How to create presigned URLs for objects in a private AWS S3 bucket using AWS CLI

By Sai Dilip, published in Sai Ops, May 18, 2022

The purpose of this document is to go through the steps to create a presigned URL for an S3 object using the AWS CLI.

Quick Fact

  • “If you are using presigned URLs, you don’t need to make the bucket public, and in fact, it may be better not to.” — AWS Support

Background

  • Amazon Web Services Simple Storage Service (AWS S3) is one of AWS’s services where you can store any object (file) cheaply.
  • When you are able to store large amounts of data of any kind, a business use case may arise to allow external access to certain data for a period of time.

Use Cases

  • Example #1: When your Amazon package arrives, you receive a picture as proof. They could be using S3 to store these pictures and have them expire after a certain time if they wanted to.
  • Example #2: You are a business that deals with customer data, and a customer wants a custom range of data. You can use an ETL process to extract it into an object and upload it to S3. You can then share a link to this object with your customer.

Pre-requisites

  • Console and CLI Access to an existing AWS Account
  • Permissions to S3 service

Disclaimer

The following steps are for demo purposes and may not be recommended for production use.

1. Go to the AWS S3 service and create a bucket

A bucket is a container of objects, much as a folder in the PC world is a container of files.

2. Follow this configuration

Bucket Name: Choose a name that is unique to you and fits your purpose

AWS Region: Your preference; it may also depend on which region your applications are stored in

Copy Settings from the existing bucket: Leave it blank

Object Ownership: Keep the default setting unless you need otherwise.

Block Public Access settings: Block all public access (all four sub-bullets should be grayed out)

Bucket Versioning: Keep the default setting unless you need otherwise.

Bucket Versioning allows you to keep track of multiple versions of the same object. There can be instances where you upload the same object more than once; if this setting is turned on, it will be uploaded as a new version every time. You would then be able to view and retrieve any version at a later point.

Tags: Add tags that make sense to you and your company. A template of tags is preferred for all your resources.

Default Encryption: Click on Enable and choose your encryption type. Common choice — Amazon S3-managed keys (SSE-S3)

Advanced Settings: Keep the default setting unless you need otherwise.

3. Click on Create Bucket

4. Verify that your object has been created

5. Drag and drop a random object from your local computer to your bucket and click on upload.

6. After the object is uploaded, it's time to create a presigned URL for the object so you can share this file with others

7. Assuming that you have configured your AWS CLI for the account that has the AWS S3 bucket you created, execute the following command

aws s3 presign --endpoint-url https://s3.{region}.amazonaws.com s3://{bucketname}/{object} --region {region} --expires-in {seconds}

The command I executed

aws s3 presign --endpoint-url https://s3.us-east-1.amazonaws.com s3://sai-pre-signed-url-test/Dance.mov --region us-east-1 --expires-in 86400

8. Output should be similar to this

9. Copy the output from the command line (starting with https://s3.us-east-1) and paste it into your browser. This link will expire based on the time you set. The object, however, will not be deleted.

Next Steps

  • You may want to use lifecycle policies to delete objects
  • Use best practices to secure the bucket access — look into bucket policies
  • There may be third-party tools to shorten your S3 presigned link
