Using AWS CLI to Generate Pre-signed URLs for Amazon S3 Objects (with examples)
When working with Amazon S3, there may be cases where you want to share access to specific objects stored within your buckets, without making them publicly accessible. That’s where the aws s3 presign command comes in handy. This command allows you to generate pre-signed URLs, which are time-limited URLs that grant temporary access to the specified S3 objects.
In this article, we will explore 8 different use cases of the aws s3 presign command, providing code examples and explanations for each case.
Use Case 1: Generating a Pre-signed URL for a Specific S3 Object (Valid for One Hour)
To generate a pre-signed URL for a specific S3 object that is valid for one hour, you can use the following code:
aws s3 presign s3://bucket_name/path/to/file
Motivation: This use case is helpful when you want to share temporary access to a specific file in your S3 bucket. By generating a pre-signed URL that expires within one hour, you can provide secure and time-limited access to the file.
Arguments:
s3://bucket_name/path/to/file: Specifies the S3 object you want to generate a pre-signed URL for, where bucket_name is the name of your bucket, and path/to/file represents the path to the desired file within the bucket.
Example Output:
https://s3.amazonaws.com/bucket_name/path/to/file?X-Amz-Algorithm=AWS4-HMAC-SHA256...
Use Case 2: Generating a Pre-signed URL with a Specific Lifetime
To generate a pre-signed URL that is valid for a specific lifetime, you can use the --expires-in argument. Here’s an example:
aws s3 presign s3://bucket_name/path/to/file --expires-in duration_in_seconds
Motivation: Sometimes, you may want to customize the expiration time for a pre-signed URL. This can be useful for scenarios where you want to control the duration of access to the object.
Arguments:
--expires-in duration_in_seconds: Specifies the duration, in seconds, for which the pre-signed URL will be valid.
Example Output:
https://s3.amazonaws.com/bucket_name/path/to/file?X-Amz-Algorithm=AWS4-HMAC-SHA256...
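The lifetime chosen with --expires-in is carried in the URL itself as X-Amz-Expires, next to the signing time (X-Amz-Date) and the signer's access key ID (X-Amz-Credential). The following is an added example, not part of the original article: a small Python checker that reads those fields from a pre-signed URL before it is shared and flags lifetimes above a local limit. The function name, the one-hour MAX_LIFETIME policy and the sample URL are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

MAX_LIFETIME = 3600  # assumed local policy: one hour, in seconds


def inspect_presigned_url(url, now=None, max_lifetime=MAX_LIFETIME):
    """Return who signed a SigV4 pre-signed URL and when it stops working."""
    now = now or datetime.now(timezone.utc)
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)

    def one(name):
        # A duplicated or missing signing parameter makes the URL ambiguous.
        values = query.get(name, [])
        if len(values) != 1:
            raise ValueError(f"expected exactly one {name} parameter")
        return values[0]

    if one("X-Amz-Algorithm") != "AWS4-HMAC-SHA256":
        raise ValueError("not a SigV4 pre-signed URL")
    signed_at = datetime.strptime(one("X-Amz-Date"), "%Y%m%dT%H%M%SZ")
    signed_at = signed_at.replace(tzinfo=timezone.utc)
    lifetime = int(one("X-Amz-Expires"))
    expires_at = signed_at + timedelta(seconds=lifetime)
    # Credential scope: <access key id>/<date>/<region>/<service>/aws4_request
    key_id, _, region, _, _ = one("X-Amz-Credential").split("/")
    return {
        "access_key_id": key_id,
        "region": region,
        "lifetime_seconds": lifetime,
        "expires_at": expires_at,
        "expired": now >= expires_at,
        "over_policy": lifetime > max_lifetime,
    }


# Constructed sample URL: documentation-style key ID and a dummy signature.
SAMPLE = (
    "https://s3.amazonaws.com/bucket_name/path/to/file"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20240115%2Fus-east-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20240115T103000Z&X-Amz-Expires=604800"
    "&X-Amz-SignedHeaders=host&X-Amz-Signature=0000"
)

if __name__ == "__main__":
    print(inspect_presigned_url(SAMPLE))
```

A URL signed with temporary credentials stops working when those credentials expire, even if X-Amz-Expires points to a later time, so the computed expires_at is an upper bound.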
Use Case 3: Displaying Help for the aws s3 presign Command
To display help and get more information about the aws s3 presign command, you can use the following code:
aws s3 presign help
Motivation: When you’re new to the aws s3 presign command or need a quick reminder of its usage and available options, running this command will provide you with the necessary information.
Example Output:
[Displays help information for the command]
In the next sections, we will explore an additional 5 use cases of the aws s3 presign command.
Use Case 4: Generating a Pre-signed URL with Specific HTTP Headers
When generating a pre-signed URL, you may need to include specific HTTP headers for fine-grained control over the access permissions. You can achieve this by utilizing the --response-content-* arguments. For example:
aws s3 presign s3://bucket_name/path/to/file --response-content-type content_type
Motivation: Including specific HTTP headers can be necessary for scenarios where you want to control how the pre-signed URL can be used. For instance, setting the response-content-type header ensures that the object is served with the specified content type.
Arguments:
--response-content-type content_type: Specifies the content type of the object to be served.
Example Output:
https://s3.amazonaws.com/bucket_name/path/to/file?X-Amz-Algorithm=AWS4-HMAC-SHA256...
Use Case 5: Generating a Pre-signed URL for a Versioned Object
If you are working with versioned objects in S3, you can generate a pre-signed URL for a specific version by appending the version ID to the object path. Here’s an example:
aws s3 presign s3://bucket_name/path/to/file?versionId=version_id
Motivation: Versioning allows you to store multiple versions of an object in the same bucket. Generating a pre-signed URL for a specific version can be useful when you want to share access to a particular version of an object.
Arguments:
s3://bucket_name/path/to/file?versionId=version_id: Specifies the versioned object you want to generate a pre-signed URL for, where version_id is the unique identifier for the desired version.
Example Output:
https://s3.amazonaws.com/bucket_name/path/to/file?versionId=version_id&X-Amz-Algorithm=AWS4-HMAC-SHA256...
Use Case 6: Generating a Pre-signed URL with Additional Query String Parameters
The aws s3 presign command allows you to include additional query string parameters in the pre-signed URL. This can be achieved by providing the desired parameters using the --response-.* or --query-.* arguments. Here’s an example:
aws s3 presign s3://bucket_name/path/to/file --query-param param_name=param_value
Motivation: Including additional query string parameters can provide extra context or control when accessing the object through the pre-signed URL. This can be helpful for scenarios where you require specific behavior or information.
Arguments:
--query-param param_name=param_value: Specifies a query string parameter to be added to the pre-signed URL, where param_name is the name of the parameter and param_value is the desired value.
Example Output:
https://s3.amazonaws.com/bucket_name/path/to/file?X-Amz-Algorithm=AWS4-HMAC-SHA256&param_name=param_value...
Use Case 7: Generating a Pre-signed URL for a Virtual Hosted-style Access Endpoint
By default, the pre-signed URLs generated by the aws s3 presign command use the path-style access format. If your S3 bucket is configured for virtual hosted-style access, you can generate a pre-signed URL that uses the virtual hosted-style format by utilizing the --endpoint-url argument. Here’s an example:
aws s3 presign s3://bucket_name/path/to/file --endpoint-url custom_endpoint_url
Motivation: When hosting static websites on S3 or using a custom DNS provider with virtual hosted-style access, generating pre-signed URLs with the virtual hosted-style format is necessary to ensure proper access.
Arguments:
--endpoint-url custom_endpoint_url: Specifies the custom endpoint URL to use when generating the pre-signed URL.
Example Output:
https://custom_endpoint_url/bucket_name/path/to/file?X-Amz-Algorithm=AWS4-HMAC-SHA256...
Use Case 8: Generating a Pre-signed URL for SSE-KMS Encrypted Objects
When generating pre-signed URLs for S3 objects encrypted using Server-Side Encryption with AWS Key Management Service (SSE-KMS), you need to provide the ARN of the AWS KMS key used for encryption. You can accomplish this by using the --sse-kms-key-id argument. Here’s an example:
aws s3 presign s3://bucket_name/path/to/file --sse-kms-key-id kms_key_arn
Motivation: SSE-KMS provides an additional level of security for your S3 objects by encrypting them using AWS KMS. When generating pre-signed URLs for encrypted objects, specifying the correct KMS key ARN ensures that the URL can be properly validated.
Arguments:
--sse-kms-key-id kms_key_arn: Specifies the ARN of the KMS key used to encrypt the S3 object.
Example Output:
https://s3.amazonaws.com/bucket_name/path/to/file?X-Amz-Algorithm=AWS4-HMAC-SHA256...
Conclusion
In this article, we explored 8 different use cases of the aws s3 presign command. We learned how to generate pre-signed URLs for S3 objects, customize their expiration time, include specific HTTP headers, handle versioned objects, incorporate additional query string parameters, utilize virtual-hosted style access endpoints, and support SSE-KMS encrypted objects. By understanding and leveraging these use cases, you can securely share temporary access to specific S3 objects while maintaining control over their availability.