1. Introduction
By default, all objects are private, meaning that only the bucket account owner has access to the object. If you want a user to be able to access a particular bucket or object without making it public, you can grant the user the appropriate permissions through an IAM policy. In addition to granting access with an IAM policy, you can also create a presigned URL, which lets the user interact with the object without AWS credentials or IAM permissions.
What are Presigned URLs?
A presigned URL is a URL that gives your users temporary access to a specific S3 object. Using the URL, a user can read or write an object. The URL contains specific parameters set by your application. A presigned URL uses 3 parameters to limit a user's access:
- Bucket: The bucket that we want to upload an object to
- Key: The name of the object
- Expires: URL expiration time. The user cannot interact with the object once the URL has expired
AWS grants access to the object through the presigned URL because the URL is signed by the S3 bucket owner.
Anyone holding a valid presigned URL can interact with the object as specified when the URL was created. For example, with a GET (read) presigned URL, the user cannot PUT (write) the object on S3.
The URL itself is built from several parameters and is generated automatically by the AWS JS SDK. These include:
- X-Amz-Algorithm
- X-Amz-Credential
- X-Amz-Date
- X-Amz-Expires
- X-Amz-Signature
- X-Amz-SignedHeaders
https://presignedurldemo.s3.eu-west-2.amazonaws.com/image.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAJJWZ7B6WCRGMKFGQ%2F20180210%2Feu-west-2%2Fs3%2Faws4_request&X-Amz-Date=20180210T171315Z&X-Amz-Expires=1800&X-Amz-Signature=12b74b0788aa036bc7c3d03b3f20c61f1f91cc9ad8873e3314255dc479a25351&X-Amz-SignedHeaders=host
The presigned URL example above can be used to GET objects. A presigned URL has a maximum expiry of 7 days.
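How the X-Amz-* parameters fit together, as an added example that is not part of the original article or the AWS SDK: a Signature Version 4 query-string signer written with Node.js built-ins only, plus a local model of the server-side check that shows why a GET URL is rejected when used for PUT or after it expires. The credentials, the bucket name and the helper names presign and check are constructed for illustration.

```javascript
// Added example (not from the original article): SigV4 query-string signing
// for S3 using Node built-ins only.
const crypto = require('crypto');
const hmac = (key, data) => crypto.createHmac('sha256', key).update(data).digest();

// Constructed sample values: placeholder credentials and bucket, not real ones.
const SAMPLE = {
  accessKeyId: 'AKIAEXAMPLEEXAMPLE00', secretAccessKey: 'constructed-demo-secret',
  region: 'eu-west-2', bucket: 'example-bucket', key: 'image.png',
  amzDate: '20180210T171315Z', expires: 1800,
};

// Returns { url, sig }. Assumes only the host header is signed and the key has
// no characters that encodeURIComponent leaves unescaped (!'()*).
function presign(method, o) {
  const scope = `${o.amzDate.slice(0, 8)}/${o.region}/s3/aws4_request`;
  const host = `${o.bucket}.s3.${o.region}.amazonaws.com`;
  const path = '/' + o.key.split('/').map(encodeURIComponent).join('/');
  const query = [
    ['X-Amz-Algorithm', 'AWS4-HMAC-SHA256'],
    ['X-Amz-Credential', `${o.accessKeyId}/${scope}`],
    ['X-Amz-Date', o.amzDate],
    ['X-Amz-Expires', String(o.expires)],
    ['X-Amz-SignedHeaders', 'host'],
  ].map(([k, v]) => `${k}=${encodeURIComponent(v)}`).join('&');
  // The HTTP method is the first line of the canonical request, so it is signed.
  const canonical = [method, path, query, `host:${host}`, '', 'host',
    'UNSIGNED-PAYLOAD'].join('\n');
  const hash = crypto.createHash('sha256').update(canonical).digest('hex');
  const toSign = ['AWS4-HMAC-SHA256', o.amzDate, scope, hash].join('\n');
  // Signing key: HMAC chain over date, region, service and "aws4_request".
  const key = scope.split('/').reduce(hmac, 'AWS4' + o.secretAccessKey);
  const sig = hmac(key, toSign).toString('hex');
  return { url: `https://${host}${path}?${query}&X-Amz-Signature=${sig}`, sig };
}

// Local model of the server-side check (an assumption for illustration):
// enforce X-Amz-Date + X-Amz-Expires, then recompute the signature for the method used.
function check(method, url, o, nowMs) {
  const q = new URL(url).searchParams;
  const d = q.get('X-Amz-Date') || '';
  const expires = Number(q.get('X-Amz-Expires'));
  const iso = `${d.slice(0, 4)}-${d.slice(4, 6)}-${d.slice(6, 11)}:${d.slice(11, 13)}:${d.slice(13)}`;
  if (!(nowMs <= Date.parse(iso) + expires * 1000)) return 'expired';
  const want = Buffer.from(presign(method, { ...o, amzDate: d, expires }).sig);
  const got = Buffer.from(q.get('X-Amz-Signature') || '');
  return got.length === want.length && crypto.timingSafeEqual(got, want)
    ? 'ok' : 'signature mismatch';
}
```

Because the method, object path, date and expiry are all inputs to the signature, editing any of them in the URL invalidates it.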
2. How do I create a presigned URL?
First we need to create an IAM user that can read and write objects in S3. An API key is created for the IAM user and stored as an environment variable on the server.
- Go to S3 and create a bucket. The bucket name must be unique.
- Go to IAM
- Create a user with Programmatic access
- Click Next: Permissions
- Click Attach existing policies directly and Create policy
- Use the visual editor to select the S3 service. We only need a few access permissions, so expand the access level groups
- Make sure GetObject for READ and PutObject for WRITE are ticked
- Set the resources you want to grant access to: specifically the bucket name you created earlier and any object name.
- We do not specify any conditional requirements
- Click Review Policy, enter a name for the policy and save
- Attach the new policy to the new user you have created, and note the credentials
Generate presigned URLs using the AWS JS SDK
Below are two methods to generate a GET URL and a PUT URL using the AWS S3 class
3. Use presigned URLs
A GET URL can be used directly in any browser. To use a PUT URL you can use Postman.
After upload:
Disadvantages of presigned URLs
Currently, presigned URLs do not support limiting the upload file size. The PUT presigned URL is limited to 5GB files. Using POST provides more flexibility when implementing file upload. An object can be uploaded using the multipart upload API and the size limit is 5TB.
4. Presigned POST URLs
A presigned POST, like PUT, allows you to add an object to the S3 bucket. A presigned POST has more parameters than a presigned PUT. It can limit the upload file size and it allows uploading directly to S3 from an HTML form.
5. POST URL Parameters
For details, see: https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-HTTPPOSTConstructPolicy.html
Bucket: process.env.S3_BUCKET (bucket name)
Expires: 1800 (time to expire)
key: 'image.jpg' (filename)
{acl: 'private'} (determines which AWS account or group is granted access and what type of access)
success_action_status: "201" (HTTP status code returned if the upload is successful)
['starts-with', '$key', ''] (the value must start with the specified value)
['content-length-range', 0, 100000] (specifies the allowed size range of the file to be uploaded)
{'x-amz-algorithm': 'AWS4-HMAC-SHA256'} (specifies the signing algorithm used in signature computation)
6. References
Article translated from https://medium.com/@aidan.hallett/securing-aws-s3-uploads-using-presigned-urls-aa821c13ae8d
You can refer to: https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/S3.html
Thank you for reading the article!