Presigned URLs
Learn how to grant temporary access to your S3 objects using a presigned URL.
Presigned URLs are used to grant temporary access to the bucket. It is a time-bound URL that can be used to share and upload objects in a bucket.
How to create a presigned URL
The presigned URL can be created by anyone with valid security credentials. However, the entity with those credentials should have permission to perform the functions the presigned URL is being used for. This entity can be an IAM profile, a user, or a security token service. To create a presigned URL we require:
Name of the S3 bucket
The object key (If we are downloading the object using the presigned URL, then this object should be in the bucket. Otherwise, this should be the name of the object being uploaded.
The HTTP method (GET for downloading and PUT for uploading)
The time interval after which the presigned URL expires
Expiration time
Presigned URLs grant temporary credentials and expire after the specified time. The AWS Management Console allows an expiration time of between 1 minute and 12 hours. However, while using the AWS CLI or AWS SDK, we can specify an expiration time of up to seven days.
If we are creating a presigned URL using a temporary security token, and it expires before the scheduled expiration or presigned URL, the URL will expire with the token. Also, if the URL expires while uploading or downloading an object, it will complete the upload and download.
Share objects using the presigned URL
Presigned URLs allow us to create URLs for GET method which can be used in a code through SDKs or pasted into a browser to download the object. This way, a bucket owner grants temporary access to other users who can have similar privileges as the bucket owner for a limited time. This means that other users can only get the object if the URL creator has permission to get the object. We can create a presigned URL to share objects using Amazon S3 console, AWS Explorer for Visual Studio, or AWS Toolkit for Visual Studio Code.
Upload objects using the presigned URL
Presigned URLs allow us to create URLs for PUT method, which can be used by a third party to upload objects to the bucket. The other users can only put objects in the bucket if the creator of the URL has the privileges to upload objects to the bucket. We can create the presigned URL to upload an object using AWS SDK and AWS Explorer for Visual Studio.
Securing presigned URLs
We have already discussed how presigned URLs can grant access to read and write bucket contents for up to seven days. They are only limited by the permissions of the user. This privilege can be easily exploited; thus, it is extremely important to secure a presigned URL.
To secure the presigned URLs, we can define bucket and access point policies to only accept the request with the Signature Version 4 (SigV4) less than 10 minutes old. The AWS Signature Version 4 (SigV4) is an AWS authentication mechanism for signing AWS API requests. SigV4 requires clients to include a cryptographic signature in their requests, which AWS services can verify to authenticate the request's origin and integrity.
Another way to restrict access using presigned URLs is network control. We can add IAM policies to only accept a request if it originates from a specific network ID.
Get hands-on with 1300+ tech skills courses.