Creating a Pre-Signed URL
You can create a pre-signed URL to temporarily grant access to a specific Object Storage operation without sharing permanent credentials. Depending on how it is generated, a pre-signed URL can allow users to download an existing object or upload an object to a specific bucket and object key.
Any user to whom you send the pre-signed URL can perform the authorized operation for the time you specify. The user does not need their own permissions or authentication on the bucket.
You can create a pre-signed URL to:
-
Download or share an existing object.
-
Upload an object using a single
PUTrequest.
|
|
Creating a Pre-Signed URL to Upload an Object Using AWS CLI
Before you begin: Install and configure AWS CLI. For more information, see Installing and Configuring AWS CLI. |
To create a pre-signed URL, use the presign command following this syntax:
$ aws s3 presign s3://BUCKET/OBJECT \
--profile YOUR_PROFILE \
--expires-in 3600 \
--endpoint https://oos.eu-west-2.outscale.comThis command contains the following options that you need to specify:
-
(optional)
profile: The named profile you want to use, created when configuring AWS CLI. For more information, see Installing and Configuring AWS CLI. -
s3://BUCKET/OBJECT: The path to the object you want to share in its bucket. -
expires-in: The time left before the URL expires, in seconds.When using AWS CLI, the maximum duration for a pre-signed URL is 604800 seconds (1 week).
-
endpoint: The endpoint corresponding to the Region you want to send the request to. For more information, see Installing and Configuring AWS CLI.
The presign command returns the following element:
-
URL: The URL at which your object is available.
https://oos.eu-west-2.outscale.com/BUCKET/OBJECT?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ABCDEFGHIJ0123456789%2F20101001%2Feu-west-2%2Fs3%2Faws4_request&X-Amz-Date=20101001T123456Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxCreating a Pre-Signed URL Using s3cmd
|
You can manage your object storage resources using s3cmd commands. For more information, see s3cmd. |
Tutorial: Creating and Using a Pre-Signed URL to Upload an Object
Before you begin:
|
-
If the pre-signed URL is used from a browser, configure CORS on the bucket first:
Request sample$ aws s3api put-bucket-cors \ --profile YOUR_PROFILE \ --bucket BUCKET \ --cors-configuration file://MY_CORS_CONFIG.json \ --endpoint https://oos.eu-west-2.outscale.comCORS configuration sample{ "CORSRules": [ { "AllowedHeaders": ["*"], "ExposeHeaders": ["ETag", "x-amz-meta-tag"], "AllowedMethods": ["PUT"], "MaxAgeSeconds": 3000, "AllowedOrigins": ["http://example.com"] } ] }For more information, see Applying a CORS Configuration to a Bucket.
-
Create a Python script to generate the pre-signed URL for the
PUTupload:Request sample$ vi generate_presigned_put_url.pyThis command opens a new file named
generate_presigned_put_url.pyin thevitext editor. -
Add the following content to the file:
File sampleimport boto3 s3 = boto3.client( "s3", endpoint_url="https://oos.eu-west-2.outscale.com", aws_access_key_id="ACCESS_KEY", aws_secret_access_key="SECRET_KEY" ) response = s3.generate_presigned_url( ClientMethod="put_object", Params={ "Bucket": "BUCKET", "Key": "OBJECT", "ContentType": "text/plain" }, ExpiresIn=3600 ) print(response)If you use the
vitext editor, pressito enter insert mode before pasting the sample.After pasting the sample, press
Esc, then type:wqand pressEnterto save the file and exit the text editor.The script contains the following options that you need to specify:
-
ACCESS_KEY: The access key of the account used to sign the pre-signed URL. -
SECRET_KEY: The secret key of the account used to sign the pre-signed URL. -
BUCKET: The name of the bucket to which the object is uploaded. -
OBJECT: The name of the object to be uploaded in the bucket. -
(optional)
ContentType: The content type expected in the upload request. If specified, the upload request must include the matchingContent-Typeheader. -
(optional)
ExpiresIn: The validity period of the pre-signed URL, in seconds. If not specified, boto3 will use a default value of 3600 seconds.
-
-
Generate the pre-signed URL and store it in a shell variable:
Request sample$ PRESIGNED_URL=$(python3 generate_presigned_put_url.py) -
Print the generated URL:
Request sample$ echo "$PRESIGNED_URL"The command returns a URL containing query parameters such as
X-Amz-Algorithm,X-Amz-Credential,X-Amz-Date,X-Amz-Expires,X-Amz-SignedHeaders, andX-Amz-Signature. -
Create the local file that will be uploaded as the object specified by
OBJECTin the Python script (here,uploadme.txt):Request sample$ cat > uploadme.txt <<'EOF' Test upload EOF -
Upload the object using the pre-signed URL:
Request sample$ curl -i --request PUT --upload-file uploadme.txt \ -H "Content-Type: text/plain" \ "$PRESIGNED_URL"If the upload succeeds, the command returns an HTTP
200 OKstatus code, anETagheader, and request identifiers such asx-amz-request-idandx-amz-id-2.If the header is missing or uses a different value, the signature validation fails and the upload is rejected.
-
Verify that the object was successfully uploaded:
Request sample$ aws s3api list-objects-v2 \ --profile PROFILE \ --bucket BUCKET \ --endpoint https://oos.eu-west-2.outscale.comFor more information, see Listing the Objects of a Bucket.
Related Page
AWS™ and Amazon Web Services™ are trademarks of Amazon Technologies, Inc or its affiliates in the United States and/or other countries.