I'm using Django with the django-storages library to upload my model's files to S3 and need to add a policy to block direct downloading from the bucket's URLs.
I have achieved that by setting the policy below (check the Referer) but this resulted in a problem when I make use of the library's auto-rename function. My current policy:
{
"Version": "2012-10-17",
"Id": "Policy1542209806458",
"Statement": [
{
"Sid": "Block access globally except by the indicated referers.",
"Effect": "Deny",
"Principal": "*",
"Action": [
"s3:GetObject"
],
"Resource": "arn:aws:s3:::my-bucket/subfolder/*",
"Condition": {
"StringNotLike": {
"aws:Referer": [
"http://ref.localhost:8000/*",
"http://localhost:8000/*"
]
}
}
}
]
}
By debugging I found out that when the library tries to execute a HEAD request to get the existent file information (which will indicate the need for renaming) the response is a HTTP 403 error. I have tried including the Actions below (from other sources and the documentation) to have a more permissive access but the same problem persists.
"Action": [
"s3:GetObject",
"s3:GetObjectVersion",
"s3:GetObjectAcl",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:DeleteObject",
"s3:DeleteObjectVersion"
]
I have no such problem when adding new files with unique names, only when renaming is necessary.