Using pre-signed URLs is the safest way for an application running outside of AWS to consume an object stored in an S3 bucket via GET. Here's a breakdown of pre-signed URLs and how they work:
Pre-Signed URLs: A pre-signed URL is a temporary URL generated by AWS that grants access to a specific S3 object for a defined period and with specific permissions. It includes the S3 object key (name), security credentials, and expiration time.
When your application outside of AWS uses this URL to access the object, it doesn't need to store any long-term AWS credentials itself.
Some key benefits of Pre-Signed URLs:
Security: By using pre-signed URLs, you avoid storing long-term access keys or secrets in your application code. This reduces the risk of compromising your S3 bucket if your application is compromised.
Granular Control: You can define specific permissions for the pre-signed URL, such as allowing only GET requests and setting an expiration time. This restricts what actions can be performed on the object using the URL.
Flexibility: You can generate pre-signed URLs dynamically based on user needs or object access requirements.
1/ Generate Pre-Signed URL: Your application code running outside of AWS uses the AWS SDK (available in various languages) to generate a pre-signed URL for the S3 object. This involves specifying the object key, desired permissions (e.g., GET), and expiration time.
2/ Send Pre-Signed URL: The generated pre-signed URL is sent to your application outside of AWS.
3/ Access Object: The application outside of AWS uses the pre-signed URL in an HTTP GET request to access the S3 object. AWS S3 validates the URL's authenticity and permissions before granting access.
The AWS documentation has quite good details on this. Pasting the link: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-presigned-url.html
Thanks. One question: can the application that uses the URL automatically generate a pre-signed URL after expiration? Would you have an implementation demo so I can see how the configuration process is done?
No, the application (client) using the presigned URL can't generate a new URL on its own after expiry. Only the application having access to S3 objects can create a new URL upon expiry.
Pasting a Golang example for presigned URL generation: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/s3-example-presigned-urls.html
You can also use the AWS CLI to generate presigned URLs: aws s3 presign s3://DOC-EXAMPLE-BUCKET1/mydoc.txt --expires-in 604800
This link gives all the different options for creating presigned URLs: https://docs.aws.amazon.com/AmazonS3/latest/userguide/ShareObjectPreSignedURL.html