucketLocation",
      "Resource": "arn:aws:s3:::<bucket_name>"
    },
    {
      "Sid": "AllowCollectstaticUserToListStaticDirectory",
      "Effect": "Allow",
      "Principal": {
        "AWS": "<collectstatic_user_arn_from_iam_user_summary>"
      },
      "Action": [
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": [
        "arn:aws:s3:::<bucket_name>",
        "arn:aws:s3:::<bucket_name>/static"
      ]
    },
    {
      "Sid": "AllowCollectstaticUserAccessToAllObjectsInStaticDirectory",
      "Effect": "Allow",
      "Principal": {
        "AWS": "<collectstatic_user_arn_from_iam_user_summary>"
      },
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:PutObjectAcl",
        "s3:ListMultipartUploadParts",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::<bucket_name>/static/*"
    }
  ]
}
You still need to add the IAM user policy from my other answer.
Make sure you set the AWS_LOCATION variable in your settings.py to /static/. This will not work without that setting.
Sources:
* http://blogs.aws.amazon.com/security/post/Tx1P2T3LFXXCNB5/Writing-IAM-policies-Grant-access-to-user-specific-folders-in-an-Amazon-S3-bucke - for understanding how to set permissions on a specific directory
* https://***.com/a/9649233/1999151 - the hint to use AWS_LOCATION
Alternatively, if you want separate directories for static and media files, you need to follow the instructions here:
https://***.com/a/10626241/1999151
and remove AWS_LOCATION from settings.py.
You still need to add the IAM user policy from my other answer.
Then you need to adjust the AWS bucket policy to the following:
{
  "Version": "2008-10-17",
  "Id": "StaticAndMediaPermissions",
  "Statement": [
    {
      "Sid": "AllowAnybodyToGetBucketLocation",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetBucketLocation",
      "Resource": "arn:aws:s3:::<bucket_name>"
    },
    {
      "Sid": "AllowCollectstaticUserToListStaticAndMediaDirectories",
      "Effect": "Allow",
      "Principal": {
        "AWS": "<collectstatic_user_arn_from_iam_user_summary>"
      },
      "Action": [
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": [
        "arn:aws:s3:::<bucket_name>",
        "arn:aws:s3:::<bucket_name>/media",
        "arn:aws:s3:::<bucket_name>/static"
      ]
    },
    {
      "Sid": "AllowCollectstaticUserAccessToAllObjectsInStaticAndMediaDirectories",
      "Effect": "Allow",
      "Principal": {
        "AWS": "<collectstatic_user_arn_from_iam_user_summary>"
      },
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:PutObjectAcl",
        "s3:ListMultipartUploadParts",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::<bucket_name>/media/*",
        "arn:aws:s3:::<bucket_name>/static/*"
      ]
    }
  ]
}
【Comments】:
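Answer 1 left open whether a prefix such as static/ should be expressed through the Resource or through a Condition, and Answer 2 lists both the bucket ARN and the bucket/static ARN for ListBucket. The Python below is an added example, not code from this thread, from django-storages or from AWS. It builds an identity policy for one collectstatic user scoped to a prefix, using the two mechanisms IAM actually evaluates: object actions are matched against object ARNs, so the prefix goes into Resource as bucket/prefix/*, while s3:ListBucket is matched against the bucket ARN and can only be narrowed with a StringLike condition on the s3:prefix context key. It then runs a deliberately small local model of IAM evaluation (Allow statements only, * wildcards, the one condition operator, no Principal or Deny handling) over the calls the answers report collectstatic making, so the generated document can be sanity-checked before it is uploaded. The bucket name mysite-assets, the key names and the action list assembled from the three answers are assumptions; this is not a replacement for the IAM policy simulator.

```python
"""Generate a prefix-scoped policy for the collectstatic user and check it offline.

Added example; not code from the original thread, from django-storages or from
AWS. Action names come from the answers on this page. The evaluator models
only: Allow statements, '*' wildcards in Action and Resource, and a StringLike
condition on s3:prefix. Bucket and key names are assumptions.
"""
import fnmatch
import json

# GetBucketLocation / ListBucketMultipartUploads / ListBucket are evaluated
# against the bucket ARN; everything else against object ARNs. A ListBucket
# grant on "arn:aws:s3:::bucket/static" therefore never matches a request.
BUCKET_ACTIONS = ["s3:GetBucketLocation", "s3:ListBucketMultipartUploads"]
OBJECT_ACTIONS = ["s3:AbortMultipartUpload", "s3:DeleteObject", "s3:GetObject",
                  "s3:ListMultipartUploadParts", "s3:PutObject", "s3:PutObjectAcl"]


def build_policy(bucket, prefix=""):
    """Identity policy for one bucket, optionally limited to prefix/ (your AWS_LOCATION)."""
    prefix = prefix.strip("/")
    bucket_arn = f"arn:aws:s3:::{bucket}"
    list_stmt = {"Sid": "ListPrefix", "Effect": "Allow",
                 "Action": "s3:ListBucket", "Resource": bucket_arn}
    if prefix:
        # Listing cannot be narrowed through Resource; the s3:prefix key does it.
        list_stmt["Condition"] = {"StringLike": {"s3:prefix": [prefix, prefix + "/*"]}}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "BucketLevel", "Effect": "Allow",
             "Action": BUCKET_ACTIONS, "Resource": bucket_arn},
            list_stmt,
            {"Sid": "ObjectLevel", "Effect": "Allow", "Action": OBJECT_ACTIONS,
             "Resource": f"{bucket_arn}/{prefix}/*" if prefix else f"{bucket_arn}/*"},
        ],
    }


def _match_any(patterns, value):
    # IAM wildcards are '*' and '?'; fnmatch also honours '[...]', which ARNs never contain.
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource, context=None):
    """Toy IAM evaluation: any matching Allow grants; no explicit Deny handling."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not _match_any(stmt["Action"], action) or not _match_any(stmt["Resource"], resource):
            continue
        # A StringLike condition on a key absent from the request evaluates to false.
        conditions = stmt.get("Condition", {}).get("StringLike", {})
        if all(k in context and _match_any(v, context[k]) for k, v in conditions.items()):
            return True
    return False


def collectstatic_requests(bucket, prefix=""):
    """The S3 calls the answers on this page report collectstatic making."""
    prefix = prefix.strip("/")
    bucket_arn = f"arn:aws:s3:::{bucket}"
    key = f"{bucket_arn}/{prefix}/css/site.css" if prefix else f"{bucket_arn}/css/site.css"
    return [
        ("s3:GetBucketLocation", bucket_arn, {}),
        ("s3:ListBucket", bucket_arn, {"s3:prefix": prefix + "/" if prefix else ""}),
        ("s3:GetObject", key, {}),
        ("s3:PutObject", key, {}),
        ("s3:PutObjectAcl", key, {}),
        ("s3:DeleteObject", key, {}),
    ]


def check_policy(policy, bucket, prefix=""):
    """Return {action: allowed?} for every request collectstatic needs."""
    return {action: is_allowed(policy, action, res, ctx)
            for action, res, ctx in collectstatic_requests(bucket, prefix)}


if __name__ == "__main__":
    policy = build_policy("mysite-assets", "static")
    print(json.dumps(policy, indent=2))
    print(check_policy(policy, "mysite-assets", "static"))
```

The generated document is an identity (IAM user) policy rather than a bucket policy with a Principal, so it attaches to the collectstatic user directly; the checks also show that the same user is refused writes under media/ and a listing with prefix media/, which is the separation the thread is after.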
【Answer 3】: I assume this has changed in recent years, but I was able to collect static with only the following permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:GetObject",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:DeleteObject",
        "s3:ListMultipartUploadParts"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::<bucket_name>/*"
      ]
    }
  ]
}
The permission that tripped me up was PutObjectAcl. I'm also not sure whether the multipart stuff is needed, but I didn't want to find out the hard way that it is necessary for large files or something like that.
Edit: apparently django-storages deletes files in some circumstances. I was able to get it working with:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": [
        "arn:aws:s3:::<bucket_name>"
      ]
    },
    {
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:GetObject",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:DeleteObject",
        "s3:DeleteObjectTagging",
        "s3:ListMultipartUploadParts"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::<bucket_name>/*"
      ]
    }
  ]
}
There may be a couple of extra fields in here, but I wasn't able to reproduce the delete to confirm.
【Comments】: