Can't set S3 policy for HEAD operations (403 - Forbidden)
I'm using Django with the django-storages library to upload my model's files to S3 and need to add a policy to block direct downloading from the bucket's URLs.
I have achieved that by setting the policy below (check the Referer), but this resulted in a problem when I make use of the library's auto-rename function. My current policy:
    {
        "Version": "2012-10-17",
        "Id": "Policy1542209806458",
        "Statement": [
            {
                "Sid": "Block access globally except by the indicated referers.",
                "Effect": "Deny",
                "Principal": "*",
                "Action": [
                    "s3:GetObject"
                ],
                "Resource": "arn:aws:s3:::my-bucket/subfolder/*",
                "Condition": {
                    "StringNotLike": {
                        "aws:Referer": [
                            "http://ref.localhost:8000/*",
                            "http://localhost:8000/*"
                        ]
                    }
                }
            }
        ]
    }
By debugging I found out that when the library tries to execute a HEAD request to get the existing file information (which will indicate the need for renaming) the response is an HTTP 403 error. I have tried including the Actions below (from other sources and the documentation) to have more permissive access, but the same problem persists.
    "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:GetObjectAcl",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion"
    ]
I have no such problem when adding new files with unique names, only when renaming is necessary.
amazon-web-services amazon-s3 amazon-policy
asked Nov 19 '18 at 17:05
icarovirtual
Setting "Action": "*" also does not solve the problem. The only way it worked was by removing the policy.
– icarovirtual
Nov 19 '18 at 17:38
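As an added example, not part of the question and not code from django-storages or AWS, the following is a miniature evaluator of the posted Deny statement: it reproduces the denied HEAD and shows why adding more actions to the Deny (or setting it to "*") cannot help, since a Deny statement can only ever deny more requests. It assumes that S3 HeadObject is authorised by s3:GetObject, that boto3 sends no Referer header on its own requests, and that an aws:Referer key absent from the request makes StringNotLike hold (a placeholder object key and a constructed foreign Referer are used in the checks).

```python
"""Miniature evaluator for the Deny statement posted in the question (added
example, not from the original post). Assumptions, all labelled here:
- S3 HeadObject is authorised by the same IAM action as GetObject, s3:GetObject.
- boto3 (which django-storages uses) sends no Referer header of its own.
- An aws:Referer key absent from the request counts as "not like" under
  StringNotLike, so the Deny applies; this reproduces the reported 403 on HEAD.
"""
import copy
from fnmatch import fnmatchcase
POLICY = {  # the posted policy, reduced to the fields the evaluator reads
    "Statement": [{
        "Effect": "Deny",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::my-bucket/subfolder/*",
        "Condition": {"StringNotLike": {"aws:Referer": [
            "http://ref.localhost:8000/*", "http://localhost:8000/*"]}},
    }]
}
# IAM action each S3 API operation needs (assumption: HEAD needs s3:GetObject).
API_TO_ACTION = {"GetObject": "s3:GetObject", "HeadObject": "s3:GetObject",
                 "PutObject": "s3:PutObject"}

def _matches(patterns, value):
    """IAM-style wildcard match of value against one pattern or a list."""
    pats = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatchcase(value, p) for p in pats)

def _string_not_like(kv, ctx):
    """True when each key's request value matches none of its patterns; a key missing from ctx also counts as "not like"."""
    return all(ctx.get(k) is None or not _matches(p, ctx[k]) for k, p in kv.items())

def evaluate(policy, api_call, resource, ctx):
    """"Deny" if a Deny statement matches, else "NotDenied" (actual access then depends on other grants)."""
    action = API_TO_ACTION[api_call]
    for st in policy["Statement"]:
        if st["Effect"] != "Deny" or not _matches(st["Action"], action):
            continue
        if not _matches(st["Resource"], resource):
            continue
        cond = st.get("Condition", {})  # only StringNotLike is modelled here
        if all(op == "StringNotLike" and _string_not_like(kv, ctx) for op, kv in cond.items()):
            return "Deny"
    return "NotDenied"

def with_actions(policy, actions):
    """Copy of the policy with the Deny's Action replaced, as the poster tried
    (a longer list, then "*"): widening a Deny can only deny more requests."""
    new = copy.deepcopy(policy)
    new["Statement"][0]["Action"] = actions
    return new
```

Because aws:Referer is a header supplied by the client, a policy like this discourages casual hotlinking but does not authenticate the caller; the application's own credentials, not the Referer, are what should distinguish its requests from public ones.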