boto.exception.S3ResponseError：S3ResponseError：403禁止

Question

我試圖讓Django的靜態文件上傳到S3，但istead我得到一個403 Forbidden錯誤，我不知道爲什麼。

完整堆棧跟蹤：

Traceback (most recent call last): 
    File "manage.py", line 14, in <module> 
    execute_manager(settings) 
    File "/home/levi/Projects/DoneBox/.virtualenv/local/lib/python2.7/site-packages/django/core/management/__init__.py", line 438, in execute_manager 
    utility.execute() 
    File "/home/levi/Projects/DoneBox/.virtualenv/local/lib/python2.7/site-packages/django/core/management/__init__.py", line 379, in execute 
    self.fetch_command(subcommand).run_from_argv(self.argv) 
    File "/home/levi/Projects/DoneBox/.virtualenv/local/lib/python2.7/site-packages/django/core/management/base.py", line 191, in run_from_argv 
    self.execute(*args, **options.__dict__) 
    File "/home/levi/Projects/DoneBox/.virtualenv/local/lib/python2.7/site-packages/django/core/management/base.py", line 220, in execute 
    output = self.handle(*args, **options) 
    File "/home/levi/Projects/DoneBox/.virtualenv/local/lib/python2.7/site-packages/django/core/management/base.py", line 351, in handle 
    return self.handle_noargs(**options) 
    File "/home/levi/Projects/DoneBox/.virtualenv/local/lib/python2.7/site-packages/django/contrib/staticfiles/management/commands/collectstatic.py", line 89, in handle_noargs 
    self.copy_file(path, prefixed_path, storage, **options) 
    File "/home/levi/Projects/DoneBox/.virtualenv/local/lib/python2.7/site-packages/django/contrib/staticfiles/management/commands/collectstatic.py", line 184, in copy_file 
    if not self.delete_file(path, prefixed_path, source_storage, **options): 
    File "/home/levi/Projects/DoneBox/.virtualenv/local/lib/python2.7/site-packages/django/contrib/staticfiles/management/commands/collectstatic.py", line 115, in delete_file 
    if self.storage.exists(prefixed_path): 
    File "/home/levi/Projects/DoneBox/.virtualenv/local/lib/python2.7/site-packages/storages/backends/s3boto.py", line 209, in exists 
    return k.exists() 
    File "/home/levi/Projects/DoneBox/.virtualenv/local/lib/python2.7/site-packages/boto/s3/key.py", line 391, in exists 
    return bool(self.bucket.lookup(self.name)) 
    File "/home/levi/Projects/DoneBox/.virtualenv/local/lib/python2.7/site-packages/boto/s3/bucket.py", line 143, in lookup 
    return self.get_key(key_name, headers=headers) 
    File "/home/levi/Projects/DoneBox/.virtualenv/local/lib/python2.7/site-packages/boto/s3/bucket.py", line 208, in get_key 
    response.status, response.reason, '') 
boto.exception.S3ResponseError: S3ResponseError: 403 Forbidden 

settings.py的內容：

import os 
DIRNAME = os.path.dirname(__file__) 
# Django settings for DoneBox project. 

DEBUG = True 
TEMPLATE_DEBUG = DEBUG 

ADMINS = (
    # ('Your Name', 'your_email@example.com'), 
) 

MANAGERS = ADMINS 

DATABASES = { 
    'default': { 
     'ENGINE': 'django.db.backends.sqlite3', # Add 'postgresql_psycopg2', 'postgresql', 'mysql', 'sqlite3' or 'oracle'. 
     'NAME': os.path.join(DIRNAME, "box.sqlite"),      # Or path to database file if using sqlite3. 
     'USER': '',      # Not used with sqlite3. 
     'PASSWORD': '',     # Not used with sqlite3. 
     'HOST': '',      # Set to empty string for localhost. Not used with sqlite3. 
     'PORT': '',      # Set to empty string for default. Not used with sqlite3. 
    } 
} 

# Local time zone for this installation. Choices can be found here: 
# http://en.wikipedia.org/wiki/List_of_tz_zones_by_name 
# although not all choices may be available on all operating systems. 
# On Unix systems, a value of None will cause Django to use the same 
# timezone as the operating system. 
# If running in a Windows environment this must be set to the same as your 
# system time zone. 
TIME_ZONE = 'America/Denver' 

# Language code for this installation. All choices can be found here: 
# http://www.i18nguy.com/unicode/language-identifiers.html 
LANGUAGE_CODE = 'en-us' 

SITE_ID = 1 

# If you set this to False, Django will make some optimizations so as not 
# to load the internationalization machinery. 
USE_I18N = True 

# If you set this to False, Django will not format dates, numbers and 
# calendars according to the current locale 
USE_L10N = True 

# Absolute filesystem path to the directory that will hold user-uploaded files. 
# Example: "/home/media/media.lawrence.com/media/" 
MEDIA_ROOT = '' 

# URL that handles the media served from MEDIA_ROOT. Make sure to use a 
# trailing slash. 
# Examples: "http://media.lawrence.com/media/", "http://example.com/media/" 
MEDIA_URL = "d1eyn4cjl5vzx0.cloudfront.net" 

# Absolute path to the directory static files should be collected to. 
# Don't put anything in this directory yourself; store your static files 
# in apps' "static/" subdirectories and in STATICFILES_DIRS. 
# Example: "/home/media/media.lawrence.com/static/" 
STATIC_ROOT = os.path.join(DIRNAME, "static") 

# URL prefix for static files. 
# Example: "http://media.lawrence.com/static/" 
STATIC_URL = "d280kzug7l5rug.cloudfront.net" 

# URL prefix for admin static files -- CSS, JavaScript and images. 
# Make sure to use a trailing slash. 
# Examples: "http://foo.com/static/admin/", "/static/admin/". 
ADMIN_MEDIA_PREFIX = '/static/admin/' 

# Additional locations of static files 
STATICFILES_DIRS = (
    # Put strings here, like "/home/html/static" or "C:/www/django/static". 
    # Always use forward slashes, even on Windows. 
    # Don't forget to use absolute paths, not relative paths. 
    os.path.join(DIRNAME, "main", "static"), 
) 

# List of finder classes that know how to find static files in 
# various locations. 
STATICFILES_FINDERS = (
    'django.contrib.staticfiles.finders.FileSystemFinder', 
    'django.contrib.staticfiles.finders.AppDirectoriesFinder', 
    'django.contrib.staticfiles.finders.DefaultStorageFinder', 
) 

# Make this unique, and don't share it with anybody. 
SECRET_KEY = '<snip>' 

# List of callables that know how to import templates from various sources. 
TEMPLATE_LOADERS = (
    'django.template.loaders.filesystem.Loader', 
    'django.template.loaders.app_directories.Loader', 
    'django.template.loaders.eggs.Loader', 
) 

MIDDLEWARE_CLASSES = (
    'django.middleware.common.CommonMiddleware', 
    'django.contrib.sessions.middleware.SessionMiddleware', 
    'django.middleware.csrf.CsrfViewMiddleware', 
    'django.contrib.auth.middleware.AuthenticationMiddleware', 
    'django.contrib.messages.middleware.MessageMiddleware', 
) 

ROOT_URLCONF = 'DoneBox.urls' 

TEMPLATE_DIRS = (
    # Put strings here, like "/home/html/django_templates" or "C:/www/django/templates". 
    # Always use forward slashes, even on Windows. 
    # Don't forget to use absolute paths, not relative paths. 
    os.path.join(DIRNAME, "main", "templates"), 
    os.path.join(DIRNAME, "templates"), 
    os.path.join(DIRNAME, "basic", "blog", "templates"), 
) 

INSTALLED_APPS = (
    'django.contrib.auth', 
    'django.contrib.contenttypes', 
    'django.contrib.sessions', 
    'django.contrib.sites', 
    'django.contrib.messages', 
    'django.contrib.staticfiles', 
    'django.contrib.sitemaps', 
    # Uncomment the next line to enable the admin: 
    'django.contrib.admin', 
    # Uncomment the next line to enable admin documentation: 
    'storages', 
    'django.contrib.admindocs', 
    'main', 
    'contacts', 
    'piston', 
    'registration', 
# 'contact_form', 
    'basic', 
    'basic.blog', 
) 

# A sample logging configuration. The only tangible logging 
# performed by this configuration is to send an email to 
# the site admins on every HTTP 500 error. 
# See http://docs.djangoproject.com/en/dev/topics/logging for 
# more details on how to customize your logging configuration. 
LOGGING = { 
    'version': 1, 
    'disable_existing_loggers': False, 
    'handlers': { 
     'mail_admins': { 
      'level': 'ERROR', 
      'class': 'django.utils.log.AdminEmailHandler' 
     } 
    }, 
    'loggers': { 
     'django.request': { 
      'handlers': ['mail_admins'], 
      'level': 'DEBUG', 
      'propagate': True, 
     }, 
     'django.db.backends': { 
      'handlers': ['mail_admins'], 
      'level': 'DEBUG', 
      'propagate': True, 
     } 
    } 
} 

DEFAULT_FILE_STORAGE = 'storages.backends.s3boto.S3BotoStorage' 
AWS_ACCESS_KEY_ID = '<snip>' 
AWS_SECRET_ACCESS_KEY = '<snip>' 
STATICFILES_STORAGE = 'storages.backends.s3boto.S3BotoStorage' 
AWS_STORAGE_BUCKET_NAME = "donebox-static" 
STATIC_FILES_BUCKET = "donebox-static" 
MEDIA_FILES_BUCKET = "donebox-media" 
ACCOUNT_ACTIVATION_DAYS = 7 

EMAIL_HOST = "email-smtp.us-east-1.amazonaws.com" 
EMAIL_HOST_USER = '<snip>' 
EMAIL_HOST_PASSWORD = '<snip>' 
EMAIL_PORT = 587 
EMAIL_USE_TLS = True 
TEMPLATE_CONTEXT_PROCESSORS = (
    "django.contrib.auth.context_processors.auth", 
    "django.core.context_processors.debug", 
    "django.core.context_processors.i18n", 
    "django.core.context_processors.media", 
    "django.core.context_processors.static", 
    "django.contrib.messages.context_processors.messages", 
    "DoneBox.main.context_processors_PandC", 
    ) 

requirements.pip的內容：

django==1.3 
django-storages==1.1.4 
django-registration==0.8 
django-piston==0.2.3 
django-tagging==0.3.1 
django-extensions==0.8 
BeautifulSoup==3.2.1 
boto==2.4.1 
mysql-python==1.2.3 
tweepy==1.9 
feedparser==5.1.2 
pycrypto==2.6 

谷歌搜索這個異常沒有任何有趣的東西。我懷疑我配置錯了，儘管我不確定。有人能指出我正確的方向嗎？感謝您的時間和考慮。

Answer 1

我使用Amazon IAM的特定密鑰ID和訪問密鑰，只是碰到了禁止同403 ...原來你需要給該目標都桶根及其子對象的權限：

{ 
    "Statement": [ 
    { 
     "Principal": { 
      "AWS": "*" 
     }, 
     "Effect": "Allow", 
     "Action": "s3:*", 
     "Resource": ["arn:aws:s3:::bucket-name/*", "arn:aws:s3:::bucket-name"] 
    } 
    ] 
} 

Answer 2

我會建議您嘗試單獨測試你的AWS證書來驗證證書是否的確需要權限讀取和寫入數據到S3桶。以下應該工作：

>>> import boto 
>>> s3 = boto.connect_s3('<access_key>', '<secret_key>') 
>>> bucket = s3.lookup('donebox-static') 
>>> key = bucket.new_key('testkey') 
>>> key.set_contents_from_string('This is a test') 
>>> key.exists() 
>>> key.delete() 

您應該嘗試與其他存儲桶（'donebox-media'）相同的測試。如果這有效，權限是正確的，問題在於Django存儲代碼或配置。如果失敗了403，那麼：

• 的access_key/SECRET_KEY字符串不正確
• 的access_key/SECRET_KEY是正確的，但該帳戶沒有必要的權限來寫入桶

我希望幫助。請報告你的發現。

Answer 3

我有同樣的問題，最後發現真正的問題是服務器時間。 配置錯誤，AWS響應403 FORBIDDEN。

使用Debian，你可以自動配置使用NTP：

ntpdate 0.pool.ntp.org

Answer 4

這也將是您的機器的時間設置不正確

Answer 5

如果這可以幫助任何人，我不得不添加了collectstatic以下配置條目工作，不返回403：

AWS_DEFAULT_ACL = '' 

Answer 6

另一種避免自定義策略和使用AWS預定義策略的解決方案：

• 將S3完全訪問權限添加到您的S3用戶。

  • IAM/用戶/權限和附加政策
  • 添加策略「AmazonS3FullAccess」

Answer 7

它也有可能是錯誤的憑據正在使用。爲了驗證：

import boto 
s3 = boto.connect_s3('<your access key>', '<your secret key>') 
bucket = s3.get_bucket('<your bucket>') # does this work? 
s3 = boto.connect_s3() 
s3.aws_access_key_id # is the same key being used by default? 

如果沒有，看看~/.boto，~/.aws/config和~/.aws/credentials。

Answer 8

這是用最小權限的細化。 在所有情況下，如所討論elsewheres3:ListAllMyBuckets是所有桶必要的。

在其默認的配置Django的存儲器將文件上傳到S3與公共讀取權限 - 見django-storages Amazon S3 backend

反覆試驗表明，在此默認配置所需的只有兩個權限s3:PutObject上傳的文件第一個和​​將該對象的權限設置爲public。

沒有額外的行動，因爲從該點向前讀是公開的對象總是需要的。

IAM用戶策略 - 大衆閱讀的（默認）：

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
     { 
      "Effect": "Allow", 
      "Action": "s3:ListAllMyBuckets", 
      "Resource": "arn:aws:s3:::*" 
     }, 
     { 
      "Effect": "Allow", 
      "Action": [ 
       "s3:PutObject", 
       "s3:PutObjectAcl" 
      ], 
      "Resource": "arn:aws:s3:::bucketname/*" 
     } 
    ] 
} 

並不總是希望有對象公開可讀。這是通過在設置文件中設置相關屬性來實現的。

Django的settings.py：

... 
AWS_DEFAULT_ACL = "private" 
... 

然後是​​不再需要和最小權限如下：

IAM用戶策略 - 私募：

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
     { 
      "Effect": "Allow", 
      "Action": "s3:ListAllMyBuckets", 
      "Resource": "arn:aws:s3:::*" 
     }, 
     { 
      "Effect": "Allow", 
      "Action": [ 
       "s3:PutObject", 
       "s3:GetObject" 
      ], 
      "Resource": "arn:aws:s3:::bucketname/*" 
     } 
    ] 
} 

Answer 9

也許你本身沒有獲得你想要查找/獲取/創建桶..

記住：桶名稱必須在整個S3生態系統獨特，因此，如果您嘗試訪問（查找/獲取/創建）名爲'test'的存儲桶將無法訪問它。