What permissions does django-storages require for an s3 IAM user?

Question

As the question asks, what are the minimum required permissions for a locked down s3 IAM user to use django-storages successfully? At the present time I've used something like

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListAllMyBuckets"],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket",
                 "s3:GetBucketLocation",
                 "s3:ListBucketMultipartUploads",
                 "s3:ListBucketVersions"],
      "Resource": "arn:aws:s3:::bucket-name"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:*Object*",
                 "s3:ListMultipartUploadParts",
                 "s3:AbortMultipartUpload"],
      "Resource": "arn:aws:s3:::bucket-name/*"
    }
  ]
}

Which may actually be overkill. Any further ideas?

One thing you may surely strip is the 's3:ListAllMyBuckets' action. S3 backend of django-storages would never get the list of your buckets. — vvd, Oct 24 '12 at 11:50

score 10 · Accepted Answer · edited Apr 18 '19 at 13:20

Fiver's answer is not enough to run collectstatic in django-storages. I used everything @jvc26 did except for s3:ListAllMyBuckets. I would assume s3:ListBucketVersions is not needed either.

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket",
                 "s3:GetBucketLocation",
                 "s3:ListBucketMultipartUploads",
                 "s3:ListBucketVersions"],
      "Resource": "arn:aws:s3:::bucket-name"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:*Object*",
                 "s3:ListMultipartUploadParts",
                 "s3:AbortMultipartUpload"],
      "Resource": "arn:aws:s3:::bucket-name/*"
    }
  ]
}

score 3 · Answer 2 · answered Aug 07 '13 at 01:28

I'm not 100% sure about django-storages, as I use cuddly-buddly which is based on the S3 portion of django-storages. I just found cuddlybuddly simpler to use and worked better, plus the name is awesome!

Anyway, I have a project using Django+S3 and found the following AWS policy as the minimum required for my project:

{
  "Version": "2008-10-17",
  "Id": "Policy123",
  "Statement": [
    {
      "Sid": "Stmt123",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::some-aws-user"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::bucket-name"
    },
    {
      "Sid": "Stmt234",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::some-aws-user"
      },
      "Action": [
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::bucket-name/*"
    }
  ]
}

I have Django views that need to upload, retrieve, and delete so those corresponding actions can be used/omitted based on your needs. Obviously, anyone will need to change the user and bucket name.

Also, just for completeness as it wasn't obvious to me, note the following restrictions regarding AWS policies:

The maximum size of a policy is 20 KB

The value for Resource must be prefixed with the bucket name or the bucket name and a path under it (bucket/). If only the bucket name is specified, without the trailing /, the policy applies to the bucket.

Each policy must have a unique policy ID (Id)

Each statement in a policy must have a unique statement ID (sid)

Each policy must cover only a single bucket and resources within that bucket (when writing a policy, don't include statements that refer to other buckets or resources in other buckets)

Finally, to anyone tempted to do so, don't change the date value in the Version key, Amazon uses this value to parse the policy format.

Hope this helps!

score 2 · Answer 3 · answered Jun 28 '20 at 03:31

2

Refer to official Django Storages official documentation here: https://django-storages.readthedocs.io/en/latest/backends/amazon-S3.html#iam-policy

You can simply copy and paste that permission into you IAM policy.

answered Jun 28 '20 at 03:31

sdil

41
1
5

score 0 · Answer 4 · answered Jan 25 '15 at 14:32

that works for me:

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:ListBucketMultipartUploads",
                "s3:ListBucketVersions"
            ],
            "Resource": "arn:aws:s3:::bucket_name_here"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:*Object*",
                "s3:ListMultipartUploadParts",
                "s3:AbortMultipartUpload"
            ],
            "Resource": "arn:aws:s3:::bucket_name_here/*"
        }
    ]
}

score 0 · Answer 5 · answered May 31 '21 at 18:45

0

I think no matter you use IAM, or other type of permissions, a worldwide read access should be given. So I got succeeded with this configuration:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::buuuuu",
                "arn:aws:s3:::buuuuu/*"
            ]
        }
    ]
}

answered May 31 '21 at 18:45

Raymond Reddington

1,709
1
13
21

It still depends. For example, if you want to use presigned urls and have control over who have access to your objects on application level, you definitely don't want to give public GetObject to everyone. – wisp Jun 04 '21 at 07:01

What permissions does django-storages require for an s3 IAM user?

5 Answers5

Linked