3 min read

Granting Temporary Access to S3 Objects

Unless you are hosting public files on S3, like your website’s static content, the chances are that you are going to keep your buckets private.

And that is great, but sometimes when working with private buckets, you may want to be able to allow access to someone else.

It could be for someone that doesn’t have privileges on that bucket, a different account, or maybe a customer who wants to download your latest software version.

It turns out there’s a way to grant temporary access to an S3 object in the form of a “pre-signed” URL.
A presigned URL allows whoever has this link to download the file from S3 and is valid for a certain amount of time. By default, it expires after an hour.

You can create presigned URLs in two ways:

  1. Using the AWS command line.
  2. The AWS SDK

I’ll walk you through two scenarios using these two methods, so you can get a better idea of how to use presigned URLs.

Using the command line

Let’s assume that you want to transfer a file from one AWS account to another but don’t want to mess around with IAM too much to create policies and then remember to remove them.

Or maybe you want to help out a co-worker doing an offline installation at a client’s office.

The fastest way to presign an object is by using the command:

aws s3 presign s3://pushbuildtestdeploy-demo/testing.txt

The result will be the URL:

https://pushbuildtestdeploy-demo.s3.us-east-1.amazonaws.com/testing.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA3WELLQWAIDZKOS6G%2F20201112%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20201112T115417Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=531d64a936d7556bd58605944674188a4ee7e52e408c0ad5686272ed11590f71

You can see that the URL is valid for 1 hour. Note that everyone who has this link has access to the file, so think carefully about how you share it with others.

If you want to set a different expiration add the “–expires-in” flag, which is followed by the number of seconds.

aws s3 presign s3://pushbuildtestdeploy-demo/testing.txt --expires-in 600

https://pushbuildtestdeploy-demo.s3.us-east-1.amazonaws.com/testing.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA3WELLQWAIDZKOS6G%2F20201112%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20201112T120242Z&X-Amz-Expires=600&X-Amz-SignedHeaders=host&X-Amz-Signature=fc4c38168d4b84a9127fa104ec6072284cc20012ead01ff5c54bfe04eca4993a

Note the Amz-Expires=600 parameter.

Using the SDK

There are, of course, a few use cases for using the SDK for allowing temporary access to S3 objects.

Suppose that you want to give access to a digital product to people who made a purchase. Instead of making the bucket entirely open for the world or writing logic to restrict the access somehow in your code, you can use the SDK to return a temporary download link.

In Python, it’s as simple as calling the method:

generate_presigned_url(ClientMethod, Params=None, ExpiresIn=3600, HttpMethod=None)

Now the user can log in to the dashboard and download the file.

This could also be useful when information is generated for each client, and you don’t want to make the bucket public.

Yes, it’s tough to guess a filename with a hash, but this could be another layer of protection.

Feeling overwhelmed with all the different tools and concepts in the DevOps world?

An email that dives deep into subjects that are all DevOps

    We won't send you spam. Unsubscribe at any time.
    Powered By ConvertKit