What’s a presigned URL?

Suppose we want to grant temporary access to an object in an S3 bucket to someone who doesn’t have an AWS account. At the same time, we don’t want to make our object public. How can we do that?

To achieve this, we can use presigned URLs. They let us share objects, or let users upload to an S3 bucket, without those users needing credentials or permissions of their own.

A presigned URL is a temporary access URL that users can use to access an object or a bucket until the URL reaches its expiration time and stops working. We set the expiration time when we create the presigned URL.

We can create a presigned URL using the AWS CLI or SDK (software development kit).

Presigned URL for sharing an object using the AWS CLI

In this example, we share an object that contains an image using a presigned URL that expires after two minutes.

Command:

aws s3 presign s3://my-pets/dingo.jpg --expires-in 120

Here, --expires-in refers to the number of seconds until the URL expires. By default, it’s set to 3,600 seconds.

The output URL looks like this:

https://my-pets.s3.us-east-1.amazonaws.com/dingo.jpg?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIARIB2FYFJOC2UGJN4%2F20211114%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20211114T192827Z&X-Amz-Expires=120&X-Amz-SignedHeaders=host&X-Amz-Signature=ad7616ae186578114b288ea5cc18a85602470248097f40a84fad34eb94936cdf

According to AWS documentation, the credentials we can use to create a presigned URL include the following:

  • IAM instance profile: This is valid up to six hours.
  • AWS Security Token Service: This is valid up to 36 hours when signed with permanent credentials, such as the credentials of the AWS account root user or an IAM user.
  • IAM user: This is valid up to seven days when we use AWS Signature Version 4.
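
The query parameters of the output URL above carry everything needed to tell who signed it and when it stops working. The following sketch is an added example, not part of the original article or of any AWS tool: it parses the article's sample URL with the Python standard library and checks the lifetime against the seven-day limit from the list above. The function name `inspect_presigned_url` and the returned field names are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

# Seven-day ceiling for Signature Version 4 URLs, from the list above.
MAX_EXPIRES = 7 * 24 * 3600

# The example URL printed earlier on this page.
SAMPLE_URL = (
    "https://my-pets.s3.us-east-1.amazonaws.com/dingo.jpg"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIARIB2FYFJOC2UGJN4%2F20211114%2Fus-east-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20211114T192827Z&X-Amz-Expires=120&X-Amz-SignedHeaders=host"
    "&X-Amz-Signature=ad7616ae186578114b288ea5cc18a85602470248097f40a84fad34eb94936cdf"
)

REQUIRED = ("X-Amz-Algorithm", "X-Amz-Credential", "X-Amz-Date",
            "X-Amz-Expires", "X-Amz-SignedHeaders", "X-Amz-Signature")


def inspect_presigned_url(url, now=None):
    """Return the signing metadata carried in a SigV4 presigned URL."""
    query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    missing = [name for name in REQUIRED if name not in query]
    if missing:
        raise ValueError(f"not a SigV4 presigned URL, missing {missing}")
    # Credential scope: <access key id>/<date>/<region>/<service>/aws4_request
    key_id, scope_date, region, _service, _ = query["X-Amz-Credential"].split("/")
    signed_at = datetime.strptime(query["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
    signed_at = signed_at.replace(tzinfo=timezone.utc)
    expires_in = int(query["X-Amz-Expires"])
    expires_at = signed_at + timedelta(seconds=expires_in)
    now = now or datetime.now(timezone.utc)
    return {
        "access_key_id": key_id,
        "region": region,
        "signed_headers": query["X-Amz-SignedHeaders"].split(";"),
        # A session token in the query means the signer used temporary
        # credentials (STS or an instance profile) rather than an IAM user key.
        "temporary_credentials": "X-Amz-Security-Token" in query,
        "scope_date_matches": scope_date == signed_at.strftime("%Y%m%d"),
        "expires_at": expires_at,
        "expired": now >= expires_at,
        "over_max_lifetime": expires_in > MAX_EXPIRES,
    }


if __name__ == "__main__":
    for field, value in inspect_presigned_url(SAMPLE_URL).items():
        print(f"{field}: {value}")
```

Anyone who holds the URL can use it until `expires_at`, so a short `--expires-in` limits the exposure if the link is forwarded or ends up in logs.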

So, next time we want to share some resources temporarily, we should remember to use S3 presigned URLs.
