Handling Pre-signed URLs with S3
Things you need to remember
In theory, if you want a user to have access to a specific bucket or object without making it public, you can use one of the following methods:
- Providing the user with the appropriate permissions using an IAM policy
- Creating a pre-signed URL
In this blog, we will concentrate on S3 pre-signed URLs and their usage.
- By definition, pre-signed URLs can be used to provide temporary access to a specific object to those who do not have AWS credentials.
- An expiration date and time duration must be configured when generating one.
- Pre-signed URLs can only be used for LIST and PUT operations; the other operations are not supported.
Practicals — Creating a pre-signed S3 URL
Step 1: Create an S3 bucket and upload an object (file) into it. There is no need to change any default settings here.
Step 2: Open CloudShell in your AWS console (this assumes you are using an AWS Admin user account).
When you use CloudShell, it uses the credentials of the identity you are currently logged in with. For example, if you are logged in as an AWS Admin user, CloudShell runs with that user's Admin privileges.
Step 3: Enter the following command in CloudShell:
$ aws s3 presign s3://<bucket-name>/<file-name>.jpg
Note: You can get the S3 object URI from the console after selecting the object you want to grant access to.
Step 4: Open a new browser tab and paste the long URL produced above; the object will be displayed.
Practicals — Revoking permissions of the pre-signed URL
As explained above, the user who created the pre-signed URL had IAM Admin rights. A pre-signed URL is always evaluated against the permissions of the user who created it.
Step 1: Limit the S3 privileges by adding an IAM in-line policy to the IAM Admin user. You may copy and paste the following JSON into the in-line policy.
Step 2: Generate a pre-signed URL after limiting S3 Full Access in Step 1. Notice that even after S3 access has been revoked for the user account, you can still generate a pre-signed URL (see figure 04).
However, the generated URL will not let you view the S3 image (see figure 05). This is because S3 Full Access has been restricted at the IAM policy level for this Admin user.
You may remove the IAM in-line policy that denies S3 full access and check whether you can generate the pre-signed URL again. In theory you should be able to.
Thank You!