AWS S3 and Presigned URL

What are the “presigned URL” in S3? For me, when I first read about it, It sound me a little strange feature, but, when you are preparing yourself for an AWS certification, like AWS solution Architect Associated (SAA-CO2), this is a concept that appear from time on time, and you, definitely need to understand it, if want to get ready in your exam preparation. So, let’s go for it!

First of all, according the official doc, the only way to build a presigned URL is with one of the AWS SDK. And, in our case, we are going to use de AWS SDK for Java

After said that, let’s start the post:

Step 01: Starting from the last Step!

Let’s start from the end, the last step, to have one idea about we are going to:

I already have a Java 8 Maven project, with the Maven pom.xml with the dependences to AWS SDK for Java and the sample code from AWS to generate the presigned URL, so, after run it … I get the code 200 with everything Ok:

Last picture: AWS Presingned URL create from AWS SDK from Java

We can see that, when we are executing the Java Program “GeneratingPresignedUrlAndUploadObject”, the “Presigned URL” is created and it is printed in the log, and one object is uploaded to an S3 and the API return a 200 (ok) Status Code

URL Presigned URL created, and Upload “miobject” in S3 and return a 200 status code

The 200 status code means that the “miobject” was successful created in the S3 bucket:

One Object is created On S3 after printed the 200 status code

Let’s see that the bucket didn’t have public access permissions, but the Java code was able to put a new object from and build the “Presigned URL” for it:

Bucket private

According to the official doc with the presigned URL that we have just generated, we can give it to anyone, and although the bucket is still private, the receptor of the presigned URL will be able to access to this buckets objects as soon as the presigned URL creator have this permission ….

In short, If I want to give some permission on a bucket to someone, I can build with one AWS SDK a presigned URL, and give that URL to someone, to let access to bucket resourses, that remain private for everyone but still accesible for me as owner and the person that I gave the presigned URL

Step 02: recap: Where is te code?

This is the sample code:

GeneratingPresignedUrlAndUploadObject Sample Java Code

You can get it from the Java Maven Project working on my public repo:

Java Project with the pom.xml and the GeneratingPresignedUrlAndUploadObject.java

Or, in either case, you can get it from, the original AWS Documentation

https://docs.aws.amazon.com/AmazonS3/latest/dev/PresignedUrlUploadObjectJavaSDK.html

Step 03: Let’s build and run

When you have have the source code available is just the half of the road: you need to build and run it, dealing with some things like dependences and environment variables, so, the “plus” in this post, is also show you how is possible to build, and run the source code.

$ git clone https://github.com/PabloEzequiel/shared-images.git
$ cd shared-images/lambda/java-aws-sample
$ mvn clean install

git clone https://github.com/PabloEzequiel/shared-images.git

mvn clean install

Let’s exec the app with:

$ mvn exec:java -Dexec.mainClass="aws.s3sample.GeneratePresignedUrlAndUploadObject"

The Bucket “ninja-presigned-web” don’t exist on S3

There is an error, but that is correct: we need to create the bucket in S3, and upload on IT one S3 object, so, let’s do it now, in the next step:

Step 04: Let’s Upload (PUT) the Object in S3

In the source code we have the name that we should give to the bucket and the name of the object to upload on it:

The bucket name (to create) and the object name (to upload)

First, let’s run $ aws configure to be sure that we are in the right account, and later we can validate it with: $ aws get-sts-identity

aws configure

Let’s create the bucket with default (private) access:

Let’s create the bucket with default (private) access

The Bucket is Private

And now, with the bucket created, let’s exec the app again:

$ mvn exec:java -Dexec.mainClass="aws.s3sample.GeneratePresignedUrlAndUploadObject"

We get 200 ok ~> The Object was created and we get the presigned URL

We get the presigned URL, and the Object Created

The Object Created

Let’s Observe the Java Code:

Method PUT in the Presigned URL ~ Text in the Object

Step 05: Let’s Recover (GET) the Object from S3

Now, the last step is to use the presigned URL, and for simplicity, we will use the presinged URL that we have createdto be accessed with the GET method:

Using The presigned URL to access to the Object by GET (on a private Bucket)

So, thanks to presigned URL, is posible to recover the Object from a private bucket, and to use it, the user don’t need to interact wit the AWS console, just with the presigned URL that we have generated for him.

Final words

Ok, I will stop the post at this point. We have been able to show from a practical point of view, what is the idea of presigned URL, to give access to someone to our private resources for a short period of time, and how to generate and use it.

That is an interesting concept to understand because it is presente and frequently referenced in AWS certification material as use cases.

I hope you enjoyed it, and let’s see us in the another post!

Pablo

Resources

• The Source Code of This Post can be found on my personal GitHub
• This post have something about Java, and this is a good post about How to start with Java and Maven
• The Official Doc about presigned URL deal with this concept in detail, but later is up to you make it work, so, that is the idea of one post like this, to show you how the thinks are working.