Getting Access Denied on S3 storage

Priority: High
Request: Getting Access Denied when accessing media images stored on S3 - Production. See image: https://undercard-18898.s3.amazonaws.com/media/user_photo/userProfile_musk0rL.jpg. Issue seems to happen in Staging too.
Project ID: undercard-18898
Project Link:
Staging Link:
Additional Info:
cc @mayankkushal @shabeeb

Hi @jorge.m, thanks for reporting this.

Please make sure you are specifying correct object permissions when you upload them. Everyone should have Read access.

@dmitrii.k it was working till a few days back; this issue came up recently.

I see you have defined a custom storage backend based on BotoS3 and removed pre-signed URLs. I suggest you look into AWS_DEFAULT_ACL and put_object.

Your bucket is configured to be private by default, which will be the default ACL Boto3 inherits, unless you provide an alternative configuration (which you can set through environment variables also).

You’ve also recently updated your Pipfile.lock, which consequently updated Boto3 for you, and might have included this PR - [s3] Restore AWS_DEFAULT_ACL handling #934, which in turn brought back AWS_DEFAULT_ACL, which was removed back in 2018.

Looking at permissions set on the objects in your bucket, timestamps of objects with public-read not being set seem to align with this PR and Pipfile.lock update.

Try setting AWS_DEFAULT_ACL env var through your CB Dashboard to public-read and see if that rectifies the issue.

@mayankkushal @dmitrii.k I’ve added the variable AWS_DEFAULT_ACL with value public-read. However, I am still getting the issue :frowning:

I’ll check this @jorge.m. @dmitrii.k can I please get the keys for S3 so I can test this locally?

@dmitrii.k just a follow up here. This is an issue in Production and we have some pressure from the client to fix it

@jorge.m, this setting will affect only the files you upload after you’ve set it, files that you’ve uploaded before this setting was set will remain with restricted access. I will set this variable on staging for you, too.

@mayankkushal, please refer to the documentation for Boto3 (links posted above), to make use of the AWS_DEFAULT_ACL env var, or update your code to specifically pass the permissions you want to set on files.

I’ll DM you temporary keys for your staging bucket.

@dmitrii.k I have tested with new files after setting the var. Same result…

@jorge.m, could you please share the link to the file? Looking at your bucket I see latest files uploaded over 24 hours ago.

@mayankkushal might need to modify his Boto3 configuration in order for your backend to start setting correct permissions on files.
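
As an added example (not part of the thread and not the project's code), the check discussed above, comparing which objects carry a public-read grant against their upload timestamps, can be sketched offline. The ACL dictionaries follow the shape of a Boto3 `get_object_acl` response; the keys, dates and owner ID are constructed sample data, and `is_public_read` and `acl_report` are hypothetical helper names.

```python
from datetime import datetime, timezone

# Group URI S3 uses for "Everyone" (anonymous) grants.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"

def is_public_read(acl):
    """True if the ACL lets the AllUsers group read the object."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") == ALL_USERS
                and grant.get("Permission") in ("READ", "FULL_CONTROL")):
            return True
    return False

def acl_report(objects):
    """Split objects by ACL and show when public-read stopped being applied."""
    public = [o for o in objects if is_public_read(o["Acl"])]
    private = [o for o in objects if not is_public_read(o["Acl"])]
    return {
        "private_keys": sorted(o["Key"] for o in private),
        "last_public": max((o["LastModified"] for o in public), default=None),
        "first_private": min((o["LastModified"] for o in private), default=None),
    }

def _acl(public):
    # Constructed ACL: owner grant, plus the AllUsers READ grant if public.
    grants = [{"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"},
               "Permission": "FULL_CONTROL"}]
    if public:
        grants.append({"Grantee": {"Type": "Group", "URI": ALL_USERS},
                       "Permission": "READ"})
    return {"Grants": grants}

def _obj(key, day, public):
    # Constructed object record; the 2021 dates are sample values only.
    return {"Key": key, "Acl": _acl(public),
            "LastModified": datetime(2021, 1, day, tzinfo=timezone.utc)}

# Constructed sample: uploads before and after a dependency update.
SAMPLE = [
    _obj("media/user_photo/example_a.jpg", 4, True),
    _obj("media/user_photo/example_b.jpg", 10, True),
    _obj("media/user_photo/example_c.jpg", 12, False),
    _obj("media/user_photo/example_d.jpg", 15, False),
]

if __name__ == "__main__":
    print(acl_report(SAMPLE))
```

A gap between `last_public` and `first_private` brackets the point at which uploads stopped receiving the public-read grant; objects listed in `private_keys` keep their restricted ACL until it is changed on each object.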