python django aws-lambda zappa aws-permissions

(DJANGO + S3) + ZAPPA An error occurred (400) when calling the HeadObject operation: Bad Request


I have a project with Django and S3 (ACL enabled: private, public); the deployment is done with Zappa. When I try to upload a file to a specific S3 bucket through the Django admin, I get the following error:

error:

ClientError at /admin/main/document/1/change/
An error occurred (400) when calling the HeadObject operation: Bad Request
Request Method: POST
Request URL:    https://xxxxx.execute-api.us-east-1.amazonaws.com/prd/admin/main/document/1/change/
Django Version: 3.2.3
Exception Type: ClientError
Exception Value:    
An error occurred (400) when calling the HeadObject operation: Bad Request
Exception Location: /var/runtime/botocore/client.py, line 719, in _make_api_call
Python Executable:  /var/lang/bin/python3.8
Python Version: 3.8.13
Python Path:    
['/var/task',
 '/opt/python/lib/python3.8/site-packages',
 '/opt/python',
 '/var/runtime',
 '/var/lang/lib/python38.zip',
 '/var/lang/lib/python3.8',
 '/var/lang/lib/python3.8/lib-dynload',
 '/var/lang/lib/python3.8/site-packages',
 '/opt/python/lib/python3.8/site-packages',
 '/var/task',
 '/var/task/odf',
 '/var/task/odf',
 '/var/task/odf',
 '/var/task/odf',
 '/var/task/odf',
 '/var/task/odf',
 '/var/task/odf']
Server time:    Wed, 17 Aug 2022 05:20:25 +0000

/var/task/storages/backends/s3boto3.py, line 469, in exists
            self.connection.meta.client.head_object(Bucket=self.bucket_name, Key=name) 

zappa_settings.json

{
    "prd": {
        "aws_region": "us-east-1",
        "django_settings": "xxx.settings",
        "profile_name": "default",
        "project_name": "xxxx",
        "runtime": "python3.8",
        "s3_bucket": "zappa-xxx-prd",
        "environment_variables": {
            "AWS_DEFAULT_REGION": "us-east-1",
            "AWS_S3_ACCESS_KEY_ID": "xxxxxxx",
            "AWS_S3_SECRET_ACCESS_KEY": "xxxxxx",
            "AWS_ACCESS_KEY_ID": "xxxxx",
            "AWS_SECRET_ACCESS_KEY": "xxxxxx"
        }
    }
}

user -> aws configure had the following general policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "lambda:*",
                "s3:*",
                "events:*",
                "iam:CreateServiceSpecificCredential",
                "iam:GetRole",
                "iam:CreateRole",
                "iam:PutRolePolicy",
                "iam:PassRole",
                "iam:CreateServiceLinkedRole",
                "apigateway:PUT",
                "apigateway:DELETE",
                "apigateway:PATCH",
                "apigateway:POST",
                "apigateway:GET",
                "logs:DescribeLogStreams",
                "logs:FilterLogEvents",
                "cloudformation:DescribeStackResource",
                "cloudformation:DescribeStacks",
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:UpdateStack",
                "cloudformation:ListStackResources"
            ],
            "Resource": "*"
        }
    ]
}

Zappa lambda execution role default:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:*"
            ],
            "Resource": "arn:aws:logs:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "xray:PutTraceSegments",
                "xray:PutTelemetryRecords"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AttachNetworkInterface",
                "ec2:CreateNetworkInterface",
                "ec2:DeleteNetworkInterface",
                "ec2:DescribeInstances",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DetachNetworkInterface",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:ResetNetworkInterfaceAttribute"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kinesis:*"
            ],
            "Resource": "arn:aws:kinesis:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sns:*"
            ],
            "Resource": "arn:aws:sns:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sqs:*"
            ],
            "Resource": "arn:aws:sqs:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:*"
            ],
            "Resource": "arn:aws:dynamodb:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "route53:*"
            ],
            "Resource": "*"
        }
    ]
}

Bucket static acl policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowPublicRead",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::xxxx-prd-statics/*"
        }
    ]
}

requirements.txt

boto3==1.18.5
botocore==1.21.5
certifi==2021.5.30
click==8.0.1
decorator==5.0.9
Django==3.2.3
django-cors-headers==3.7.0
django-extensions==3.1.3
django-filter==2.4.0
django-import-export==2.5.0
djangorestframework==3.12.4
pip-tools==6.2.0
graphene==2.1.9
graphene-file-upload==1.3.0
psycopg2==2.8.6
psycopg2-binary==2.8.6
python-dateutil==2.8.2
PyYAML==5.4.1
requests==2.26.0
Pillow==9.0.1
zappa==0.55.0
PyJWT==v1.7.1
text-unidecode==1.3
django-graphql-jwt==0.3.0
django-graphql-auth==0.3.14
django-admin-interface==0.18.7
django-storages==1.12.3
django-mptt==0.13.4
awscli==1.20.5

Please, if someone knows how to solve it, I thank you. I do not have much knowledge of AWS permissions.


Solution

  • My solution was to remove the following properties from zappa_settings.json and settings.py

     "AWS_S3_ACCESS_KEY_ID": "xxxxxxx",
     "AWS_S3_SECRET_ACCESS_KEY": "xxxxxx",
     "AWS_ACCESS_KEY_ID": "xxxxx",
     "AWS_SECRET_ACCESS_KEY": "xxxxxx"
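
With those keys removed, boto3 falls back to the temporary credentials of the Lambda execution role instead of long-lived keys stored in the settings file. As an added example (not part of the original answer), a small check that flags and strips such variables from a Zappa settings document; the function names and the sample are constructed here, and settings.py still has to be cleaned by hand:

```python
import copy
import json

# Variable names boto3 (AWS_*) and django-storages (AWS_S3_*) read keys from.
CREDENTIAL_VARS = {
    "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN",
    "AWS_S3_ACCESS_KEY_ID", "AWS_S3_SECRET_ACCESS_KEY",
}
# Zappa settings sections that end up in the function's environment.
ENV_SECTIONS = ("environment_variables", "aws_environment_variables")


def find_static_credentials(settings):
    """Return sorted (stage, section, name) for each credential variable set."""
    findings = []
    for stage, cfg in settings.items():
        if not isinstance(cfg, dict):
            continue
        for section in ENV_SECTIONS:
            env = cfg.get(section) or {}
            findings += [(stage, section, n) for n in env if n in CREDENTIAL_VARS]
    return sorted(findings)


def strip_static_credentials(settings):
    """Return a copy with those variables removed, as the answer did by hand."""
    cleaned = copy.deepcopy(settings)
    for stage, section, name in find_static_credentials(settings):
        del cleaned[stage][section][name]
    return cleaned


# Constructed sample mirroring the question's zappa_settings.json.
SAMPLE = json.loads("""
{"prd": {
    "environment_variables": {
        "AWS_DEFAULT_REGION": "us-east-1",
        "AWS_S3_ACCESS_KEY_ID": "xxxxxxx",
        "AWS_S3_SECRET_ACCESS_KEY": "xxxxxx",
        "AWS_ACCESS_KEY_ID": "xxxxx",
        "AWS_SECRET_ACCESS_KEY": "xxxxxx"
    }
}}
""")

if __name__ == "__main__":
    for stage, section, name in find_static_credentials(SAMPLE):
        print(f"{stage}.{section}.{name}: static key, remove it")
    print(json.dumps(strip_static_credentials(SAMPLE), indent=2))
```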