django-storages: Error upload file. Use zappa+ lambda + s3 + django2 + RDS.

When I save locally it saves to S3 fine, but when it is running on Lambda I get the following error.

```
Request Method: POST
https://s5h4s4t98f.execute-api.us-west-2.amazonaws.com/dev/admin/publicidad/publicidad/add/
2.1.1
ClientError
An error occurred (InvalidToken) when calling the PutObject operation: The provided token is malformed or otherwise invalid.
/var/runtime/botocore/client.py in _make_api_call, line 612
/var/lang/bin/python3.6
3.6.1
['/var/task', '/var/runtime/awslambda', '/var/runtime', '/var/lang/lib/python36.zip', '/var/lang/lib/python3.6', '/var/lang/lib/python3.6/lib-dynload', '/var/lang/lib/python3.6/site-packages', '/var/task/setuptools-39.1.0-py3.6.egg', '/var/task']
Lun, 24 Sep 2018 00:27:27 -0500
```

About this issue

  • State: open
  • Created 6 years ago
  • Reactions: 5
  • Comments: 29 (3 by maintainers)

Most upvoted comments

The issue appears to be the new behaviour of django-storages to automatically pull the AWS security token from environment variables.

AWS Lambda provides AWS_SESSION_TOKEN and AWS_SECURITY_TOKEN as environment variables, taken from the execution role for Lambda which may not be the same credentials required by django-storages for S3 access. https://docs.aws.amazon.com/lambda/latest/dg/current-supported-versions.html

I was able to fix the issue by subclassing S3Boto3Storage:

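```python
from storages.backends.s3boto3 import S3Boto3Storage


class SecurityTokenWorkaroundS3Boto3Storage(S3Boto3Storage):
    def _get_security_token(self):
        # Return no token so the session token that Lambda puts in the
        # environment is not sent along with the keys from Django settings.
        return None
```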

I’m facing the same error using Django + Zappa + S3 Storages. I can get this to work only by removing the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY from my settings.py.

Removing AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY solved this problem in my case.

Try downgrading the installed version; it works for me.

```sh
pip install django-storages==1.6.6
```

Hi all. I just re-read through this thread. It seems the main thing is we don’t want to automatically pull the security token because it can be wrong sometimes. However, other users of Lambda rely on pulling the security token.

Does anyone have a link to documentation about why there are competing use-cases? We can add another storage or a setting once I understand the root problem.

I suppose the solution needs to be a django setting e.g. AWS_SECURITY_TOKEN_IGNORE_ENVIRONMENT which, when set to True won’t try and load the security token / session token from environment variables?

While AWS Lambda also populates the environment with AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, django-storages allows these to be overridden in django settings. My setup generally has these loaded from the environment, but with a different variable name (e.g. AWS_APP_ACCESS_KEY_ID). However, it doesn’t feel right setting AWS_SESSION_TOKEN or AWS_SECURITY_TOKEN in django settings as these will change over time, so probably we should provide a django setting which instead allows the behaviour of loading the security token from the environment to be overridden.
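
The credential mix-up diagnosed in this thread, and the opt-out proposed in the last comment, modelled as an added example (not django-storages code, and it makes no AWS calls). The dictionaries, placeholder values, function names and the `ignore_env_token` flag are assumptions for illustration; the flag stands in for the proposed `AWS_SECURITY_TOKEN_IGNORE_ENVIRONMENT` setting.

```python
# Constructed stand-ins for os.environ inside Lambda and for Django settings.
LAMBDA_ENV = {
    "AWS_ACCESS_KEY_ID": "role-key-id-placeholder",
    "AWS_SECRET_ACCESS_KEY": "role-secret-placeholder",
    "AWS_SESSION_TOKEN": "role-session-token-placeholder",
}
APP_SETTINGS = {
    "AWS_ACCESS_KEY_ID": "app-key-id-placeholder",
    "AWS_SECRET_ACCESS_KEY": "app-secret-placeholder",
}


def env_pair(environ):
    """Key pair that belongs to the Lambda execution role."""
    return environ.get("AWS_ACCESS_KEY_ID"), environ.get("AWS_SECRET_ACCESS_KEY")


def env_token(environ):
    """Session token of the execution role, under either variable name."""
    return environ.get("AWS_SESSION_TOKEN") or environ.get("AWS_SECURITY_TOKEN")


def naive_credentials(settings, environ):
    """Failing combination from the thread: keys from settings, token from env."""
    role_key, role_secret = env_pair(environ)
    key = settings.get("AWS_ACCESS_KEY_ID") or role_key
    secret = settings.get("AWS_SECRET_ACCESS_KEY") or role_secret
    return key, secret, env_token(environ)


def consistent_credentials(settings, environ, ignore_env_token=False):
    """Send the env token only when the key pair is the execution role's too."""
    key, secret, token = naive_credentials(settings, environ)
    # A session token is only valid with the temporary key pair it was issued for.
    if ignore_env_token or (key, secret) != env_pair(environ):
        token = None
    return key, secret, token


def is_mixed(creds, environ):
    """Detect an env session token paired with keys from somewhere else."""
    key, secret, token = creds
    return token is not None and token == env_token(environ) \
        and (key, secret) != env_pair(environ)
```

Running `is_mixed` over the resolved credentials at start-up gives a clear configuration error in place of the `InvalidToken` response from `PutObject`.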