Mastering S3 Presigned URLs: A Secure Way to Share Objects

Published July 30, 2024 · by Eric Wilson · in aws

Learn how to securely grant temporary access to private S3 objects by generating presigned URLs for both uploading and downloading files using Python and Boto3.

By default, all objects in an Amazon S3 bucket are private. This is a critical security feature, but it raises a common question: how do you allow a user to temporarily access a private object without making the object public or managing complex IAM user policies?

The answer is S3 Presigned URLs.

A presigned URL is a URL that you generate using your AWS credentials. It grants temporary access to a specific S3 object for a limited time. Anyone who has the URL can access the object with the permissions of the user who generated it, but only until it expires.

This is the standard, secure way to handle user-specific uploads and downloads.

Use Case 1: Generating a Presigned URL for Downloading

Imagine you have a web application where users can download invoices that are stored as private objects in S3. You don't want to make all invoices public. Instead, when a user clicks "Download," your backend generates a presigned URL for their specific invoice.

Here's how to do it in Python with Boto3:

import boto3
from botocore.exceptions import ClientError

# It's a good practice to create the client once
s3_client = boto3.client('s3')

def generate_download_url(bucket_name, object_key, expiration_seconds=3600):
    """
    Generates a presigned URL to download a private S3 object.

    :param bucket_name: The name of the S3 bucket.
    :param object_key: The key of the object to download.
    :param expiration_seconds: The time in seconds for the URL to remain valid.
    :return: The presigned URL as a string. If error, returns None.
    """
    try:
        response = s3_client.generate_presigned_url(
            'get_object',
            Params={'Bucket': bucket_name, 'Key': object_key},
            ExpiresIn=expiration_seconds
        )
        return response
    except ClientError as e:
        print(f"Error generating download URL: {e}")
        return None

# --- Example Usage ---
BUCKET = 'my-private-invoices-bucket'
OBJECT_KEY = 'invoices/user-123/invoice-2024-07.pdf'

# Generate a URL that is valid for 10 minutes (600 seconds)
download_url = generate_download_url(BUCKET, OBJECT_KEY, 600)

if download_url:
    print(f"Here is your secure download link: {download_url}")

Your application would then provide this URL to the user, who can click it to download the file directly from S3. After 10 minutes, the link will expire.

Use Case 2: Generating a Presigned URL for Uploading

Presigned URLs are even more powerful for uploads. They allow you to upload a file directly from a client (like a web browser) to S3, bypassing your backend server entirely. This is incredibly scalable, as your server doesn't have to handle the file data itself.

Use Case: A user wants to upload a new profile picture.

  1. The user's browser tells your backend, "I want to upload a file named avatar.jpg."
  2. Your backend generates a presigned URL for a PUT operation on a specific key in S3.
  3. The backend returns this URL to the browser.
  4. The browser then makes a PUT request directly to the presigned URL with the image data as the request body.

Python code to generate the upload URL:

def generate_upload_url(bucket_name, object_key, expiration_seconds=3600):
    """
    Generates a presigned URL to upload an object to S3.

    :return: A dictionary containing the presigned URL and the required fields.
    """
    try:
        response = s3_client.generate_presigned_post(
            Bucket=bucket_name,
            Key=object_key,
            ExpiresIn=expiration_seconds
        )
        return response
    except ClientError as e:
        print(f"Error generating upload URL: {e}")
        return None

# --- Example Usage ---
UPLOAD_BUCKET = 'my-user-uploads-bucket'
# It's a good practice to use a unique key, e.g., using a UUID
UPLOAD_OBJECT_KEY = 'avatars/user-123/new-avatar.jpg'

upload_details = generate_upload_url(UPLOAD_BUCKET, UPLOAD_OBJECT_KEY)

if upload_details:
    # This dictionary contains the URL and the form fields the client must include
    print(f"Upload details: {upload_details}")

When using generate_presigned_post, the client must make a POST request with the file data and the fields returned in the upload_details dictionary as a multipart/form-data payload. This is slightly more complex on the client-side but is the most robust method for browser-based uploads.

Security Best Practices

  • Least Privilege: The IAM user or role that generates the presigned URL should have the minimum necessary permissions (e.g., only s3:GetObject for downloads or s3:PutObject for uploads on a specific bucket).
  • Short Expiration: Keep the expiration time as short as is practical for your use case. For a download, a few minutes is often sufficient.
  • Protect the URL: Treat the presigned URL like a temporary password. It should only be accessible to the intended user.

Conclusion

S3 presigned URLs are an essential tool for any developer working with AWS. They provide a secure, scalable, and straightforward way to manage access to private S3 objects without the overhead of complex IAM policies or passing large files through your backend servers. By mastering both download and upload URLs, you can build more efficient and secure cloud applications.

Back to All Blogs