22

Thumbnail URLS have params in them. I'm not sure why. I think they related to sorl-thumbnail or boto storage we're using. How do I remove the additional params from the URL? Are they coming from boto/s3 or sorl. I've no idea how to debug.

LILI
  • 321
  • 2
  • 3
  • can you paste an example of the URL here? – Keshi Jul 21 '12 at 23:07
  • Here's an example: https://eniyiyorumlar.s3.amazonaws.com/media/product_photos/yuruyus-bandi/dynamic-v100.jpg?Signature=4C45X28vHf07rkVXj4hvqxAxTeg%3D&Expires=1342920217&AWSAccessKeyId=AKIAJIDT4T4CVUPDP7RQ - it's coming from boto, I don't use sorl and I get the same output. Have the same question – Intenex Jul 22 '12 at 00:24

4 Answers4

78

Use: AWS_QUERYSTRING_AUTH = False

maggon
  • 947
  • 6
  • 8
  • 21
    This answer needs more detail to be useful. – Ratan Sebastian Oct 23 '12 at 17:43
  • 4
    It's rather poorly documented, but this really is the thing you need. If your bucket is publicly viewable for everybody (which you want for media), this removes the authentication parameters. – Alper Apr 07 '13 at 14:48
  • 1
    for more info: https://django-storages.readthedocs.io/en/latest/backends/amazon-S3.html – LinuxFelipe-COL Apr 24 '20 at 19:41
  • Ok to be more detailed: To remove the query string "stuff", put the above in settings.py (which can be found in YOUR PROJECT/settings.py. If you are having an .ENV file it can move there too, but you need to add some more things then to settings.py like: AWS_QUERYSTRING_AUTH = os.environ['AWS_QUERYSTRING_AUTH'] (this assumes you have installed the package "django-environ" so this works) – Rbbn Aug 25 '22 at 07:08
5

The extra parameters that are being added are there to implement Query String Authentication. This allows you to pre-sign the URL to private resources stored in S3. As long as someone has the pre-signed URL (and it hasn't expired) they will be able to access these resources even though they are not publicly readable.

Without the extra parameters, there is no way to provide public access to these private S3 resources.

mgojohn
  • 881
  • 9
  • 15
garnaat
  • 44,310
  • 7
  • 123
  • 103
  • why are the S3 resourced private? how do i make them public? – LILI Jul 24 '12 at 12:35
  • All content is private by default in S3. You can change it to publicly readable by using the make_public() method of the Key object in boto or you can use the AWS Console if you would prefer to use a GUI. – garnaat Jul 24 '12 at 13:22
  • Boto3 doesn't know whether they're private or not - the default is to sign the URL so that it can be accessed either way. If they're public you can apply the setting so that the signature is left out of the URL – r3m0t May 10 '17 at 11:58
5

Works for me: AWS_QUERYSTRING_AUTH = False

using this https://github.com/mstarinteractive/django-s3storage

from myapp.s3storage import S3BotoStorage
from django.contrib.staticfiles.storage import CachedFilesMixin


class CachedStaticS3BotoStorage(CachedFilesMixin, S3BotoStorage):

    """Extends S3BotoStorage to save static files with hashed filenames."""
    pass
StaticRootS3BotoStorage = lambda: CachedStaticS3BotoStorage(location='static')
oskargicast
  • 667
  • 1
  • 7
  • 14
0

It's weird behaviour: Google Docs previewer will work and display a preview without the parameters, but will say no preview available if boto appends the signature.

<iframe src="{% trans "https://docs.google.com/viewer?embedded=true&amp;url=" %}{{ document.file.url }}" width="451" height="390" style="border: none;"></iframe>

I must be missing something.

PierreS
  • 241
  • 2
  • 8
  • You need to encode the S3 Presigned URL before passing it to the Google Doc Viewer as it contains some special characters https://stackoverflow.com/questions/45147600/google-doc-viewer-doesnt-work-with-amazon-s3-signed-urls – Alexandre Paroissien Jun 09 '19 at 02:52