具有IAM角色的Django Storage S3存储桶访问

I have an EC2 instance attached with an IAM Role. That role has full s3 access. The aws cli work perfectly, and so does the meta-data curl check to get the temporary Access and Secret keys.

我有一个附加了IAM角色的EC2实例。该角色具有完整的s3访问权限。 aws cli工作得很好,元数据卷曲检查也可以获得临时的Access和Secret密钥。

I have also read that when the Access and Secret keys are missing from the settings module, boto will automatically get the temporary keys from the meta-data url.

我还读到,当设置模块中缺少Access和Secret键时,boto将自动从元数据URL获取临时密钥。

I however cannot access the css/js files stored on the bucket via the browser. When I add a bucket policy allowing a principal of *, everything works.

但是我无法通过浏览器访问存储在存储桶中的css / js文件。当我添加一个允许*的主体的存储桶策略时,一切正常。

I tried the following policy:

我尝试了以下政策:

{
"Version": "2012-10-17",
"Id": "PolicyNUM",
"Statement": [
    {
        "Sid": "StmtNUM",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::account-id:role/my-role"
        },
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::my-bucket/*"
    }
]

}

But all css/js are still getting 403's. What can I change to make it work?

但是所有的css / js仍然是403。我可以改变什么来使它工作?

2 个解决方案

#1

Requests from your browser don't have the ability to send the required authz headers, which boto is handling for you elsewhere. The bucket policy cannot determine the principal and is correctly denying the request.

您的浏览器的请求无法发送所需的authz标头,boto正在其他地方为您处理。存储桶策略无法确定主体并正确拒绝请求。

Add another sid to Allow principle * access to everything under /public, for instance.

例如,添加另一个sid以允许原则*访问/ public下的所有内容。

#2

The reason is that AWS is setting your files to binary/octet-stream.

原因是AWS正在将您的文件设置为二进制/八位字节流。

check this solution to handle it.

检查此解决方案来处理它。

#1