Presigned URLs

Presigned URLs are a secure and convenient way to grant temporary access to objects stored in your object storage. Using presigned URLs, you can allow users to upload or download objects without exposing your credentials or giving permanent access to your object storage.

These URLs are valid for a specific time period, after which they expire. This feature is useful when you need to share objects temporarily with others or allow them to upload content without the need for full access credentials.

Key features of Presigned URLs

Presigned URLs allow you to securely provide access to an object without needing to expose your full credentials. The URL is generated with specific permissions (e.g., read, write) for a particular object and includes an expiration time. Once the URL expires, access is no longer possible.

Key Benefits:

  • Temporary Access: You can specify how long the URL will remain valid.
  • No Need for Credentials: Users can perform operations without needing AWS credentials.
  • Easy Sharing: You can share the URL with others to provide access to private objects.

| Feature | With Presigned URL | Without Presigned URL |
| --- | --- | --- |
| Temporary Access | Allows access for a specified duration. | No temporary access; full permissions required. |
| Access Control | Fine-grained control over who can access specific objects. | Less control over object access. |
| Security | URLs can be one-time use or restricted by IP. | All access requires permanent credentials. |

How to Create a Presigned URL

To generate a presigned URL for an object, you can use the following command in your AWS CLI:

aws s3 presign s3://<bucket_name>/<object_name> --expires-in <seconds>

The same operation in Python with boto3:

import boto3
from botocore.exceptions import NoCredentialsError

def generate_presigned_url(bucket_name, object_key, expiration=3600):
    """
    Generate a presigned URL to share an S3 object.

    :param bucket_name: string
    :param object_key: string
    :param expiration: Time in seconds for the presigned URL to remain valid
    :return: Presigned URL as string if successful, else None
    """
    # Create an S3 client
    s3_client = boto3.client('s3')

    try:
        # Generate a presigned URL to get the object
        return s3_client.generate_presigned_url(
            'get_object',
            Params={'Bucket': bucket_name, 'Key': object_key},
            ExpiresIn=expiration
        )
    except NoCredentialsError:
        print("Credentials not available")
        return None
    except Exception as e:
        print(f"Error generating presigned URL: {e}")
        return None

bucket_name = '<bucket_name>'
object_key = '<object_name>'
presigned_url = generate_presigned_url(bucket_name, object_key)

if presigned_url:
    print(f"Presigned URL: {presigned_url}")

Either of these generates a URL that can be used to download object_name from bucket_name. With the Python function's default expiration of 3600 seconds, the URL is valid for one hour.

Expiration and Revocation

  • Expiration: Once the presigned URL expires, it cannot be used to access the object anymore. You can set the expiration time when generating the URL.

  • Revocation: While there’s no built-in method to revoke a presigned URL before it expires, you can manage access by changing the object’s permissions or deleting the object from the storage. If you need to prevent further access, you can delete or restrict access to the object manually.
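
The expiry of a presigned URL can be read back from the URL itself, which helps when auditing links that turn up in logs or tickets. The following is an added example, not part of the original page; it assumes the storage uses the AWS-style query parameters (X-Amz-Date and X-Amz-Expires for Signature Version 4, Expires for Signature Version 2), and MAX_LIFETIME, the sample URLs and storage.example.com are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

MAX_LIFETIME = timedelta(hours=1)  # hypothetical policy limit, adjust to your own

# Constructed sample URLs (fake key and signature), not real links.
SAMPLE_V4 = (
    "https://storage.example.com/my-bucket/report.pdf"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=EXAMPLEKEY%2F20240101%2Fus-east-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20240101T120000Z&X-Amz-Expires=604800"
    "&X-Amz-SignedHeaders=host&X-Amz-Signature=0000"
)
SAMPLE_V2 = (
    "https://storage.example.com/my-bucket/report.pdf"
    "?AWSAccessKeyId=EXAMPLEKEY&Signature=0000&Expires=1704114000"
)


def presigned_url_window(url):
    """Return (signed_at, expires_at) in UTC; signed_at is None for SigV2 URLs."""
    query = {k.lower(): v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "x-amz-date" in query and "x-amz-expires" in query:
        # SigV4: signing time (ISO 8601 basic format, UTC) plus lifetime in seconds.
        signed_at = datetime.strptime(
            query["x-amz-date"], "%Y%m%dT%H%M%SZ"
        ).replace(tzinfo=timezone.utc)
        return signed_at, signed_at + timedelta(seconds=int(query["x-amz-expires"]))
    if "expires" in query:
        # SigV2: absolute expiry as a Unix timestamp; signing time is not in the URL.
        return None, datetime.fromtimestamp(int(query["expires"]), tz=timezone.utc)
    raise ValueError("no presigned-URL expiry parameters found")


def audit(url, now):
    """Classify a URL as 'expired', 'too-long-lived' or 'ok' against MAX_LIFETIME."""
    signed_at, expires_at = presigned_url_window(url)
    if expires_at <= now:
        return "expired"
    # For SigV2 only the remaining lifetime can be measured, so count from now.
    start = signed_at or now
    return "too-long-lived" if expires_at - start > MAX_LIFETIME else "ok"


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for sample in (SAMPLE_V4, SAMPLE_V2):
        print(audit(sample, now), presigned_url_window(sample)[1].isoformat())
```

Because a presigned URL cannot be revoked before it expires, a "too-long-lived" result is the case to act on by restricting or deleting the object, as described above.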