AWS S3 and Django returns "An error occurred (AccessDenied) when calling the PutObject operation"

Question

I am trying to set up media and static files storage in an AWS S3 bucket, in a Django app, and am getting the following error when I try to run python manage.py collectstatic to put the static files into the bucket:

botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the PutObject operation: Access Denied

I am running boto3 and django storages. I have trawled through the other answers on here and tried the ideas in there first. My access key etc is correct as I can connect to SES OK. I have CORS configured in the bucket.

My bucket policy is

{
"Id": "Policyxxx",
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "Stmtxxx",
        "Action": "s3:*",
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::bucketname/*",
            "arn:aws:s3:::bucketname"
        ],
        "Principal": {
            "AWS": [
                "arn:aws:iam::xxxx:user/xxxx"
            ]
        }
    }
]
}

My IAM user has AmazonS3FullAccess as below:

{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": "*"
    }
]
}

I have also tried creating my own policy and attaching that to the IAM user as follows:

{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": [
            "arn:aws:s3:::bucketname",
            "arn:aws:s3:::bucketname/*"
        ]
    }
]
}

None of these work so I am clearly missing something.

Answer 1

I had an issue that it ignored

AWS_S3_ACCESS_KEY_ID = os.environ.get("Someothername1", "")
AWS_S3_SECRET_ACCESS_KEY = os.environ.get("Someothername2", "")

in django settings, but when I set environmental variables AWS_S3_ACCESS_KEY_ID and AWS_S3_SECRET_ACCESS_KEY it started working. Because in _get_access_keys function they only search for environmental variables, ignoring settings.

def _get_access_keys(self):
    """
    Gets the access keys to use when accessing S3. If none is
    provided in the settings then get them from the environment
    variables.
    """
    access_key = self.access_key or lookup_env(self.access_key_names)
    secret_key = self.secret_key or lookup_env(self.secret_key_names)
    return access_key, secret_key

Answer 2

I had the same error. And, unlike you, I was using the right user with proper IAM policies.

In the output of :

python manage.py collectstatic 

before the AccessDenied stack error, I could read this message from django-storage lib :

UserWarning: The default behavior of S3Boto3Storage is insecure and will change in django-storages 2.0. By default files and new buckets are saved with an ACL of 'public-read' (globally publicly readable). Version 2.0 will default to using the bucket's ACL. To opt into the new behavior set AWS_DEFAULT_ACL = None, otherwise to silence this warning explicitly set AWS_DEFAULT_ACL. "The default behavior of S3Boto3Storage is insecure and will change "

This led me to try it.

By setting :

AWS_DEFAULT_ACL = None

Then, the static files were collected in the bucket.