How to create Amazon S3 Pre-signed URL with an expiration
I’ve been working with AWS for 8+ years now and this is the first time I’ve come across the need to use pre-signed URLs for sharing files. The first thing I did was hit up a colleague and he sent me a CLI command for it. I thought, sweet, this should be easy. But before I jumped to the CLI, I thought, why can’t I go into the console and click a button for a pre-signed URL?
As it turns out the feature is only available using the CLI or API. I think I might have to submit a feature request.
Next, I searched for documentation, and when I say I searched, I mean I Googled it. I think the first page didn’t contain a “how to” but I did come across the AWS Documentation.
https://docs.aws.amazon.com/AmazonS3/latest/dev/ShareObjectPreSignedURL.html
The last one is what I wanted, “Using AWS CLI”.
Ok, so the documentation seemed straightforward.
Let me document the process but I’ll also follow up with a video.
- Open up a terminal
- Type: aws configure (to make sure you have access/secret key configured, if not, don’t worry we will go through the process)
- Type: aws s3 presign s3://<insert bucket>/<insert file name> --expires-in 604800
How much time is 604800 seconds? One week. If you want something shorter, use a calculator or google it.
Hint: Remove spaces from the file name to make it easier
The output you receive will look something like this:
Awesome. Now share this out with everyone and you’re all set. But wait, is that MY Access Key in the URL? Ah, personally I’m not comfortable giving out a URL with my Access Key tied to it. Now what?
Easy, create an IAM user with Read-Only programmatic access to S3.
Those steps are:
- Open the AWS Console
- Click IAM
- Add User, Add a Name
- Click Programmatic Access
- Click Next: Permissions
- Click Attach existing policies directly
- Search for S3
- Select AmazonS3ReadOnlyAccess
- Click Next for Tags
- Enter some tagging info
- Click Next: Review
- Click Create User
- Download the CSV file
Now that you have a new user, I like to configure my CLI with multiple profiles which helps me call specific accounts without having to reconfigure my terminal.
How to configure the CLI with multiple profiles
Steps:
- Open a terminal
- Type: aws configure --profile <insert profile name>
- Enter Access Key
- Enter Secret Key
- Enter a region
- Enter output (I typically pick json but it’s your choice)
- Done
Now we can repeat the presign step above, this time signing with the read-only user’s access key by adding the profile argument.
Example: aws s3 presign s3://<insert bucket>/<insert file name> --expires-in 604800 --profile s3user
Copy the output and send it.
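Before sending a URL, it is worth confirming which access key it carries and when it stops working. The following is an added example, not part of the original post or AWS tooling: the function name `inspect_presigned_url` is hypothetical and the sample URL is constructed. It goes slightly beyond the post by also reading the older `AWSAccessKeyId`/`Expires` query form.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

MAX_SIGV4_EXPIRES = 604800  # seconds; one week, the value used in the post


def inspect_presigned_url(url, now=None):
    """Return which key signed a presigned S3 URL and when it expires."""
    now = now or datetime.now(timezone.utc)
    # parse_qs percent-decodes values, e.g. %2F -> / in X-Amz-Credential
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

    if "X-Amz-Credential" in q:  # Signature Version 4 query parameters
        key_id, _date, region, _service, _term = q["X-Amz-Credential"].split("/")
        signed_at = datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
        signed_at = signed_at.replace(tzinfo=timezone.utc)
        lifetime = int(q["X-Amz-Expires"])
        if not 1 <= lifetime <= MAX_SIGV4_EXPIRES:
            raise ValueError(f"X-Amz-Expires out of range: {lifetime}")
        expires_at = signed_at + timedelta(seconds=lifetime)
    elif "AWSAccessKeyId" in q:  # older Signature Version 2 form
        key_id, region = q["AWSAccessKeyId"], None
        expires_at = datetime.fromtimestamp(int(q["Expires"]), tz=timezone.utc)
    else:
        raise ValueError("not a presigned URL: no signing parameters found")

    return {
        "access_key_id": key_id,  # compare with the read-only user's key ID
        "region": region,
        "expires_at": expires_at,
        "seconds_left": max(0, int((expires_at - now).total_seconds())),
        "expired": now >= expires_at,
    }


# Constructed sample: documentation-style key ID, made-up bucket and signature.
SAMPLE_URL = (
    "https://example-bucket.s3.us-east-1.amazonaws.com/report.pdf"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20240101%2Fus-east-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20240101T000000Z&X-Amz-Expires=604800"
    "&X-Amz-SignedHeaders=host&X-Amz-Signature=0000placeholder0000"
)

if __name__ == "__main__":
    info = inspect_presigned_url(SAMPLE_URL)
    print(f"signed by {info['access_key_id']}, "
          f"expires {info['expires_at']:%Y-%m-%d %H:%M}Z, expired={info['expired']}")
```

If the key ID shown is not the one from the read-only user's CSV file, the URL was signed with the wrong profile.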
It took me about 10 minutes to figure it out and ultimately I found my next post.
Check out my video and let me know what you think.