How is AWS_DEFAULT_ACL supposed to be used in django-storages?

Question

I'm a bit of a newbie to django-storages and I'm confused about the purpose of its AWS_DEFAULT_ACL settings variable. I gather that when it's set to None, the bucket policy on my AWS S3 bucket will be honored. That seems to indeed be true.

I've turned off public access to my bucket and am using the following bucket policy:

{
    "Version": "2012-10-17",
    "Id": "Policy1621539673651",
    "Statement": [
        {
            "Sid": "Stmt1621539665305",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::063896663644:user/mylogin"
            },
            "Action": [
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::mybucket/*"
        },
        {
            "Sid": "Stmt1621539600741",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::mybucket/static/*"
        }
    ]
}

I can run python manage.py collectstatic and it uploads files without an issue.

However, if I change AWS_DEFAULT_ACL to 'public-read', I get errors when running collectstatic.

Copying '/Users/dylan/Dev/myapp/static/css/bootstrap-datetimepicker.css'
Traceback (most recent call last):
  File "/Users/dylan/Dev/myapp/./manage.py", line 15, in <module>
    execute_from_command_line(sys.argv)
  File "/Users/dylan/.local/share/virtualenvs/myapp-MCS7ouoX/lib/python3.9/site-packages/django/core/management/__init__.py", line 401, in execute_from_command_line
    utility.execute()
  File "/Users/dylan/.local/share/virtualenvs/myapp-MCS7ouoX/lib/python3.9/site-packages/django/core/management/__init__.py", line 395, in execute
    self.fetch_command(subcommand).run_from_argv(self.argv)
  File "/Users/dylan/.local/share/virtualenvs/myapp-MCS7ouoX/lib/python3.9/site-packages/django/core/management/base.py", line 330, in run_from_argv
    self.execute(*args, **cmd_options)
  File "/Users/dylan/.local/share/virtualenvs/myapp-MCS7ouoX/lib/python3.9/site-packages/django/core/management/base.py", line 371, in execute
    output = self.handle(*args, **options)
  File "/Users/dylan/.local/share/virtualenvs/myapp-MCS7ouoX/lib/python3.9/site-packages/django/contrib/staticfiles/management/commands/collectstatic.py", line 194, in handle
    collected = self.collect()
  File "/Users/dylan/.local/share/virtualenvs/myapp-MCS7ouoX/lib/python3.9/site-packages/django/contrib/staticfiles/management/commands/collectstatic.py", line 118, in collect
    handler(path, prefixed_path, storage)
  File "/Users/dylan/.local/share/virtualenvs/myapp-MCS7ouoX/lib/python3.9/site-packages/django/contrib/staticfiles/management/commands/collectstatic.py", line 355, in copy_file
    self.storage.save(prefixed_path, source_file)
  File "/Users/dylan/.local/share/virtualenvs/myapp-MCS7ouoX/lib/python3.9/site-packages/django/core/files/storage.py", line 52, in save
    return self._save(name, content)
  File "/Users/dylan/.local/share/virtualenvs/myapp-MCS7ouoX/lib/python3.9/site-packages/storages/backends/s3boto3.py", line 447, in _save
    obj.upload_fileobj(content, ExtraArgs=params)
  File "/Users/dylan/.local/share/virtualenvs/myapp-MCS7ouoX/lib/python3.9/site-packages/boto3/s3/inject.py", line 619, in object_upload_fileobj
    return self.meta.client.upload_fileobj(
  File "/Users/dylan/.local/share/virtualenvs/myapp-MCS7ouoX/lib/python3.9/site-packages/boto3/s3/inject.py", line 539, in upload_fileobj
    return future.result()
  File "/Users/dylan/.local/share/virtualenvs/myapp-MCS7ouoX/lib/python3.9/site-packages/s3transfer/futures.py", line 106, in result
    return self._coordinator.result()
  File "/Users/dylan/.local/share/virtualenvs/myapp-MCS7ouoX/lib/python3.9/site-packages/s3transfer/futures.py", line 265, in result
    raise self._exception
  File "/Users/dylan/.local/share/virtualenvs/myapp-MCS7ouoX/lib/python3.9/site-packages/s3transfer/tasks.py", line 126, in __call__
    return self._execute_main(kwargs)
  File "/Users/dylan/.local/share/virtualenvs/myapp-MCS7ouoX/lib/python3.9/site-packages/s3transfer/tasks.py", line 150, in _execute_main
    return_value = self._main(**kwargs)
  File "/Users/dylan/.local/share/virtualenvs/myapp-MCS7ouoX/lib/python3.9/site-packages/s3transfer/upload.py", line 694, in _main
    client.put_object(Bucket=bucket, Key=key, Body=body, **extra_args)
  File "/Users/dylan/.local/share/virtualenvs/myapp-MCS7ouoX/lib/python3.9/site-packages/botocore/client.py", line 386, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/Users/dylan/.local/share/virtualenvs/myapp-MCS7ouoX/lib/python3.9/site-packages/botocore/client.py", line 705, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the PutObject operation: Access Denied

1. Is AWS_DEFAULT_ACL meant to be used only if you make your bucket public to all?
2. If set, does it apply the given ACL (e.g. 'public-read') to uploaded files?
3. With 'public-read' set, can I not run collectstatic?

[I'm exploring all this because I'm having troubles making my static files available to all and wondered if AWS_DEFAULT_ACL might help.]

The documentation hasn't helped, and I'm quite confused about how the system is meant to work as you can probably tell...

Answer 1

I am sure you've found the answer to your question by now or found a way around. Just for the people ending up here searching for answer to what AWS_DEFAULT_ACL means, here is what the docs for django-storages say:

AWS_DEFAULT_ACL (optional; default is None which means the file will be private per Amazon’s defalt)

Use this to set an ACL on your file such as public-read. If not set the file will be private per Amazon’s defau