What is AWS S3 Pre-Signed URL

How to Share Your S3 Bucket Data Securely.

Chameera Dulanga
Enlear Academy

--

AWS S3 is one of the most used storage services in the world. Developers use it to upload images, audio, and various other files and use them in their web applications.

Most developers make these bucket contents publicly available by using a bucket policy. However, AWS does not recommend this approach for security reasons.

So, how can we securely share the content with others who don't have access to our S3 buckets?

S3 pre-signed URLs are the most recommended way to share your S3 bucket contents, and this article will discuss all the things you need to know about S3 pre-signed URLs, including a demonstration.

First, Let’s Get to Know Pre-Signed URLs

A pre-signed URL is a URL that allows you to give temporary access to S3 Objects.

With these URLs, you can limit the permissions, operations, and expiration time easily.

  • Permission: A pre-signed URL has the permissions of its creator. The creator can be an IAM user or an AWS service, and the URL automatically gets the permissions that the user or service has over the S3 bucket.
  • Operations: When you create the URL, you can define the operations as read, write or update. This allows you to limit read and write access to relevant users.
  • Expiration Time: Like operations, you can define the expiration time of the URL when you create it. But if the creator's credentials expire before the URL expiration time, the URL also expires automatically.
  • Resources: You can specify the bucket name when you create the URL.

Now that you have an understanding of pre-signed URLs, let's see how we can create one.

How to Create a Pre-Signed URL Using AWS JS SDK

There are many methods to generate pre-signed URLs. But, today, I will be focusing on AWS JS SDK.

AWS-SDK for JS is one of the most popular NPM libraries used by web developers at the moment and it has more than 7 million weekly downloads.

You can easily download it using the npm i aws-sdk command, and it supports major frontend development frameworks like Angular and React. For this example, I will use a React application.

Before getting into URL generation, you need to create an IAM user profile and an S3 bucket.

Step 1: Creating an IAM User

This is a very straightforward process. You can search IAM from the service list in your AWS account dashboard, and it will display a window like below where you need to enter a user name and access type.

Creating an IAM User

You can give any username you prefer, but make sure that you tick Programmatic access as the Access type.

In the next window, you will be asked to set permissions. There, click the Attach existing policies directly box and choose the Create policy option.

It will open another new tab, and you will be asked to select Service, Actions, Resources, and Request Conditions.

I’ve selected S3 as the service and only added 2 actions for this example: GetObject and PutObject. Then you can specify an S3 bucket as the resource or give access to all buckets. (I won't be adding any request conditions here).

Then you need to save the policy and select that policy for the IAM user you created. In the end, you will be given an Access key ID and a secret access key for the IAM user. Keep them saved for future use.

Step 2: Install AWS-SDK and Generate a pre-signed URL

Now you can install AWS-SDK in your project using the npm i aws-sdk command and generate your pre-signed URLs.

You can either import the whole SDK or import the individual services you need.

// import entire SDK
var AWS = require('aws-sdk');

// import individual service
var S3 = require('aws-sdk/clients/s3');

Then you need to use the IAM user credentials you got in the previous step.

Do not use AWS credentials directly in your code.

In my application, I have used environment variables to maintain credentials, and my final code will look like this:

var AWS = require('aws-sdk');

// Read the IAM user's keys from environment variables instead of hard-coding them
var credentials = {
  accessKeyId: process.env.S3_ACCESS_KEY,
  secretAccessKey: process.env.S3_SECRET_KEY
};
AWS.config.update({credentials: credentials, region: 'eu-west-2'});

var s3 = new AWS.S3();

// Pre-signed URL for reading one object; Expires is given in seconds
var presignedURL = s3.getSignedUrl(
  'getObject',
  {
    Bucket: 'pre-signed-url-example',
    Key: 'react-logo.jpg',
    Expires: 3600
  }
);

The above code will generate a pre-signed URL to read the react-logo.jpg file from the pre-signed-url-example bucket. The URL stays valid for 3600 seconds.

If you want to give write access, you just need to change getObject to putObject.
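To see what ends up inside such a URL, here is the Signature Version 4 query signing behind a getObject URL, written out with Node's built-in crypto module as an added example (it is not the article's code or the AWS SDK's own implementation). The function names, the placeholder credentials and the virtual-hosted-style host name are assumptions, and it covers only the GET case with long-term credentials, run server-side in Node.js.

```javascript
const crypto = require('crypto');

const hmac = (key, data) => crypto.createHmac('sha256', key).update(data, 'utf8').digest();
const sha256Hex = (data) => crypto.createHash('sha256').update(data, 'utf8').digest('hex');
// RFC 3986 encoding as SigV4 requires (encodeURIComponent leaves !'()* unescaped).
const enc = (s) => encodeURIComponent(s).replace(/[!'()*]/g,
  (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());

function presignGetObject({ accessKeyId, secretAccessKey, region, host, key, expires, now }) {
  // amzDate looks like 20130524T000000Z; its first 8 characters scope the signing key to one day.
  const amzDate = now.toISOString().replace(/[-:]|\.\d{3}/g, '');
  const scope = [amzDate.slice(0, 8), region, 's3', 'aws4_request'].join('/');
  const params = {
    'X-Amz-Algorithm': 'AWS4-HMAC-SHA256',
    'X-Amz-Credential': `${accessKeyId}/${scope}`, // the access key ID is readable in the URL
    'X-Amz-Date': amzDate,
    'X-Amz-Expires': String(expires),              // lifetime in seconds, covered by the signature
    'X-Amz-SignedHeaders': 'host',
  };
  const query = Object.keys(params).sort().map((k) => `${enc(k)}=${enc(params[k])}`).join('&');
  const path = '/' + key.split('/').map(enc).join('/');
  const canonicalRequest = ['GET', path, query, `host:${host}`, '', 'host', 'UNSIGNED-PAYLOAD'].join('\n');
  const stringToSign = ['AWS4-HMAC-SHA256', amzDate, scope, sha256Hex(canonicalRequest)].join('\n');
  // Derive the signing key from the secret: date -> region -> service -> "aws4_request".
  const signingKey = scope.split('/').reduce(hmac, 'AWS4' + secretAccessKey);
  const signature = hmac(signingKey, stringToSign).toString('hex');
  return `https://${host}${path}?${query}&X-Amz-Signature=${signature}`;
}

// When the URL stops working: signing time plus X-Amz-Expires seconds.
function expiresAt(url) {
  const q = new URL(url).searchParams;
  const iso = q.get('X-Amz-Date').replace(/^(\d{4})(\d{2})(\d{2})T(\d{2})(\d{2})(\d{2})Z$/, '$1-$2-$3T$4:$5:$6Z');
  return new Date(Date.parse(iso) + Number(q.get('X-Amz-Expires')) * 1000);
}

// Constructed sample call: the article's bucket, key and region with placeholder credentials.
const sampleUrl = presignGetObject({
  accessKeyId: 'AKIDEXAMPLE', secretAccessKey: 'constructed-secret-not-a-real-key',
  region: 'eu-west-2', host: 'pre-signed-url-example.s3.eu-west-2.amazonaws.com',
  key: 'react-logo.jpg', expires: 3600, now: new Date(),
});
console.log(sampleUrl, '\nexpires at', expiresAt(sampleUrl).toISOString());
```

The method, path, host and expiry are all inputs to the signature, so editing any of them in the URL invalidates it. The secret key never appears in the URL, but the access key ID and signing time do, so anyone holding the URL can read them.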

That’s it, you have created a pre-signed URL for your application within a few minutes. So, don't forget to use this approach when you use an S3 bucket in your next web application to ensure the security of bucket content.

Thank you for reading!
