AWS S3 Bucket Django 3.0 User Profile Image Upload Access ERROR

Question

INTRO

• I am following this guide as recommended, here is the guide's GitHub repo.
• I have created an AmazonS3FullAccess to it as well
• I am using the guide's 3rd example "Mixing public assets and private assets" with static, media public, media, private version.
• If the user log in (local development environment) he Upload Files from the website but he can NOT access them from the website only from the AWS S3 management website.
• Currently I am blocking all public access as it is in the guide (AWS S3 management panel settings)
• I have added these lines to my CORS configuration editor from this other guide

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
    <AllowedOrigin>*</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedMethod>POST</AllowedMethod>
    <AllowedMethod>PUT</AllowedMethod>
    <AllowedHeader>*</AllowedHeader>
</CORSRule>
</CORSConfiguration>

• Switched on a central EU server that is more local to me. NOT worked I got the same error.

storage_backends.py

from django.conf import settings
from storages.backends.s3boto3 import S3Boto3Storage

class StaticStorage(S3Boto3Storage):
    location = settings.AWS_STATIC_LOCATION

class PublicMediaStorage(S3Boto3Storage):
    location = settings.AWS_PUBLIC_MEDIA_LOCATION
    file_overwrite = False

class PrivateMediaStorage(S3Boto3Storage):
    location = settings.AWS_PRIVATE_MEDIA_LOCATION
    default_acl = 'private'
    file_overwrite = False
    custom_domain = False

settings.py

STATICFILES_DIRS = [os.path.join(BASE_DIR, 'MYPROJECTS_MAIN_APP/static'),]

AWS_ACCESS_KEY_ID = 'DSHUGASGHLASF678FSHAFH'
AWS_SECRET_ACCESS_KEY = 'uhsdgahsfgskajgjkafgjkdfjkgkjdfgfg'
AWS_STORAGE_BUCKET_NAME = 'MYSTORAGE289377923'
AWS_S3_CUSTOM_DOMAIN = '%s.s3.amazonaws.com' % AWS_STORAGE_BUCKET_NAME

AWS_S3_OBJECT_PARAMETERS = {
    'CacheControl': 'max-age=86400',
}

AWS_STATIC_LOCATION = 'static'
STATICFILES_STORAGE = 'mysite.storage_backends.StaticStorage'
STATIC_URL = "https://%s/%s/" % (AWS_S3_CUSTOM_DOMAIN, AWS_STATIC_LOCATION)

AWS_PUBLIC_MEDIA_LOCATION = 'media/public'
DEFAULT_FILE_STORAGE = 'mysite.storage_backends.PublicMediaStorage'

AWS_PRIVATE_MEDIA_LOCATION = 'media/private'
PRIVATE_FILE_STORAGE = 'mysite.storage_backends.PrivateMediaStorage'

AWS_S3_HOST = "s3.eu-central-1.amazonaws.com"
S3_USE_SIGV4 = True
AWS_S3_REGION_NAME = "eu-central-1"

models.py

from django.db import models
from django.conf import settings
from django.contrib.auth.models import User

from mysite.storage_backends import PrivateMediaStorage


class Document(models.Model):
    uploaded_at = models.DateTimeField(auto_now_add=True)
    upload = models.FileField()


class PrivateDocument(models.Model):
    uploaded_at = models.DateTimeField(auto_now_add=True)
    upload = models.FileField(storage=PrivateMediaStorage())
    user = models.ForeignKey(User, related_name='documents')

views.py

from django.contrib.auth.decorators import login_required
from django.views.generic.edit import CreateView
from django.urls import reverse_lazy
from django.utils.decorators import method_decorator

from .models import Document, PrivateDocument


class DocumentCreateView(CreateView):
    model = Document
    fields = ['upload', ]
    success_url = reverse_lazy('home')

    def get_context_data(self, **kwargs):
        context = super().get_context_data(**kwargs)
        documents = Document.objects.all()
        context['documents'] = documents
        return context


@method_decorator(login_required, name='dispatch')
class PrivateDocumentCreateView(CreateView):
    model = PrivateDocument
    fields = ['upload', ]
    success_url = reverse_lazy('profile')

    def form_valid(self, form):
        self.object = form.save(commit=False)
        self.object.user = self.request.user
        self.object.save()
        return super().form_valid(form)

ERROR

This XML file does not appear to have any style information associated with it. The document tree is shown below.
<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>56fg67dfg56df7g67df</RequestId>
<HostId>
hsiugYIGYfhuieHF7weg68g678dsgds78g67dsg86sdg68ds7g68ds7yfsd8f8hd7
</HostId>
</Error>

Things That I have Tried So Far

• There was an in between period where it have created the AWS link and also added the file to a local "media" folder. But since I have deleted the"Media folder" and it only creates URL links, and actually uploads them to the S3 bucket
• I have found the same question on aws forum but it has not been answered
• Access rights Django + AWS S3 Bucket: Authenticated Access to S3 Bucket (I don't understand this answer https://stackoverflow.com/a/21614550/10270590 )
• "use AWS4-HMAC-SHA256"
  • Specifying region of the S3 host to the correct usage https://github.com/aws/aws-sdk-js/issues/829
  • site to look up your region - https://docs.aws.amazon.com/general/latest/gr/rande.html
  • I have also received this as a recommendation "Most new regions only support AWS4-HMAC-SHA256 - if your code doesn't support this authentication scheme and only created "v2 signatures" create your bucket in one of the old regions, e.g. in Europe it seems to be only Ireland - check it out here: https://docs.aws.amazon.com/general/latest/gr/signature-version-2.html"
  • I am in the European Union with my testing machine - and I set up a USA base S3 bucket - how can I configure the Django app OR the AWS S3 Bucket so it will allow it to be accessed from anywhere (it would be especially important that the app is deployed that from around the world people can access it). A guy from the same video's comment section commented the the following Steve D Great video series, just to say I am using an S3 bucket in Europe and needed to add additional settings AWS_S3_HOST = "s3.eu-west-2.amazonaws.com" and AWS_S3_REGION_NAME="eu-west-2" to make it work
• This was the exact code I have added to the settings based on and in addition to the original Guide's code. When I switch images it works but when I leave profile settings and go back the image disappears and gives the original error):

AWS_S3_HOST = "s3.eu-central-1.amazonaws.com"
S3_USE_SIGV4 = True
AWS_S3_REGION_NAME = "eu-central-1"

• TRURNING OFF all Access restriction (Temporarily) and adding Bucket policies to AWS S3 Management consol
  • 1 CODE: { "Version":"2012-10-17", "Statement":[{ "Sid":"PublicReadGetObject", "Effect":"Allow", "Principal": "", "Action":["s3:GetObject"], "Resource":["arn:aws:s3:::myprojectname_that_jsut_abow_this_field/*" ] } ] } --> ERORR
  • 2 CODE: { "Version":"2012-10-17", "Statement":[{ "Sid":"PublicReadGetObject", "Effect":"Allow", "Principal": "", "Action":["s3:GetObject"], "Resource":["arn:aws:s3:::myprojectname_that_jsut_abow_this_field/" ] } ] }/* --> ERORR
  • 3 CODE: I have changed to this { "Version":"2012-10-17", "Statement":[{ "Sid":"PublicReadGetObject", "Effect":"Allow", "Principal": "*", "Action":["s3:GetObject"], "Resource":"arn:aws:s3:::myprojectname_that_jsut_abow_this_field/*" } ] } and got the following error: Error Access denied
  • 4 CODE: { "Version":"2012-10-17", "Statement":[{ "Sid":"PublicReadGetObject", "Effect":"Allow", "Principal": "", "Action":["s3:GetObject"], "Resource":"arn:aws:s3:::myprojectname_that_jsut_abow_this_field/*" } ] } ERROR: Error Missing required field Principal cannot be empty!

Answer 1

Not sure if you are still trying the issue.

You can try adding a parameter: AWS_DEFAULT_ACL = 'public-read' in your setting.py

Delete all the previously uploaded files in your bucket.

Re-upload media and static files.

See if it works.

Answer 2

In the AWS console, click the "Permissions" tab, then on the

1. allow public access to your bucket -> Save -> Confirm it
2. "Bucket policy" button. An editing box will appear. Replace the "arn:aws:s3:::" in the editing box with the part starting with "arn:" shown above your editing box, but be careful to preserve the "/*" at the end of it. Use the following code bellow. Paste in the following:

 {
  "Version":"2012-10-17",
  "Statement":[{
    "Sid":"PublicReadGetObject",
        "Effect":"Allow",
      "Principal": "*",
      "Action":["s3:GetObject"],
      "Resource":["arn:aws:s3:::your-buckt-arn/*"
      ]
    }
  ]
}