Presigned URL

cegedim.cloud Object Storage Service support presigned URLs to grant access to objects without needing credentials.

Presigned URLs are used to provide short-term access to a private object in your S3 bucket. They work by appending an Access_Key, expiration time, and Sigv4 signature as query parameters to the S3 object.

Also, presigned URLs allow you to grant someone right to upload a specific object in your Bucket.

There are two common use cases when you may want to use them:

Simple, occasional sharing of private files
Frequent, programmatic access to view an object in an application
Frequent, programmatic access to upload an object through an application

Generating a Presigned URL (download)

We use aws s3 and aws s3api command line tools from AWSCLIv2 on Linux.

${S3_ENDPOINT} & ${S3_PROFILE} are environment variables.

aws s3 --endpoint-url=${S3_ENDPOINT} presign s3://bucket-test/feather.ttf --expires-in 600 --profile ${S3_PROFILE}

Output

https://storage-eb4.cegedim.cloud/bucket-test/feather.ttf?AWSAccessKeyId=fzs37xbv5615hygx2wkm&Signature=S4jFPas53s8cnwdDieMHrhc0ddE%3D&Expires=1666821099

In this example, the generated URL have an expiration of 10 minutes. After this time, the object will no longer be accessible.

--expires-in (integer) Number of seconds until the presigned URL expires. Default value is 3600 seconds.

The maximum expiration time is 7 Days.

Generating a Presigned URL (upload)

If an object with the same key already exists in the bucket as specified in the presigned URL, the existing object will be overridden.

aws s3 and aws s3api don't support upload presigned url generation.

You need to use AWS SDK to create Presigned Url for Upload.

Upload Presigned URL work only with path style addressing.

Replace aws_access_key_id and aws_secret_access_key by our own credentials.

ExpiresIn (integer): Number of seconds until the presigned URL expires. Default value is 3600 seconds. The maximum expiration time is 7 Days.

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import boto3
from botocore.client import Config
s3 = boto3.client('s3')
s3 = boto3.client(
    's3',
    aws_access_key_id='xxxxx',
    aws_secret_access_key='xxxxx',
    config=Config(s3={'addressing_style': 'path'}),
    endpoint_url='https://storage-eb4.cegedim.cloud'
)
bucket = "bucket-test"
key = "feather.ttf"

print(s3.generate_presigned_url('put_object', Params={'Bucket':bucket,'Key':key}, ExpiresIn=300, HttpMethod='PUT'))

# Output

# Run Python script
./create_presign_url_upload.py

#Ouput
https://storage-eb4.cegedim.cloud/bucket-test/feather.ttf?AWSAccessKeyId=fzs37xbv5615hygx2wkm&Signature=NI%2BvoHYhWEFPDR04ioeFfBz5fks%3D&Expires=1712056959

You can use tool like curl to upload your object to your bucket, using the URL generated previously:

curl --request PUT --upload-file feather.ttf 'https://storage-eb4.cegedim.cloud/bucket-test/feather.ttf?AWSAccessKeyId=fzs37xbv5615hygx2wkm&Signature=NI%2BvoHYhWEFPDR04ioeFfBz5fks%3D&Expires=1712056959'

PreviousLimitation and Best Practices NextBucket Policies

Last updated 11 months ago

Generating a Presigned URL (download)

We use aws s3 and aws s3api command line tools from AWSCLIv2 on Linux.

${S3_ENDPOINT} & ${S3_PROFILE} are environment variables.

aws s3 --endpoint-url=${S3_ENDPOINT} presign s3://bucket-test/feather.ttf --expires-in 600 --profile ${S3_PROFILE}

Output

https://storage-eb4.cegedim.cloud/bucket-test/feather.ttf?AWSAccessKeyId=fzs37xbv5615hygx2wkm&Signature=S4jFPas53s8cnwdDieMHrhc0ddE%3D&Expires=1666821099

In this example, the generated URL have an expiration of 10 minutes. After this time, the object will no longer be accessible.

--expires-in (integer) Number of seconds until the presigned URL expires. Default value is 3600 seconds.

The maximum expiration time is 7 Days.

Generating a Presigned URL (upload)

If an object with the same key already exists in the bucket as specified in the presigned URL, the existing object will be overridden.

aws s3 and aws s3api don't support upload presigned url generation.

You need to use AWS SDK to create Presigned Url for Upload.

Below, a simple example using [AWS SDK for Python (Boto3)]()

Upload Presigned URL work only with path style addressing.

Replace aws_access_key_id and aws_secret_access_key by our own credentials.

ExpiresIn (integer): Number of seconds until the presigned URL expires. Default value is 3600 seconds. The maximum expiration time is 7 Days.

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import boto3
from botocore.client import Config
s3 = boto3.client('s3')
s3 = boto3.client(
    's3',
    aws_access_key_id='xxxxx',
    aws_secret_access_key='xxxxx',
    config=Config(s3={'addressing_style': 'path'}),
    endpoint_url='https://storage-eb4.cegedim.cloud'
)
bucket = "bucket-test"
key = "feather.ttf"

print(s3.generate_presigned_url('put_object', Params={'Bucket':bucket,'Key':key}, ExpiresIn=300, HttpMethod='PUT'))

# Output

# Run Python script
./create_presign_url_upload.py

#Ouput
https://storage-eb4.cegedim.cloud/bucket-test/feather.ttf?AWSAccessKeyId=fzs37xbv5615hygx2wkm&Signature=NI%2BvoHYhWEFPDR04ioeFfBz5fks%3D&Expires=1712056959

You can use tool like curl to upload your object to your bucket, using the URL generated previously:

curl --request PUT --upload-file feather.ttf 'https://storage-eb4.cegedim.cloud/bucket-test/feather.ttf?AWSAccessKeyId=fzs37xbv5615hygx2wkm&Signature=NI%2BvoHYhWEFPDR04ioeFfBz5fks%3D&Expires=1712056959'