Can't set S3 policy for HEAD operations (403 - Forbidden)

300 views

I'm using Django with the django-storages library to upload my model's files to S3 and need to add a policy to block direct downloading from the bucket's URLs.

I have achieved that by setting the policy below (check the Referer) but this resulted in a problem when I make use of the library's auto-rename function. My current policy:

{
    "Version": "2012-10-17",
    "Id": "Policy1542209806458",
    "Statement": [
        {
            "Sid": "Block access globally except by the indicated referers.",
            "Effect": "Deny",
            "Principal": "*",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::my-bucket/subfolder/*",
            "Condition": {
                "StringNotLike": {
                    "aws:Referer": [
                        "http://ref.localhost:8000/*",
                        "http://localhost:8000/*"
                    ]
                }
            }
        }
    ]
}

By debugging I found out that when the library tries to execute a HEAD request to get the existing file's information (which will indicate the need for renaming), the response is an HTTP 403 error. I have tried including the Actions below (from other sources and the documentation) to allow more permissive access, but the same problem persists.

"Action": [
    "s3:GetObject",
    "s3:GetObjectVersion",
    "s3:GetObjectAcl",
    "s3:PutObject",
    "s3:PutObjectAcl",
    "s3:DeleteObject",
    "s3:DeleteObjectVersion"
]

I have no such problem when adding new files with unique names, only when renaming is necessary.


There are 0 answers
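The following is an added example, not part of the question or of django-storages. It is a small model of how IAM evaluates the Deny statement above, written to make three facts visible: S3 authorises HEAD Object with the `s3:GetObject` permission (there is no separate HeadObject action), a negated operator such as `StringNotLike` evaluates to true when the key is absent from the request context, and a Referer header is set by the client and can be forged. Because the SDK call made by django-storages sends no Referer, the Deny matches it; widening the `Action` list of a Deny can only deny more, never less. The second statement in the block shows one way to carve the application's own identity out of the Deny with an `ArnNotLike` condition on `aws:PrincipalArn` (condition keys inside one `Condition` block are ANDed). The account id and the IAM user name are hypothetical placeholders; the bucket and prefix are taken from the question. This is a toy evaluator, not the real policy engine.

```python
"""Toy evaluator for the bucket-policy Deny statement in the question.

Models only what matters here: Deny, a wildcard Resource, StringNotLike /
ArnNotLike conditions and missing-key semantics.  Not the real IAM engine.
"""
import re

# Bucket and prefix come from the question; account id and user name are
# hypothetical placeholders for the identity django-storages signs with.
BUCKET = "my-bucket"
APP_PRINCIPAL = "arn:aws:iam::123456789012:user/django-app"   # hypothetical
REFERERS = ["http://ref.localhost:8000/*", "http://localhost:8000/*"]

ORIGINAL_STATEMENT = {
    "Effect": "Deny",
    "Principal": "*",
    "Action": ["s3:GetObject"],
    "Resource": f"arn:aws:s3:::{BUCKET}/subfolder/*",
    "Condition": {"StringNotLike": {"aws:Referer": REFERERS}},
}

# Same Deny with the application's principal carved out.  Keys in one
# Condition block are ANDed: the Deny now applies only when the Referer does
# NOT match AND the caller is NOT the app principal (anonymous callers have
# no aws:PrincipalArn, so they are still denied).
CARVED_OUT_STATEMENT = {
    **ORIGINAL_STATEMENT,
    "Condition": {
        "StringNotLike": {"aws:Referer": REFERERS},
        "ArnNotLike": {"aws:PrincipalArn": [APP_PRINCIPAL]},
    },
}

# Permission each S3 API call is authorised by.  HEAD Object needs
# s3:GetObject; there is no "s3:HeadObject" action to allow separately.
API_TO_ACTION = {
    "HeadObject": "s3:GetObject",
    "GetObject": "s3:GetObject",
    "PutObject": "s3:PutObject",
}


def iam_glob(pattern, value):
    """IAM wildcard match: '*' is any run of characters, '?' one character,
    comparison is case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def condition_holds(operator, patterns, value):
    """Evaluate one condition key.  A negated operator (...Not...) is true when
    the key is missing from the request context; that is why a Deny keyed on
    StringNotLike aws:Referer also hits requests that send no Referer."""
    negated = "Not" in operator
    if value is None:
        return negated
    matched = any(iam_glob(p, value) for p in patterns)
    return not matched if negated else matched


def statement_denies(stmt, request):
    """True if this Deny statement applies to the given request context."""
    if API_TO_ACTION[request["api"]] not in stmt["Action"]:
        return False
    if not iam_glob(stmt["Resource"], request["resource"]):
        return False
    for operator, keys in stmt["Condition"].items():
        for key, patterns in keys.items():
            if not condition_holds(operator, patterns, request.get(key)):
                return False            # one false key and the statement is skipped
    return stmt["Effect"] == "Deny"


# Constructed request contexts for one object under the protected prefix.
OBJ = f"arn:aws:s3:::{BUCKET}/subfolder/report.pdf"
REQUESTS = {
    # django-storages existence check: HEAD via boto3, signed as the app, no Referer
    "storages_head": {"api": "HeadObject", "resource": OBJ,
                      "aws:PrincipalArn": APP_PRINCIPAL},
    # <img>/<a> on the Django site: browser sends a matching Referer
    "browser_get": {"api": "GetObject", "resource": OBJ,
                    "aws:Referer": "http://localhost:8000/media/"},
    # URL pasted into a new tab: anonymous, no Referer
    "direct_get": {"api": "GetObject", "resource": OBJ},
    # curl -H 'Referer: http://localhost:8000/x': the header is client-controlled
    "forged_get": {"api": "GetObject", "resource": OBJ,
                   "aws:Referer": "http://localhost:8000/x"},
}


def evaluate(stmt):
    """Map each constructed request to 'DENY' or 'not denied' under stmt."""
    return {name: "DENY" if statement_denies(stmt, req) else "not denied"
            for name, req in REQUESTS.items()}


if __name__ == "__main__":
    for label, stmt in (("original", ORIGINAL_STATEMENT),
                        ("carved out", CARVED_OUT_STATEMENT)):
        print(label)
        for name, verdict in evaluate(stmt).items():
            print(f"  {name:14s} {verdict}")
```

Under the original statement the SDK's HEAD is denied while the forged-Referer download is not, which is the practical point: a Referer condition keeps casual hot-linking off a bucket but is not an access control, and it blocks your own unsigned-Referer SDK traffic first. Exempting the application's principal restores the rename check; anything that must actually be private needs a private object served through signed URLs or the application.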