
I am trying to move my static assets to AWS. I am following many blog posts but most of all this one: https://simpleisbetterthancomplex.com/tutorial/2017/08/01/how-to-setup-amazon-s3-in-a-django-project.html

Now I can either make it so that everything is publicly visible, or nothing is.

If I add this policy to my bucket everyone can see everything even though I have my config as explained below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::mybucket/*"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::accountnbr:user/user"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::mybucket/*"
        }
    ]
}

That should mean everyone can see, but only I can edit.

Now I configured my static assets and a private Storage where I want to put my media files. In my static assets I have my css files and so on.

Here is my config:

import os  # BASE_DIR is defined earlier in settings.py

# django-storages / S3 settings (credentials are placeholders)
AWS_ACCESS_KEY_ID = 'mykey'
AWS_SECRET_ACCESS_KEY = 'mysecretkey'
AWS_STORAGE_BUCKET_NAME = 'mybucket'
AWS_S3_CUSTOM_DOMAIN = '%s.s3.amazonaws.com' % AWS_STORAGE_BUCKET_NAME
AWS_S3_OBJECT_PARAMETERS = {
    'CacheControl': 'max-age=86400',
}
AWS_LOCATION = 'static'  # key prefix for the public static files

STATICFILES_DIRS = [
    os.path.join(BASE_DIR, 'mysite/static'),
]
STATIC_URL = 'https://%s/%s/' % (AWS_S3_CUSTOM_DOMAIN, AWS_LOCATION)
STATICFILES_STORAGE = 'config.settings.storage_backends.StaticStorage'
AWS_DEFAULT_ACL = 'public-read'
AWS_PRIVATE_MEDIA_LOCATION = 'media'  # key prefix for the private media files
PRIVATE_FILE_STORAGE = 'config.settings.storage_backends.PrivateMediaStorage'


then I have this in my storage_backends.py

from django.conf import settings
from storages.backends.s3boto3 import S3Boto3Storage


class StaticStorage(S3Boto3Storage):
    # public CSS/JS under the "static" prefix
    location = 'static'
    default_acl = 'public'


class PrivateMediaStorage(S3Boto3Storage):
    # uploads under the "media" prefix, stored with a private object ACL
    location = settings.AWS_PRIVATE_MEDIA_LOCATION
    default_acl = 'private'
    file_overwrite = False
    custom_domain = False  # no custom domain, so url() falls back to signed URLs

I didn't configure a public media storage because I only need private media files, and public static files, which I think go to my StaticStorage.

Like this, unfortunately, my private files can also be downloaded via the link.

I read about pre-signed URLs, but shouldn't it work as expected with the config I have? Or am I missing something?

Thanks in advance, very much appreciated!

Micromegas
  • `default_acl = 'public'` configures object ACLs and using this should not require **any** bucket policy. Public-Read can be granted by the bucket policy **or** by object ACL; using both is redundant. – Michael - sqlbot Oct 21 '19 at 10:06
  • thx Michael! But also when I change this to 'None' or leave it out the problem remains.... Any idea what else I do wrong? – Micromegas Oct 21 '19 at 10:15
  • Sorry, leave that as it is, but remove the bucket policy. – Michael - sqlbot Oct 21 '19 at 10:29
  • ok thank you that helps. And in the default settings should I block all public access or allow it? I mean the checkboxes that are not configured via a policy ;) – Micromegas Oct 21 '19 at 11:03
  • And just for my understanding: When I set `AWS_DEFAULT_ACL = 'private'` and remove the policy I can still access and download everything. It should be different right? I mean, the ACLs are supposed to control the access to the bucket right? – Micromegas Oct 21 '19 at 11:20
  • I'm using docker as well maybe that could be a problem? – Micromegas Oct 21 '19 at 12:20
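S3 allows a request when either the bucket policy or the object ACL allows it (absent an explicit Deny or Block Public Access), so the `"Principal": "*"` statement in the question's policy reaches every object under `media/` no matter what ACL django-storages sets on it. The check below is added here as an example and is not code from the question or from django-storages; it evaluates the question's own policy against sample object keys, and the scoped variant of the policy and the file names are constructed.

```python
import fnmatch
import json

# Constructed copy of the question's bucket policy (opening brace restored).
# The first statement's Resource "mybucket/*" matches every key, including
# everything the PrivateMediaStorage writes under the "media" prefix.
QUESTION_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::mybucket/*"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::accountnbr:user/user"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::mybucket/*"}
  ]
}""")

# Constructed variant: the anonymous read grant limited to the static prefix.
SCOPED_POLICY = json.loads(json.dumps(QUESTION_POLICY))
SCOPED_POLICY["Statement"][0]["Resource"] = "arn:aws:s3:::mybucket/static/*"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    # Principal "*" and {"AWS": "*"} both grant to unauthenticated callers.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def anonymous_get_statements(policy, bucket, key):
    """Indices of Allow statements letting anyone s3:GetObject the given key.
    Condition blocks, Deny statements and Block Public Access are not modelled."""
    arn = "arn:aws:s3:::%s/%s" % (bucket, key)
    hits = []
    for idx, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        # IAM wildcards are "*" and "?"; action names are case-insensitive,
        # S3 object keys are case-sensitive.
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if any(fnmatch.fnmatchcase("s3:getobject", a) for a in actions) and \
                any(fnmatch.fnmatchcase(arn, r) for r in resources):
            hits.append(idx)
    return hits


def anonymous_readable(policy, bucket, key):
    return bool(anonymous_get_statements(policy, bucket, key))
```

With the question's policy both `static/css/site.css` and `media/report.pdf` are anonymously readable; with the grant scoped to `static/*`, only the static file is, and the media objects are reachable only through signed URLs.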

0 Answers