boto.exception.S3ResponseError：S3ResponseError：403禁止

Question

我试图让Django的静态文件上传到S3，但istead我得到一个403 Forbidden错误，我不知道为什么。

完整堆栈跟踪：

Traceback (most recent call last): 
    File "manage.py", line 14, in <module> 
    execute_manager(settings) 
    File "/home/levi/Projects/DoneBox/.virtualenv/local/lib/python2.7/site-packages/django/core/management/__init__.py", line 438, in execute_manager 
    utility.execute() 
    File "/home/levi/Projects/DoneBox/.virtualenv/local/lib/python2.7/site-packages/django/core/management/__init__.py", line 379, in execute 
    self.fetch_command(subcommand).run_from_argv(self.argv) 
    File "/home/levi/Projects/DoneBox/.virtualenv/local/lib/python2.7/site-packages/django/core/management/base.py", line 191, in run_from_argv 
    self.execute(*args, **options.__dict__) 
    File "/home/levi/Projects/DoneBox/.virtualenv/local/lib/python2.7/site-packages/django/core/management/base.py", line 220, in execute 
    output = self.handle(*args, **options) 
    File "/home/levi/Projects/DoneBox/.virtualenv/local/lib/python2.7/site-packages/django/core/management/base.py", line 351, in handle 
    return self.handle_noargs(**options) 
    File "/home/levi/Projects/DoneBox/.virtualenv/local/lib/python2.7/site-packages/django/contrib/staticfiles/management/commands/collectstatic.py", line 89, in handle_noargs 
    self.copy_file(path, prefixed_path, storage, **options) 
    File "/home/levi/Projects/DoneBox/.virtualenv/local/lib/python2.7/site-packages/django/contrib/staticfiles/management/commands/collectstatic.py", line 184, in copy_file 
    if not self.delete_file(path, prefixed_path, source_storage, **options): 
    File "/home/levi/Projects/DoneBox/.virtualenv/local/lib/python2.7/site-packages/django/contrib/staticfiles/management/commands/collectstatic.py", line 115, in delete_file 
    if self.storage.exists(prefixed_path): 
    File "/home/levi/Projects/DoneBox/.virtualenv/local/lib/python2.7/site-packages/storages/backends/s3boto.py", line 209, in exists 
    return k.exists() 
    File "/home/levi/Projects/DoneBox/.virtualenv/local/lib/python2.7/site-packages/boto/s3/key.py", line 391, in exists 
    return bool(self.bucket.lookup(self.name)) 
    File "/home/levi/Projects/DoneBox/.virtualenv/local/lib/python2.7/site-packages/boto/s3/bucket.py", line 143, in lookup 
    return self.get_key(key_name, headers=headers) 
    File "/home/levi/Projects/DoneBox/.virtualenv/local/lib/python2.7/site-packages/boto/s3/bucket.py", line 208, in get_key 
    response.status, response.reason, '') 
boto.exception.S3ResponseError: S3ResponseError: 403 Forbidden 

settings.py的内容：

import os 
DIRNAME = os.path.dirname(__file__) 
# Django settings for DoneBox project. 

DEBUG = True 
TEMPLATE_DEBUG = DEBUG 

ADMINS = (
    # ('Your Name', 'your_email@example.com'), 
) 

MANAGERS = ADMINS 

DATABASES = { 
    'default': { 
     'ENGINE': 'django.db.backends.sqlite3', # Add 'postgresql_psycopg2', 'postgresql', 'mysql', 'sqlite3' or 'oracle'. 
     'NAME': os.path.join(DIRNAME, "box.sqlite"),      # Or path to database file if using sqlite3. 
     'USER': '',      # Not used with sqlite3. 
     'PASSWORD': '',     # Not used with sqlite3. 
     'HOST': '',      # Set to empty string for localhost. Not used with sqlite3. 
     'PORT': '',      # Set to empty string for default. Not used with sqlite3. 
    } 
} 

# Local time zone for this installation. Choices can be found here: 
# http://en.wikipedia.org/wiki/List_of_tz_zones_by_name 
# although not all choices may be available on all operating systems. 
# On Unix systems, a value of None will cause Django to use the same 
# timezone as the operating system. 
# If running in a Windows environment this must be set to the same as your 
# system time zone. 
TIME_ZONE = 'America/Denver' 

# Language code for this installation. All choices can be found here: 
# http://www.i18nguy.com/unicode/language-identifiers.html 
LANGUAGE_CODE = 'en-us' 

SITE_ID = 1 

# If you set this to False, Django will make some optimizations so as not 
# to load the internationalization machinery. 
USE_I18N = True 

# If you set this to False, Django will not format dates, numbers and 
# calendars according to the current locale 
USE_L10N = True 

# Absolute filesystem path to the directory that will hold user-uploaded files. 
# Example: "/home/media/media.lawrence.com/media/" 
MEDIA_ROOT = '' 

# URL that handles the media served from MEDIA_ROOT. Make sure to use a 
# trailing slash. 
# Examples: "http://media.lawrence.com/media/", "http://example.com/media/" 
MEDIA_URL = "d1eyn4cjl5vzx0.cloudfront.net" 

# Absolute path to the directory static files should be collected to. 
# Don't put anything in this directory yourself; store your static files 
# in apps' "static/" subdirectories and in STATICFILES_DIRS. 
# Example: "/home/media/media.lawrence.com/static/" 
STATIC_ROOT = os.path.join(DIRNAME, "static") 

# URL prefix for static files. 
# Example: "http://media.lawrence.com/static/" 
STATIC_URL = "d280kzug7l5rug.cloudfront.net" 

# URL prefix for admin static files -- CSS, JavaScript and images. 
# Make sure to use a trailing slash. 
# Examples: "http://foo.com/static/admin/", "/static/admin/". 
ADMIN_MEDIA_PREFIX = '/static/admin/' 

# Additional locations of static files 
STATICFILES_DIRS = (
    # Put strings here, like "/home/html/static" or "C:/www/django/static". 
    # Always use forward slashes, even on Windows. 
    # Don't forget to use absolute paths, not relative paths. 
    os.path.join(DIRNAME, "main", "static"), 
) 

# List of finder classes that know how to find static files in 
# various locations. 
STATICFILES_FINDERS = (
    'django.contrib.staticfiles.finders.FileSystemFinder', 
    'django.contrib.staticfiles.finders.AppDirectoriesFinder', 
    'django.contrib.staticfiles.finders.DefaultStorageFinder', 
) 

# Make this unique, and don't share it with anybody. 
SECRET_KEY = '<snip>' 

# List of callables that know how to import templates from various sources. 
TEMPLATE_LOADERS = (
    'django.template.loaders.filesystem.Loader', 
    'django.template.loaders.app_directories.Loader', 
    'django.template.loaders.eggs.Loader', 
) 

MIDDLEWARE_CLASSES = (
    'django.middleware.common.CommonMiddleware', 
    'django.contrib.sessions.middleware.SessionMiddleware', 
    'django.middleware.csrf.CsrfViewMiddleware', 
    'django.contrib.auth.middleware.AuthenticationMiddleware', 
    'django.contrib.messages.middleware.MessageMiddleware', 
) 

ROOT_URLCONF = 'DoneBox.urls' 

TEMPLATE_DIRS = (
    # Put strings here, like "/home/html/django_templates" or "C:/www/django/templates". 
    # Always use forward slashes, even on Windows. 
    # Don't forget to use absolute paths, not relative paths. 
    os.path.join(DIRNAME, "main", "templates"), 
    os.path.join(DIRNAME, "templates"), 
    os.path.join(DIRNAME, "basic", "blog", "templates"), 
) 

INSTALLED_APPS = (
    'django.contrib.auth', 
    'django.contrib.contenttypes', 
    'django.contrib.sessions', 
    'django.contrib.sites', 
    'django.contrib.messages', 
    'django.contrib.staticfiles', 
    'django.contrib.sitemaps', 
    # Uncomment the next line to enable the admin: 
    'django.contrib.admin', 
    # Uncomment the next line to enable admin documentation: 
    'storages', 
    'django.contrib.admindocs', 
    'main', 
    'contacts', 
    'piston', 
    'registration', 
# 'contact_form', 
    'basic', 
    'basic.blog', 
) 

# A sample logging configuration. The only tangible logging 
# performed by this configuration is to send an email to 
# the site admins on every HTTP 500 error. 
# See http://docs.djangoproject.com/en/dev/topics/logging for 
# more details on how to customize your logging configuration. 
LOGGING = { 
    'version': 1, 
    'disable_existing_loggers': False, 
    'handlers': { 
     'mail_admins': { 
      'level': 'ERROR', 
      'class': 'django.utils.log.AdminEmailHandler' 
     } 
    }, 
    'loggers': { 
     'django.request': { 
      'handlers': ['mail_admins'], 
      'level': 'DEBUG', 
      'propagate': True, 
     }, 
     'django.db.backends': { 
      'handlers': ['mail_admins'], 
      'level': 'DEBUG', 
      'propagate': True, 
     } 
    } 
} 

DEFAULT_FILE_STORAGE = 'storages.backends.s3boto.S3BotoStorage' 
AWS_ACCESS_KEY_ID = '<snip>' 
AWS_SECRET_ACCESS_KEY = '<snip>' 
STATICFILES_STORAGE = 'storages.backends.s3boto.S3BotoStorage' 
AWS_STORAGE_BUCKET_NAME = "donebox-static" 
STATIC_FILES_BUCKET = "donebox-static" 
MEDIA_FILES_BUCKET = "donebox-media" 
ACCOUNT_ACTIVATION_DAYS = 7 

EMAIL_HOST = "email-smtp.us-east-1.amazonaws.com" 
EMAIL_HOST_USER = '<snip>' 
EMAIL_HOST_PASSWORD = '<snip>' 
EMAIL_PORT = 587 
EMAIL_USE_TLS = True 
TEMPLATE_CONTEXT_PROCESSORS = (
    "django.contrib.auth.context_processors.auth", 
    "django.core.context_processors.debug", 
    "django.core.context_processors.i18n", 
    "django.core.context_processors.media", 
    "django.core.context_processors.static", 
    "django.contrib.messages.context_processors.messages", 
    "DoneBox.main.context_processors_PandC", 
    ) 

requirements.pip的内容：

django==1.3 
django-storages==1.1.4 
django-registration==0.8 
django-piston==0.2.3 
django-tagging==0.3.1 
django-extensions==0.8 
BeautifulSoup==3.2.1 
boto==2.4.1 
mysql-python==1.2.3 
tweepy==1.9 
feedparser==5.1.2 
pycrypto==2.6 

谷歌搜索这个异常没有任何有趣的东西。我怀疑我配置错了，尽管我不确定。有人能指出我正确的方向吗？感谢您的时间和考虑。

Answer 1

我使用Amazon IAM的特定密钥ID和访问密钥，只是碰到了禁止同403 ...原来你需要给该目标都桶根及其子对象的权限：

{ 
    "Statement": [ 
    { 
     "Principal": { 
      "AWS": "*" 
     }, 
     "Effect": "Allow", 
     "Action": "s3:*", 
     "Resource": ["arn:aws:s3:::bucket-name/*", "arn:aws:s3:::bucket-name"] 
    } 
    ] 
} 

Answer 2

我会建议您尝试单独测试你的AWS证书来验证证书是否的确需要权限读取和写入数据到S3桶。以下应该工作：

>>> import boto 
>>> s3 = boto.connect_s3('<access_key>', '<secret_key>') 
>>> bucket = s3.lookup('donebox-static') 
>>> key = bucket.new_key('testkey') 
>>> key.set_contents_from_string('This is a test') 
>>> key.exists() 
>>> key.delete() 

您应该尝试与其他存储桶（'donebox-media'）相同的测试。如果这有效，权限是正确的，问题在于Django存储代码或配置。如果失败了403，那么：

• 的access_key/SECRET_KEY字符串不正确
• 的access_key/SECRET_KEY是正确的，但该帐户没有必要的权限来写入桶

我希望帮助。请报告你的发现。

Answer 3

我有同样的问题，最后发现真正的问题是服务器时间。 配置错误，AWS响应403 FORBIDDEN。

使用Debian，你可以自动配置使用NTP：

ntpdate 0.pool.ntp.org

Answer 4

这也将是您的机器的时间设置不正确

Answer 5

如果这可以帮助任何人，我不得不添加了collectstatic以下配置条目工作，不返回403：

AWS_DEFAULT_ACL = '' 

Answer 6

另一种避免自定义策略和使用AWS预定义策略的解决方案：

• 将S3完全访问权限添加到您的S3用户。

  • IAM/用户/权限和附加政策
  • 添加策略“AmazonS3FullAccess”

Answer 7

它也有可能是错误的凭据正在使用。为了验证：

import boto 
s3 = boto.connect_s3('<your access key>', '<your secret key>') 
bucket = s3.get_bucket('<your bucket>') # does this work? 
s3 = boto.connect_s3() 
s3.aws_access_key_id # is the same key being used by default? 

如果没有，看看~/.boto，~/.aws/config和~/.aws/credentials。

Answer 8

这是用最小权限的细化。 在所有情况下，如所讨论elsewheres3:ListAllMyBuckets是所有桶必要的。

在其默认的配置Django的存储器将文件上传到S3与公共读取权限 - 见django-storages Amazon S3 backend

反复试验表明，在此默认配置所需的只有两个权限s3:PutObject上传的文件第一个和​​将该对象的权限设置为public。

没有额外的行动，因为从该点向前读是公开的对象总是需要的。

IAM用户策略 - 大众阅读的（默认）：

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
     { 
      "Effect": "Allow", 
      "Action": "s3:ListAllMyBuckets", 
      "Resource": "arn:aws:s3:::*" 
     }, 
     { 
      "Effect": "Allow", 
      "Action": [ 
       "s3:PutObject", 
       "s3:PutObjectAcl" 
      ], 
      "Resource": "arn:aws:s3:::bucketname/*" 
     } 
    ] 
} 

并不总是希望有对象公开可读。这是通过在设置文件中设置相关属性来实现的。

Django的settings.py：

... 
AWS_DEFAULT_ACL = "private" 
... 

然后是​​不再需要和最小权限如下：

IAM用户策略 - 私募：

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
     { 
      "Effect": "Allow", 
      "Action": "s3:ListAllMyBuckets", 
      "Resource": "arn:aws:s3:::*" 
     }, 
     { 
      "Effect": "Allow", 
      "Action": [ 
       "s3:PutObject", 
       "s3:GetObject" 
      ], 
      "Resource": "arn:aws:s3:::bucketname/*" 
     } 
    ] 
} 

Answer 9

也许你本身没有获得你想要查找/获取/创建桶..

记住：桶名称必须在整个S3生态系统独特，因此，如果您尝试访问（查找/获取/创建）名为'test'的存储桶将无法访问它。