What is a presigned URL
Signed URLs
A presigned URL grants access to the object specified in the URL, provided that the creator of the presigned URL has permission to access that object.
Presigned URLs are useful when a user or client needs to be able to upload a specific object to a bucket but does not need to have MCS credentials or security permissions.
With presigned URLs, an arbitrary user can perform operations in Object Storage, for example:
When creating a presigned URL, you must provide:
Presigned URLs are valid only for the specified period. A presigned URL can be used multiple times, up to the expiration date and time.
Note
The AWS SDKs use Signature Version 4 by default to authenticate requests. When using AWS SDK packages with Signature Version 3, you may need to request Signature Version 4 from the service.
General form of a signed URL
Composing a signed URL
To obtain a presigned URL:
Note
To compose a signed URL, you must have static access keys.
Examples of obtaining a signed link
Using the S3 CLI, you can generate a presigned link with the following command:
Presigned URLs
A user who does not have AWS credentials or permission to access an S3 object can be granted temporary access by using a presigned URL.
A presigned URL is generated by an AWS user who has access to the object. The generated URL is then given to the unauthorized user. The presigned URL can be entered in a browser or used by a program or HTML webpage. The credentials used by the presigned URL are those of the AWS user who generated the URL.
A presigned URL remains valid for a limited period of time which is specified when the URL is generated.
The user can download the S3 object by entering the presigned URL in a browser. A program or HTML page can download the S3 object by using the presigned URL as part of an HTTP GET request.
The following code demonstrates using the Python requests package to perform a GET request.
Using presigned URLs to perform other S3 operations
The main purpose of presigned URLs is to grant a user temporary access to an S3 object. However, presigned URLs can be used to grant permission to perform additional operations on S3 buckets and objects.
The create_presigned_url_expanded method shown below generates a presigned URL to perform a specified S3 operation. The method accepts the name of the S3 Client method to perform, such as ‘list_buckets’ or ‘get_bucket_location.’ The parameters to pass to the method are specified in the method_parameters dictionary argument. The HTTP method to use (GET, PUT, etc.) can be specified, but the AWS SDK for Python will automatically select the appropriate method so this argument is not normally required.
Generating a presigned URL to upload a file
A user who does not have AWS credentials to upload a file can use a presigned URL to perform the upload. The upload operation makes an HTTP POST request and requires additional parameters to be sent as part of the request.
The generated presigned URL includes both a URL and additional fields that must be passed as part of the subsequent HTTP POST request.
The following code demonstrates how to use the requests package with a presigned POST URL to perform a POST request to upload a file to S3.
The presigned POST URL and fields values can also be used in an HTML page.
Sharing an object with a presigned URL
All objects by default are private. Only the object owner has permission to access these objects. However, the object owner can optionally share objects with others by creating a presigned URL, using their own security credentials, to grant time-limited permission to download the objects.
When you create a presigned URL for your object, you must provide your security credentials, specify a bucket name, an object key, the HTTP method (GET to download the object), and the expiration date and time. Presigned URLs are valid only for the specified duration.
Anyone who receives the presigned URL can then access the object. For example, if you have a video in your bucket and both the bucket and the object are private, you can share the video with others by generating a presigned URL.
Anyone with valid security credentials can create a presigned URL. However, in order to successfully access an object, the presigned URL must be created by someone who has permission to perform the operation that the presigned URL is based upon.
The credentials that you can use to create a presigned URL include:
IAM instance profile: Valid up to 6 hours
AWS Security Token Service: Valid up to 36 hours when signed with permanent credentials, such as the credentials of the AWS account root user or an IAM user
IAM user: Valid up to 7 days when using AWS Signature Version 4
To create a presigned URL that’s valid for up to 7 days, first designate IAM user credentials (the access key and secret access key) to the SDK that you’re using. Then, generate a presigned URL using AWS Signature Version 4.
If you created a presigned URL using a temporary token, then the URL expires when the token expires, even if the URL was created with a later expiration time.
Because presigned URLs grant access to your Amazon S3 buckets to whoever has the URL, we recommend that you protect them appropriately. For more details about protecting presigned URLs, see Limiting presigned URL capabilities.
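One way to check a presigned URL found in a log, ticket or chat message against the lifetime limits described above, as an added example that is not AWS code. The function name `audit_presigned_url`, the one-hour policy default and the sample URLs (with placeholder signatures) are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

SIGV4_MAX_EXPIRES = 7 * 24 * 3600  # 7-day ceiling for IAM user credentials

def audit_presigned_url(url, now, policy_max_seconds=3600):
    """Return (expires_at, findings) for a SigV4 presigned URL."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    findings = []
    if q.get("X-Amz-Algorithm") != "AWS4-HMAC-SHA256":
        return None, ["not a Signature Version 4 presigned URL"]
    try:
        issued = datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
        lifetime = int(q["X-Amz-Expires"])
    except (KeyError, ValueError):
        return None, ["missing or malformed X-Amz-Date / X-Amz-Expires"]
    expires_at = issued + timedelta(seconds=lifetime)
    if lifetime > SIGV4_MAX_EXPIRES:
        findings.append("lifetime exceeds the 7-day maximum")
    elif lifetime > policy_max_seconds:
        findings.append(f"lifetime {lifetime}s exceeds policy limit {policy_max_seconds}s")
    if "X-Amz-Security-Token" in q:
        # Temporary credentials: the URL stops working when the token expires,
        # which can be earlier than expires_at.
        findings.append("signed with temporary credentials")
    if parts.scheme != "https":
        findings.append("not HTTPS: URL and signature exposed in transit")
    findings.append("expired" if expires_at <= now else "still valid: treat as a live secret")
    return expires_at, findings

# Constructed sample URLs; the signature and token values are placeholders.
BASE = ("https://examplebucket.s3.amazonaws.com/report.pdf?X-Amz-Algorithm=AWS4-HMAC-SHA256"
        "&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20240101%2Fus-east-1%2Fs3%2Faws4_request"
        "&X-Amz-Date=20240101T000000Z&X-Amz-SignedHeaders=host&X-Amz-Signature=PLACEHOLDER")
SAMPLE_LONG = BASE + "&X-Amz-Expires=604800"
SAMPLE_TEMP = BASE + "&X-Amz-Expires=900&X-Amz-Security-Token=PLACEHOLDER"

if __name__ == "__main__":
    now = datetime(2024, 1, 2, tzinfo=timezone.utc)
    for sample in (SAMPLE_LONG, SAMPLE_TEMP):
        print(audit_presigned_url(sample, now))
```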
Generating a presigned URL
You can use the AWS Management Console to generate a presigned URL for an object by following these steps.
To generate a presigned URL using the AWS Management Console
In the Buckets list, choose the name of the bucket that contains the object that you want a presigned URL for.
In the Objects list, select the object that you want to create a presigned URL for.
On the Actions menu, choose Create presigned URL.
Specify how long you want the presigned URL to be valid.
Choose Create presigned URL.
When a confirmation appears, you will see a button to copy the presigned URL to your clipboard.
If you are using Visual Studio, you can generate a presigned URL for an object without writing any code by using AWS Explorer for Visual Studio. Anyone with this URL can download the object. For more information, go to Using Amazon S3 from AWS Explorer.
For instructions on how to install the AWS Explorer, see Developing with Amazon S3 using the AWS SDKs, and explorers.
The following examples generate a presigned URL that you can give to others so that they can retrieve an object. For more information, see Sharing an object with a presigned URL.
The following example generates a presigned URL that you can give to others so that they can retrieve an object. For more information, see Sharing an object with a presigned URL.
You can use SDK for Go to upload an object. You can send a PUT request to upload data in a single operation. For more information, see Generate a Pre-Signed URL for an Amazon S3 PUT Operation with a Specific Payload in the AWS SDK for Go Developer Guide.
The following example generates a presigned URL that you can give to others so that they can retrieve an object from an S3 bucket. For more information, see Sharing an object with a presigned URL.
For instructions on creating and testing a working sample, see Testing the Amazon S3 Java Code Examples.
For more information about using AWS SDK for PHP Version 3 to generate a presigned URL, see Amazon S3 pre-signed URL with AWS SDK for PHP Version 3 in the AWS SDK for PHP Developer Guide.
Generate a presigned URL to share an object by using the SDK for Python (Boto3). For example, use a Boto3 client and the generate_presigned_url function to generate a presigned URL that GETs an object.
For a complete example that shows how to generate presigned URLs and how to use the Requests package to upload and download objects, see the PHP presigned URL example on GitHub. For more information about using SDK for Python (Boto3) to generate a presigned URL, see Python in the AWS SDK for PHP API Reference.
Uploading objects using presigned URLs
A presigned URL gives you access to the object identified in the URL, provided that the creator of the presigned URL has permissions to access that object. That is, if you receive a presigned URL to upload an object, you can upload the object only if the creator of the presigned URL has the necessary permissions to upload that object.
All objects and buckets by default are private. The presigned URLs are useful if you want your user/customer to be able to upload a specific object to your bucket, but you don’t require them to have AWS security credentials or permissions.
When you create a presigned URL, you must provide your security credentials and then specify a bucket name, an object key, an HTTP method (PUT for uploading objects), and an expiration date and time. The presigned URLs are valid only for the specified duration. That is, you must start the action before the expiration date and time. If the action consists of multiple steps, such as a multipart upload, all steps must be started before the expiration, otherwise you will receive an error when Amazon S3 attempts to start a step with an expired URL.
You can use the presigned URL multiple times, up to the expiration date and time.
Presigned URL access
Since presigned URLs grant access to your Amazon S3 buckets to whoever has the URL, we recommend that you protect them appropriately. For more details about protecting presigned URLs, see Limiting presigned URL capabilities.
Anyone with valid security credentials can create a presigned URL. However, for you to successfully upload an object, the presigned URL must be created by someone who has permission to perform the operation that the presigned URL is based upon.
Generate a presigned URL for object upload
If you are using Microsoft Visual Studio, you can also use AWS Explorer to generate a presigned object URL without writing any code. Anyone who receives a valid presigned URL can then programmatically upload an object. For more information, see Using Amazon S3 from AWS Explorer. For instructions on how to install AWS Explorer, see Developing with Amazon S3 using the AWS SDKs, and explorers.
You can use the AWS SDK to generate a presigned URL that you, or anyone you give the URL, can use to upload an object to Amazon S3. When you use the URL to upload an object, Amazon S3 creates the object in the specified bucket. If an object with the same key that is specified in the presigned URL already exists in the bucket, Amazon S3 replaces the existing object with the uploaded object.
Examples
The following examples show how to upload objects using presigned URLs.
To successfully complete an upload, you must do the following:
Specify the HTTP PUT verb when creating the GeneratePresignedUrlRequest and HttpURLConnection objects.
Interact with the HttpURLConnection object in some way after finishing the upload. The following example accomplishes this by using the HttpURLConnection object to check the HTTP response code.
This example generates a presigned URL and uses it to upload sample data as an object. For instructions on creating and testing a working sample, see Testing the Amazon S3 Java Code Examples.
For an AWS SDK for JavaScript example on using the presigned URL to upload objects, see Create a presigned URL to upload objects to an Amazon S3 bucket.
The following AWS SDK for JavaScript example uses a presigned URL to delete an object:
Generate a presigned URL to upload an object by using the SDK for Python (Boto3). For example, use a Boto3 client and the generate_presigned_url function to generate a presigned URL that PUTs an object.
For a complete example that shows how to generate presigned URLs and how to use the Requests package to upload and download objects, see the Python presigned URL example on GitHub. For more information about using SDK for Python (Boto3) to generate a presigned URL, see Python in the AWS SDK for Python (Boto) API Reference.
Create an instance of the Aws::S3::Resource class.
Provide a bucket name and an object key by calling the #bucket[] and the #object[] methods of your Aws::S3::Resource class instance.
Anyone with the presigned URL can upload an object.
The upload creates an object or replaces any existing object with the same key that is specified in the presigned URL.
Amazon S3 Pre-Signed URL with AWS SDK for PHP Version 3
You can authenticate certain types of requests by passing the required information as query-string parameters instead of using the Authorization HTTP header. This is useful for enabling direct third-party browser access to your private Amazon S3 data, without proxying the request. The idea is to construct a “pre-signed” request and encode it as a URL that an end-user’s browser can retrieve. Additionally, you can limit a pre-signed request by specifying an expiration time.
The following examples show how to:
Create a pre-signed URL to get an S3 object using createPresignedRequest.
Credentials
Before running the example code, configure your AWS credentials, as described in Credentials for the AWS SDK for PHP Version 3. Then import the AWS SDK for PHP, as described in Basic Usage Patterns of the AWS SDK for PHP Version 3.
Creating a Pre-Signed Request
You can get the pre-signed URL to an Amazon S3 object by using the Aws\S3\S3Client::createPresignedRequest() method. This method accepts an Aws\CommandInterface object and an expiration timestamp, and returns a pre-signed Psr\Http\Message\RequestInterface object. You can retrieve the pre-signed URL of the object using the getUri() method of the request.
The most common scenario is creating a pre-signed URL to GET an object.
Creating a Pre-Signed URL
You can create pre-signed URLs for any Amazon S3 operation using the getCommand method for creating a command object, and then calling the createPresignedRequest() method with the command. When ultimately sending the request, be sure to use the same method and the same headers as the returned request.
Getting the URL to an Object
If you only need the public URL to an object stored in an Amazon S3 bucket, you can use the Aws\S3\S3Client::getObjectUrl() method. This method returns an unsigned URL to the given bucket and key.
The URL returned by this method is not validated to ensure that the bucket or key exists, nor does this method ensure that the object allows unauthenticated access.