
I am trying to set up media and static files storage in an AWS S3 bucket, in a Django app, and am getting the following error when I try to run python manage.py collectstatic to put the static files into the bucket:

botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the PutObject operation: Access Denied

I am running boto3 and django-storages. I have trawled through the other answers on here and tried the ideas in there first. My access key etc. is correct as I can connect to SES OK. I have CORS configured in the bucket.

My bucket policy is

{
    "Id": "Policyxxx",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmtxxx",
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::bucketname/*",
                "arn:aws:s3:::bucketname"
            ],
            "Principal": {
                "AWS": [
                    "arn:aws:iam::xxxx:user/xxxx"
                ]
            }
        }
    ]
}

My IAM user has AmazonS3FullAccess as below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"
        }
    ]
}

I have also tried creating my own policy and attaching that to the IAM user as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::bucketname",
                "arn:aws:s3:::bucketname/*"
            ]
        }
    ]
}

None of these work so I am clearly missing something.


2 Answers 2

52

I had the same error. And, unlike you, I was using the right user with proper IAM policies.

In the output of:

python manage.py collectstatic

before the AccessDenied stack error, I could read this message from the django-storages lib:

UserWarning: The default behavior of S3Boto3Storage is insecure and will change in django-storages 2.0. By default files and new buckets are saved with an ACL of 'public-read' (globally publicly readable). Version 2.0 will default to using the bucket's ACL. To opt into the new behavior set AWS_DEFAULT_ACL = None, otherwise to silence this warning explicitly set AWS_DEFAULT_ACL. "The default behavior of S3Boto3Storage is insecure and will change "

This led me to try it.

By setting:

AWS_DEFAULT_ACL = None

Then, the static files were collected in the bucket.


6 Comments

You are a life saver. It was not showing me this warning, followed some tutorial and was stuck in this error.
I think this is because AWS by default sets Block new public ACLs and uploading public objects to True for new buckets. If you set this to False in the permissions tab, you should be able to set AWS_DEFAULT_ACL='public-read'
What do you mean set AWS_DEFAULT_ACL = None? Set it where? in settings.py?
@LawrenceDeSouza Yes, this has to be set in your project settings.py.
If you’re sure what content in your bucket should be public, change your S3 block's permissions from ON to OFF at (Block all public access). So AWS_DEFAULT_ACL = 'public-read'
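The failure mode discussed in the answer and comments above, as an added example that is not part of the original posts or of django-storages: a check that predicts whether the ACL implied by AWS_DEFAULT_ACL will be rejected by a bucket's Block Public Access settings. The function names are hypothetical, the `legacy_default` of 'public-read' is taken from the quoted warning, and the dict shape is the one boto3's `get_public_access_block` returns.

```python
# Canned ACLs that grant access to the AllUsers or AuthenticatedUsers groups,
# which S3 Block Public Access treats as public.
PUBLIC_CANNED_ACLS = {"public-read", "public-read-write", "authenticated-read"}


def effective_acl(django_settings, legacy_default="public-read"):
    """ACL the storage backend would send with PutObject, or None for no ACL.

    legacy_default is an assumption modelling the behaviour in the quoted
    warning: an unset AWS_DEFAULT_ACL means 'public-read'.
    """
    return django_settings.get("AWS_DEFAULT_ACL", legacy_default)


def put_object_blocked(acl, public_access_block):
    """True if BlockPublicAcls would reject a PutObject carrying this ACL."""
    if acl is None:
        return False  # no ACL is sent with the request
    return bool(public_access_block.get("BlockPublicAcls")) and acl in PUBLIC_CANNED_ACLS


def fetch_public_access_block(bucket):
    """Read bucket-level Block Public Access settings (needs boto3 and credentials)."""
    import boto3
    from botocore.exceptions import ClientError
    try:
        resp = boto3.client("s3").get_public_access_block(Bucket=bucket)
    except ClientError as exc:
        if exc.response["Error"]["Code"] == "NoSuchPublicAccessBlockConfiguration":
            return {}  # nothing configured at bucket level
        raise
    return resp["PublicAccessBlockConfiguration"]


def diagnose(django_settings, public_access_block):
    """One-line verdict for a settings dict and a Block Public Access config."""
    acl = effective_acl(django_settings)
    if put_object_blocked(acl, public_access_block):
        return f"DENIED: ACL {acl!r} is public and BlockPublicAcls is on"
    return f"OK: ACL {acl!r} is not rejected by Block Public Access"


if __name__ == "__main__":
    # Constructed sample: a bucket with all four Block Public Access switches on.
    new_bucket = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                  "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
    print(diagnose({}, new_bucket))                         # setting absent
    print(diagnose({"AWS_DEFAULT_ACL": None}, new_bucket))  # the fix from the answer
```

Block Public Access can also be set at the account level, which `fetch_public_access_block` does not read; for a live bucket, pass its result as the second argument to `diagnose`.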
0

I had an issue that it ignored

AWS_S3_ACCESS_KEY_ID = os.environ.get("Someothername1", "")
AWS_S3_SECRET_ACCESS_KEY = os.environ.get("Someothername2", "")

in Django settings, but when I set the environment variables AWS_S3_ACCESS_KEY_ID and AWS_S3_SECRET_ACCESS_KEY it started working. Because in the _get_access_keys function they only search for environment variables, ignoring settings.

def _get_access_keys(self):
    """
    Gets the access keys to use when accessing S3. If none is
    provided in the settings then get them from the environment
    variables.
    """
    access_key = self.access_key or lookup_env(self.access_key_names)
    secret_key = self.secret_key or lookup_env(self.secret_key_names)
    return access_key, secret_key
