Introduction
AWS provides pre-signed URLs to give temporary access to an object stored in an S3 (Simple Storage Service) bucket for a specific time duration, or to upload an object to an S3 bucket, without providing the credentials of the account. The URL is unique for each object. The default expiration time is 5 minutes and the maximum expiration time of a pre-signed URL is 7 days.
Objects stored in an S3 bucket are private by default. It is good practice to keep the S3 bucket and its objects private. If a client needs temporary access to an object, a pre-signed URL is a good choice.
To access the files of an S3 bucket from the AWS console there are two options:
- There is an Object URL by which the user can access the file, but the file should be open to the world (publicly accessible).
- There is an OPEN button that appears when we select any object inside the S3 bucket. In the backend, this Open button generates the pre-signed URL of the selected object and redirects the user to that URL. In this case, there is no need to make the file publicly accessible.
Benefits of Pre-signed URL
- Only 10 MB of payload can be passed to any API, so a pre-signed URL can be used to upload large files (up to 5 GB) to the S3 bucket.
- It is a secure way to share the private files stored in the S3 bucket, as it is signed with an AWS access key.
- It provides restricted access, as a single URL allows only GET or PUT.
- It is valid only for a specific time interval (until the expiration time).
- Each object has a different pre-signed URL.
Types of Pre-signed URL
- Get – A GET pre-signed URL is used to get temporary access to the files stored in an S3 bucket. To get the pre-signed URL of an object, select the object, click on the “ACTIONS” menu and choose “Share with a pre-signed URL”. A pop-up then asks for the expiration time of the pre-signed URL; after entering it, click on “Create Presigned URL”.
- Put – A PUT pre-signed URL is used to upload files to an S3 bucket without having the security credentials of the AWS account. To generate a pre-signed URL for uploading an object, there is a Boto3 API that can be used in Python code, to which we pass the bucket name, object name, and expiration time.
- Post – A POST pre-signed URL, like PUT, allows you to add content to an S3 bucket. It takes a lot more parameters than the PUT pre-signed URL and is slightly more complex to incorporate into your application. It allows you to upload to S3 directly using an HTML form.
Implementation
1. To generate a GET pre-signed URL

```python
import boto3

s3_client = boto3.client('s3')
presigned_url = s3_client.generate_presigned_url(
    ClientMethod='get_object',
    Params={'Bucket': 'bucket_name', 'Key': 'object_path'},
    ExpiresIn=300,  # validity in seconds, must be an integer (placeholder value)
)
```
2. To generate a PUT pre-signed URL

```python
import boto3

s3_client = boto3.client('s3')
presigned_url = s3_client.generate_presigned_url(
    ClientMethod='put_object',
    Params={'Bucket': 'bucket_name', 'Key': 'object_path'},
    ExpiresIn=300,  # validity in seconds, must be an integer (placeholder value)
)
```
A presigned URL contains the following data:
S3 object URL + X-Amz-Security-Token + X-Amz-Algorithm + X-Amz-Date + X-Amz-SignedHeaders + X-Amz-Expires + X-Amz-Credential + X-Amz-Signature
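The fields listed above can be read back out of any presigned URL to check who signed it and when it stops working. The following is an added example, not code from the original article: the 15-minute policy limit, the function name and the sample URL (placeholder bucket, the AWS documentation example key ID, a made-up signature) are all assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REQUIRED = ("X-Amz-Algorithm", "X-Amz-Credential", "X-Amz-Date",
            "X-Amz-Expires", "X-Amz-SignedHeaders", "X-Amz-Signature")
SECRET_PARAMS = {"X-Amz-Signature", "X-Amz-Security-Token"}
MAX_LIFETIME = timedelta(minutes=15)  # assumed local policy, not an AWS limit

def inspect_presigned_url(url, now=None):
    """Parse a SigV4 presigned S3 URL; report its scope, expiry and findings."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    query = dict(pairs)
    missing = [name for name in REQUIRED if name not in query]
    if missing:
        raise ValueError(f"not a SigV4 presigned URL, missing {missing}")
    signed_at = datetime.strptime(query["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
    lifetime = timedelta(seconds=int(query["X-Amz-Expires"]))
    expires_at = signed_at.replace(tzinfo=timezone.utc) + lifetime
    # X-Amz-Credential is <access key id>/<date>/<region>/<service>/aws4_request
    key_id, _day, region, service, _end = query["X-Amz-Credential"].split("/")
    findings = []
    if now >= expires_at:
        findings.append("expired")
    if lifetime > MAX_LIFETIME:
        findings.append("lifetime exceeds policy")
    if "X-Amz-Security-Token" not in query:
        findings.append("signed with a long-term access key")
    # The URL works as a bearer token, so mask its secrets before logging it.
    masked = urlencode([(k, "REDACTED" if k in SECRET_PARAMS else v)
                        for k, v in pairs])
    return {
        "host": parts.netloc, "key": parts.path.lstrip("/"),
        "access_key_id": key_id, "region": region, "service": service,
        "expires_at": expires_at, "findings": findings,
        "loggable_url": urlunsplit(parts._replace(query=masked)),
    }

# Constructed sample URL: placeholder bucket, example key id, fake signature.
SAMPLE_URL = (
    "https://example-bucket.s3.us-east-1.amazonaws.com/reports/q1.pdf"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential="
    "AKIAIOSFODNN7EXAMPLE%2F20240101%2Fus-east-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20240101T120000Z&X-Amz-Expires=604800"
    "&X-Amz-SignedHeaders=host&X-Amz-Signature=0000constructed0000"
)
```

The `loggable_url` value is the form to write to application logs or tickets, since the signature and session token are what grant access.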
Data Flow Diagram
First, the user hits the API with the payload (Bucket Name, Object Key, and Method). The API forwards the request to the Lambda function, the function performs the operation written in its code, and it returns the presigned URL to the user. If it is a GET URL, the user can hit it to access the object; if it is a PUT URL, the user can pass the binary data to upload the file.
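In this flow the Lambda function signs with its own role, so it should check the requested bucket, key and method before signing anything. The sketch below is an added example, not the article's Lambda code: the bucket allow-list, the `users/<caller>/` key prefix, the fixed 300-second lifetime and the API Gateway authorizer field used for the caller identity are assumptions.

```python
import json

# Hypothetical policy for this sketch; adjust to the deployment.
ALLOWED_BUCKETS = {"example-uploads"}
CLIENT_METHODS = {"GET": "get_object", "PUT": "put_object"}
EXPIRES_IN = 300  # seconds; fixed by the server, never taken from the caller


def validate_request(payload, caller_id):
    """Return (bucket, key, client_method) or raise PermissionError."""
    if not isinstance(payload, dict):
        raise PermissionError("payload must be a JSON object")
    bucket = payload.get("bucket")
    key = payload.get("key")
    method = str(payload.get("method", "")).upper()
    if not isinstance(bucket, str) or bucket not in ALLOWED_BUCKETS:
        raise PermissionError("bucket not allowed")
    if method not in CLIENT_METHODS:
        raise PermissionError("method not allowed")
    # Confine each caller to its own prefix so one user cannot request
    # a URL for another user's object.
    prefix = f"users/{caller_id}/"
    if not isinstance(key, str) or not key.startswith(prefix) or key == prefix:
        raise PermissionError("key outside caller prefix")
    return bucket, key, CLIENT_METHODS[method]


def lambda_handler(event, context):
    # Imported here so validate_request can be tested without the AWS SDK.
    import boto3
    # Assumes API Gateway with an authorizer that sets principalId.
    caller_id = event["requestContext"]["authorizer"]["principalId"]
    try:
        payload = json.loads(event.get("body") or "{}")
        bucket, key, client_method = validate_request(payload, caller_id)
    except (ValueError, PermissionError) as exc:
        return {"statusCode": 403, "body": json.dumps({"error": str(exc)})}
    url = boto3.client("s3").generate_presigned_url(
        ClientMethod=client_method,
        Params={"Bucket": bucket, "Key": key},
        ExpiresIn=EXPIRES_IN,
    )
    return {"statusCode": 200, "body": json.dumps({"url": url})}
```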
Conclusion
Using a presigned URL is a more secure way to give temporary access to files stored in an S3 bucket, or to give temporary access to upload to a bucket. For sharing sensitive files stored in an S3 bucket, we should always use a presigned URL.
A presigned URL gives you access to the object identified in the URL only if the creator of the presigned URL has permission to access that object. That is, if you receive a presigned URL to upload an object, you can upload the object only if the creator of the presigned URL has the necessary permissions to upload that object.
FAQs
1. Do we require AWS account credentials to access the presigned URL?
ANS: No, anyone can access the presigned URL without any credentials.
2. Can an IAM user create an S3 presigned URL?
ANS: If the IAM user has access to the S3 objects, then the user can generate the presigned URL.

WRITTEN BY Rohit Lovanshi
Rohit Lovanshi works as a Research Associate (Infra, Migration, and Security Team) at CloudThat. He is AWS Developer Associate certified. He has a positive attitude and works effectively in a team. He loves learning about new technology and trying out different approaches to problem-solving.