Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


0 votes
354 views
in Technique by (71.8m points)

AWS Elastic Beanstalk Python Django S3 Access Denied cannot upload / read file

I have deployed a Python Django server on AWS Elastic Beanstalk. This is what my settings.py file looks like:

# aws settings
AWS_ACCESS_KEY_ID = os.getenv('AWS_ACCESS_KEY_ID')
AWS_SECRET_ACCESS_KEY = os.getenv('AWS_SECRET_ACCESS_KEY')
AWS_STORAGE_BUCKET_NAME = os.getenv('AWS_STORAGE_BUCKET_NAME')
AWS_DEFAULT_ACL = None
AWS_S3_CUSTOM_DOMAIN = f'{AWS_STORAGE_BUCKET_NAME}.s3.amazonaws.com'
AWS_S3_OBJECT_PARAMETERS = {'CacheControl': 'max-age=86400'}
# s3 static settings
STATIC_URL = '/staticfiles/'
STATIC_ROOT = os.path.join(BASE_DIR, 'staticfiles')
# s3 public media settings
PUBLIC_MEDIA_LOCATION = 'media'
MEDIA_URL = f'https://{AWS_S3_CUSTOM_DOMAIN}/{PUBLIC_MEDIA_LOCATION}/'
DEFAULT_FILE_STORAGE = 'hello_django.storage_backends.PublicMediaStorage'
# s3 private media settings
PRIVATE_MEDIA_LOCATION = 'private'
PRIVATE_FILE_STORAGE = 'hello_django.storage_backends.PrivateMediaStorage'

In AWS I created an IAM user with the AmazonS3FullAccess permission, and I use its AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in settings.

The problem is that when I try to read a media file from the file link, I always get an "Access denied" error, even if I specify PublicMediaStorage and give all public access on the S3 bucket.


Also, when I upload a file, the folder (e.g. 'media') in the bucket does not get created.

Do you have any idea what the problem could be?

question from: https://stackoverflow.com/questions/66053133/aws-elastic-beanstalk-python-django-s3-access-denied-cannot-upload-read-file


1 Answer

0 votes
by (71.8m points)

How about assigning an IAM role to Elastic Beanstalk's IAM instance profile? Using IAM roles is more secure than committing your AWS_KEYS in your code.

See -

Content of the first link-

Validate permissions for your instance profile

  1. Open the Elastic Beanstalk console.
  2. Select your environment.
  3. From the navigation menu, choose Configuration.
  4. In the Configuration overview section, from the Category column, for Security, choose Modify.
  5. From the IAM instance profile menu, note the name of your instance profile.
  6. Open the IAM console.
  7. In the navigation pane, choose Roles.
  8. In the search box, enter the name of your instance profile from step 5.
  9. Verify that the role from step 8 has the required Amazon S3 permissions for the bucket that you want to access.

Validate permissions for your S3 bucket

  1. Open the Amazon S3 console.
  2. From the list of buckets, choose the bucket with the bucket policy that you want to change.
  3. Choose the Permissions tab.
  4. Choose Bucket Policy.
  5. Search for "Effect": "Deny" statements.
  6. In your bucket policy, edit or remove any "Effect": "Deny" statements that are denying the IAM instance profile access to your role.
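The bucket-policy check in steps 5 and 6 above can be scripted for a first pass. This is an added example, not part of the original answer or of AWS's tooling; the policy, role ARN and bucket name are constructed placeholders, and as a simplification it only matches `"*"` and an exact role ARN in `Principal`.

```python
import fnmatch
import json

# Constructed sample policy: account ID, role name and bucket name are placeholders.
ROLE = "arn:aws:iam::111122223333:role/example-eb-ec2-role"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowPublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/media/*"},
    {"Sid": "DenyAppRoleWrites", "Effect": "Deny", "Principal": {"AWS": ROLE},
     "Action": ["s3:Put*", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]})

def _as_list(value):
    """Policy fields may hold a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _principal_matches(principal, role_arn):
    """True for "*" or an AWS principal naming the role (no account-level matching)."""
    if principal == "*":
        return True
    arns = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    return any(arn in ("*", role_arn) for arn in arns)

def find_denies(policy_json, role_arn, action, resource_arn):
    """Return (Sid, kind) for each Deny statement that can block the request.

    kind is "unconditional", "conditional" (has a Condition block) or
    "manual-review" (uses NotPrincipal/NotAction/NotResource, not evaluated here).
    """
    hits = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if any(key in stmt for key in ("NotPrincipal", "NotAction", "NotResource")):
            hits.append((sid, "manual-review"))
        elif (_principal_matches(stmt.get("Principal"), role_arn)
              # IAM action names are case-insensitive; resource ARNs are not.
              and any(fnmatch.fnmatchcase(action.lower(), a.lower())
                      for a in _as_list(stmt.get("Action", [])))
              and any(fnmatch.fnmatchcase(resource_arn, r)
                      for r in _as_list(stmt.get("Resource", [])))):
            hits.append((sid, "conditional" if "Condition" in stmt else "unconditional"))
    return hits
```

A real policy document can be fetched with `aws s3api get-bucket-policy --bucket <bucket> --query Policy --output text` and passed in as `policy_json`. An "unconditional" hit for the instance profile's role explains an Access Denied regardless of what the role's own IAM policy allows, because an explicit Deny overrides any Allow.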
