How to generate temporary download links to S3 objects


aws security snippets

S3 can generate pre-signed URLs that are valid only for a predefined period of time. This makes it much safer to distribute URLs via email, Slack, etc.

Process

  1. Find the object in the S3 console and note the bucket name and object path.
  2. Ensure your AWS credentials are loaded into your environment.
  3. Use the AWS CLI to create a pre-signed URL:

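    # TTL is the number of seconds until the URL expires.
    # - 86400:   24 hours
    # - 604800:  7 days
    # - 2592000: 30 days
    # URLs signed with Signature Version 4 cannot be valid for more than
    # 604800 seconds (7 days).
    TTL=604800
    BUCKET=bucket-name
    OBJECT=object/path.tgz
    
    # Quote the arguments so object paths containing spaces are passed intact.
    aws s3 presign "s3://${BUCKET}/${OBJECT}" --expires-in "${TTL}"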
    
  4. Send the resulting URL to the intended recipient (ensure you include a note about its expiration). The link should look something like this:

    https://bucket-name.s3.amazonaws.com/object/path.tgz?AWSAccessKeyId=AKIAJ54UGSPNBHHHHGA&Expires=1516229734&Signature=XUi654DFIbAs55QJGnMuD92fZ%2FQ%3D
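Before sending a link, it is worth confirming when it actually expires and which access key signed it. The Python sketch below is an added example, not part of the original snippet: it reads the expiry from both the query format shown above and the Signature Version 4 format. The function names and the SigV4 sample URL (placeholder key ID and signature) are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

SIGV4_MAX_TTL = 604800  # seconds (7 days), the longest lifetime SigV4 allows

# The sample link from this page (older query format with an epoch "Expires").
SIGV2_URL = ("https://bucket-name.s3.amazonaws.com/object/path.tgz"
             "?AWSAccessKeyId=AKIAJ54UGSPNBHHHHGA&Expires=1516229734"
             "&Signature=XUi654DFIbAs55QJGnMuD92fZ%2FQ%3D")
# Constructed SigV4-style link; the key ID and signature are placeholders.
SIGV4_URL = ("https://bucket-name.s3.amazonaws.com/object/path.tgz"
             "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
             "&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20180110%2Fus-east-1%2Fs3%2Faws4_request"
             "&X-Amz-Date=20180110T225534Z&X-Amz-Expires=604800"
             "&X-Amz-SignedHeaders=host&X-Amz-Signature=0000")


def presigned_url_info(url):
    """Return who signed an S3 pre-signed URL and when it expires (UTC)."""
    # Parameter names are matched case-insensitively; values are URL-decoded.
    q = {k.lower(): v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "x-amz-signature" in q:
        signed_at = datetime.strptime(q["x-amz-date"], "%Y%m%dT%H%M%SZ")
        ttl = int(q["x-amz-expires"])
        if not 0 < ttl <= SIGV4_MAX_TTL:
            raise ValueError(f"X-Amz-Expires={ttl} is outside 1..{SIGV4_MAX_TTL}")
        key_id = q["x-amz-credential"].split("/")[0]
        expires_at = signed_at.replace(tzinfo=timezone.utc) + timedelta(seconds=ttl)
    elif "signature" in q and "expires" in q:
        key_id = q["awsaccesskeyid"]
        expires_at = datetime.fromtimestamp(int(q["expires"]), tz=timezone.utc)
    else:
        raise ValueError("URL carries no pre-signed query parameters")
    return {"access_key_id": key_id, "expires_at": expires_at,
            # A session token means temporary credentials signed the URL, so
            # it stops working when that session ends, even if that is sooner.
            "temporary_credentials": "x-amz-security-token" in q}


def seconds_remaining(url, now=None):
    """Seconds until the link expires; zero or negative means already expired."""
    now = now or datetime.now(timezone.utc)
    return int((presigned_url_info(url)["expires_at"] - now).total_seconds())


if __name__ == "__main__":
    for link in (SIGV2_URL, SIGV4_URL):
        info = presigned_url_info(link)
        print(info["access_key_id"], info["expires_at"].isoformat(), seconds_remaining(link))
```

The access key ID travels in the URL in clear text, so the recipient can see which key signed it; the secret key does not.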