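python - botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
Problem description
I am using django-dbbackup to back up my PostgreSQL database to my S3 bucket. It connects to my S3 bucket with the following settings:
draft1.settings.py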
DBBACKUP_STORAGE = 'draft1.aws.utils.BackupRootS3BotoStorage'
DBBACKUP_S3_BUCKET = AWS_STORAGE_BUCKET_NAME
DBBACKUP_S3_ACCESS_KEY = AWS_ACCESS_KEY_ID
DBBACKUP_S3_SECRET_KEY = AWS_SECRET_ACCESS_KEY
draft1.aws.utils
from storages.backends.s3boto3 import S3Boto3Storage
BackupRootS3BotoStorage = lambda: S3Boto3Storage(location='backup')
Bucket policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow All",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::****-bucket/*"
        },
        {
            "Sid": "Deny All Actions On All But Media and Static Unless Defined User",
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": "arn:aws:iam::********:root"
            },
            "Action": "s3:*",
            "NotResource": [
                "arn:aws:s3:::****-bucket/media/*",
                "arn:aws:s3:::****-bucket/static/*",
                "arn:aws:s3:::****-bucket/media_thumbnail/*"
            ]
        }
    ]
}
As you can see, I am trying to back it up to the backup folder.
Full error:
Traceback (most recent call last):
File "manage.py", line 22, in <module>
execute_from_command_line(sys.argv)
File "/home/zorgan/postr/env/lib/python3.5/site-packages/django/core/management/__init__.py", line 364, in execute_from_command_line
utility.execute()
File "/home/zorgan/postr/env/lib/python3.5/site-packages/django/core/management/__init__.py", line 356, in execute
self.fetch_command(subcommand).run_from_argv(self.argv)
File "/home/zorgan/postr/env/lib/python3.5/site-packages/django/core/management/base.py", line 283, in run_from_argv
self.execute(*args, **cmd_options)
File "/home/zorgan/postr/env/lib/python3.5/site-packages/django/core/management/base.py", line 330, in execute
output = self.handle(*args, **options)
File "/home/zorgan/postr/env/lib/python3.5/site-packages/dbbackup/utils.py", line 116, in wrapper
func(*args, **kwargs)
File "/home/zorgan/postr/env/lib/python3.5/site-packages/dbbackup/management/commands/dbbackup.py", line 61, in handle
self._save_new_backup(database)
File "/home/zorgan/postr/env/lib/python3.5/site-packages/dbbackup/management/commands/dbbackup.py", line 88, in _save_new_backup
self.write_to_storage(outputfile, filename)
File "/home/zorgan/postr/env/lib/python3.5/site-packages/dbbackup/management/commands/_base.py", line 88, in write_to_storage
self.storage.write_file(file, path)
File "/home/zorgan/postr/env/lib/python3.5/site-packages/dbbackup/storage.py", line 82, in write_file
self.storage.save(name=filename, content=filehandle)
File "/home/zorgan/postr/env/lib/python3.5/site-packages/django/core/files/storage.py", line 54, in save
return self._save(name, content)
File "/home/zorgan/postr/env/lib/python3.5/site-packages/storages/backends/s3boto3.py", line 452, in _save
self._save_content(obj, content, parameters=parameters)
File "/home/zorgan/postr/env/lib/python3.5/site-packages/storages/backends/s3boto3.py", line 467, in _save_content
obj.upload_fileobj(content, ExtraArgs=put_parameters)
File "/home/zorgan/postr/env/lib/python3.5/site-packages/boto3/s3/inject.py", line 513, in object_upload_fileobj
ExtraArgs=ExtraArgs, Callback=Callback, Config=Config)
File "/home/zorgan/postr/env/lib/python3.5/site-packages/boto3/s3/inject.py", line 431, in upload_fileobj
return future.result()
File "/home/zorgan/postr/env/lib/python3.5/site-packages/s3transfer/futures.py", line 73, in result
return self._coordinator.result()
File "/home/zorgan/postr/env/lib/python3.5/site-packages/s3transfer/futures.py", line 233, in result
raise self._exception
File "/home/zorgan/postr/env/lib/python3.5/site-packages/s3transfer/tasks.py", line 126, in __call__
return self._execute_main(kwargs)
File "/home/zorgan/postr/env/lib/python3.5/site-packages/s3transfer/tasks.py", line 150, in _execute_main
return_value = self._main(**kwargs)
File "/home/zorgan/postr/env/lib/python3.5/site-packages/s3transfer/upload.py", line 692, in _main
client.put_object(Bucket=bucket, Key=key, Body=body, **extra_args)
File "/home/zorgan/postr/env/lib/python3.5/site-packages/botocore/client.py", line 324, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/home/zorgan/postr/env/lib/python3.5/site-packages/botocore/client.py", line 622, in _make_api_call
raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
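Any idea what the problem is?
Solution
I resolved this by adding the s3:PutObjectAcl permission to the IAM policy.
The latest versions of boto3 & django-storages (used by django-dbbackup) set the default ACL for each object during each PutObject operation.
Hence you need permissions to put objects and to update the ACLs.
Here it is, based on the example policy in the question: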
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow All",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::****-bucket/*"
        }
    ]
}
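A static check of the two points in the answer above, as an added example that is not part of the original question or answer: it derives which S3 permissions an upload needs once an ACL argument is sent, and lists the write actions a bucket policy grants to the wildcard principal with no Condition. The function names, the EXAMPLE-bucket placeholder and the "public-read" ACL value are assumptions for illustration.

```python
import json
from fnmatch import fnmatchcase

# Constructed input: the answer's policy with a placeholder bucket name.
POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Sid": "Allow All", "Effect": "Allow", "Principal": "*",
  "Action": ["s3:GetObject", "s3:PutObject", "s3:PutObjectAcl"],
  "Resource": "arn:aws:s3:::EXAMPLE-bucket/*"}]}""")
WRITE_ACTIONS = ("s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject")


def as_list(value):
    return value if isinstance(value, list) else [value]


def is_anonymous(principal):
    """True for "Principal": "*" and for {"AWS": "*"} (alone or in a list)."""
    if isinstance(principal, dict):
        return "*" in as_list(principal.get("AWS", []))
    return principal == "*"


def grants(statement, action):
    """Action names are case-insensitive and may contain * wildcards."""
    patterns = [p.lower() for p in as_list(statement.get("Action", []))]
    return any(fnmatchcase(action.lower(), p) for p in patterns)


def required_actions(extra_args):
    """Permissions one upload needs; an ACL argument adds s3:PutObjectAcl."""
    return ["s3:PutObject"] + (["s3:PutObjectAcl"] if extra_args.get("ACL") else [])


def anonymous_write_findings(policy):
    """(Sid, action) pairs any caller may use, with no Condition attached."""
    findings = []
    for st in as_list(policy.get("Statement", [])):
        open_allow = st.get("Effect") == "Allow" and "Condition" not in st
        if open_allow and is_anonymous(st.get("Principal")):
            findings += [(st.get("Sid", ""), a) for a in WRITE_ACTIONS if grants(st, a)]
    return findings


if __name__ == "__main__":
    print(required_actions({"ACL": "public-read"}))
    print(anonymous_write_findings(POLICY))
```

In django-storages the ACL sent with each upload comes from the AWS_DEFAULT_ACL setting; with AWS_DEFAULT_ACL = None no ACL is sent, so the upload needs only s3:PutObject.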