How do I generate pre-signed URLs for temporary access with Wasabi?
    • 18 Dec 2023

    Sharing Files Using Pre-signed URLs

    All objects in your bucket are private by default and are accessible only to the object owner. However, there might be instances where the object owner has to share an object with others. The owner can do this by creating a pre-signed URL, signed with their own security credentials, that allows the object to be downloaded for a specific duration of time.

    To create a valid pre-signed URL for your object (valid for up to 7 days), you must provide your security credentials and specify a bucket name, an object key, the HTTP method (for instance, "GET" to download the object), and an expiration date and time.

    Anyone who receives the pre-signed URL can then access the object. For instance, you may want to share a presentation with a collaborator, or allow a friend to download a video file you are storing in your bucket. In both situations, you could generate a pre-signed URL, then email or message them the URL, which gives the recipient short-term access.

    Several approaches to generating a valid pre-signed URL are listed below:

    1. Using the AWS CLI

    2. Using the AWS Tools for PowerShell

    3. Using the S3 Browser

    4. Using Wasabi Explorer

    5. Using pre-signed S3 URLs for temporary, automated access in your application code

      1. Python and Boto3

      2. aws-sdk for Nodejs

      3. AWS SDK for PHP (V2)

    Using the AWS CLI

    To generate a pre-signed S3 URL with the AWS CLI, you can simply use the aws s3 presign command.

    On a Windows system, the command is:

    "C:\Program Files\Amazon\AWSCLI\aws.exe" s3 presign s3://yourbucket/presentation.ppt --endpoint-url https://s3.wasabisys.com

    This will return the URL that you will then provide, for example:

    https://yourbucket/presentation.ppt?AWSAccessKeyId=T43W6LLO9TVP12345ABC&Expires=1553550766&Signature=AC7uJ8L9E30PwWtJIHXVWV%2FEuSg%3D

    On a Mac or Linux system, the command is:

    $ aws s3 presign s3://yourbucket/presentation.ppt --endpoint-url https://s3.wasabisys.com

    NOTE: The above command uses the default profile that you set up when you ran aws configure. Use the --profile option if the Wasabi credentials are under a different profile.

    Using the AWS Tools for PowerShell

    If you use the AWS Tools for PowerShell, you can use the Get-S3PreSignedURL cmdlet to generate a pre-signed S3 URL in your PowerShell session.

    The syntax is:

    Get-S3PreSignedURL -Bucket yourbucket -Key presentation.ppt -Expire 2019-03-26 -EndpointUrl "https://s3.wasabisys.com"

    Generating a pre-signed S3 URL with S3 Browser

    The S3 Browser PRO version can be used to generate a one-off pre-signed S3 URL. Simply follow the steps below.

    First, choose the object for which you want to generate a pre-signed S3 URL, then right-click the object and click the "Generate Web URL" button, as shown in the image below.

    Generating a pre-signed S3 URL with Wasabi Explorer

    Wasabi Explorer is the easiest way to generate a one-off pre-signed S3 URL. Simply follow the steps below.

    First, choose the object for which you want to generate a pre-signed S3 URL, then click the "Web URL" button, as shown in the image below.

    Second, choose whether you want an HTTP or HTTPS URL. You should prefer an HTTPS URL as the query string parameters, including the Access Key and signature, will be sent over a secure connection. Then click the box to "Expire URL at certain date", and choose when you want it to expire. Finally, click "Generate", then copy the URL that is shown in the box, as shown in the image below.

    Using pre-signed S3 URLs for temporary, automated access in your application code

    The examples shown above are useful for generating a single pre-signed S3 URL that you need for an ad hoc use case. More commonly, you may have an application that needs to programmatically generate short-term access to a Wasabi bucket.

    Some examples of this programmatic usage include:

    • Your application generates invoice PDFs at the end of a billing cycle and stores the PDFs on Wasabi. You need to provide a link for your users to download the PDF of their invoice.

    • Your application allows users to upload videos to your Wasabi bucket. You would like users to upload directly from their browser, rather than sending the video to your servers, without leaking credentials to the browser.

    You can perform both of these operations with the AWS SDKs for any language. Below are examples of how to use Boto 3, the AWS SDK for Python, to generate pre-signed S3 URLs in your application code.

    Generating a pre-signed S3 URL for reading an object in your application code with Python and Boto3

    As mentioned above, you may want to provide temporary read access to a Wasabi object to a user of your application, such as downloading a PDF of an invoice. The code snippet below shows how you would do it in your application code.

    First, we import the boto3 library and construct a client to interact with Wasabi. Then, we generate a pre-signed S3 URL that will allow the GetObject API call on the object we specify:

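    import boto3

    # Client pointed at the Wasabi service URL.
    # Fill in your Wasabi access key and secret key.
    s3 = boto3.client(
        's3',
        endpoint_url='https://s3.wasabisys.com',
        aws_access_key_id='',
        aws_secret_access_key=''
    )

    # Pre-sign a GetObject request for one specific object.
    # No ExpiresIn is passed, so boto3's default lifetime of 3600 seconds applies.
    url = s3.generate_presigned_url(
        ClientMethod='get_object',
        Params={
            'Bucket': 'your-bucket-name',
            'Key': 'invoice.pdf'
        }
    )
    print(url)

    # https://your-bucket-name.s3.wasabisys.com/invoice.pdf?AWSAccessKeyId=AKIALGKOKBY37F5FZF4I&Signature=bPSs8Kcak%2FgjEqqjOO5cFS022x0%3D&Expires=1531446995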

    The resulting URL could be sent to our user to view in their browser and receive temporary access to the invoice.
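
    An added example, not part of the original article: a check to run on a pre-signed URL before sending it, reporting the access key ID it exposes, when it expires, and whether it is plain HTTP or outlives the 7-day limit. The function name and report fields are assumptions of this example, and the X-Amz-* branch covers URLs signed with Signature Version 4, which the samples in this article do not show.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

MAX_LIFETIME = timedelta(days=7)  # ceiling stated in this article


def inspect_presigned_url(url, now=None):
    """Report who signed a pre-signed URL, when it expires, and any concerns."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}

    if "Expires" in q:
        # Style shown in this article: Expires is an absolute Unix timestamp.
        key_id = q.get("AWSAccessKeyId")
        expires_at = datetime.fromtimestamp(int(q["Expires"]), timezone.utc)
    elif "X-Amz-Expires" in q:
        # Signature Version 4 style: signing time plus a lifetime in seconds.
        key_id = q.get("X-Amz-Credential", "").split("/")[0]
        signed = datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
        expires_at = signed.replace(tzinfo=timezone.utc) + timedelta(
            seconds=int(q["X-Amz-Expires"]))
    else:
        raise ValueError("no expiry parameter found; not a pre-signed URL")

    remaining = expires_at - now
    issues = []
    if parts.scheme != "https":
        issues.append("not HTTPS: key ID and signature travel in clear text")
    if remaining <= timedelta(0):
        issues.append("already expired")
    elif remaining > MAX_LIFETIME:
        issues.append("valid for more than 7 days")
    return {"host": parts.hostname, "path": parts.path,
            "access_key_id": key_id, "expires_at": expires_at,
            "remaining": remaining, "issues": issues}


# Sample input: the example URL printed by the snippet above.
SAMPLE = ("https://your-bucket-name.s3.wasabisys.com/invoice.pdf"
          "?AWSAccessKeyId=AKIALGKOKBY37F5FZF4I"
          "&Signature=bPSs8Kcak%2FgjEqqjOO5cFS022x0%3D&Expires=1531446995")

if __name__ == "__main__":
    for field, value in inspect_presigned_url(SAMPLE).items():
        print(f"{field}: {value}")
```

    Because the access key ID and expiry are readable by anyone holding the URL, the same function is useful for triaging a URL found in a log or a ticket.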

    Generating a pre-signed S3 URL for uploading an object in your application code with Python and Boto3

    You can generate a pre-signed S3 URL that can be used for POST requests. This can be useful for allowing clients to upload large files. Rather than sending the large file through your application's servers, the client can upload the file directly from the browser via tightly-scoped permissions.

    Imagine I want to allow a user to upload a file to my cloudberry-examples bucket with the key name of uploads/image.jpg. In the example below, I use the generate_presigned_post method to construct the URL and return it to the client. I can even add conditions onto the request, such as ensuring the file size is no larger than 1 MB:

    import boto3

    # Client pointed at the Wasabi service URL.
    # Fill in your Wasabi access key and secret key.
    s3 = boto3.client(
        's3',
        endpoint_url='https://s3.wasabisys.com',
        aws_access_key_id='',
        aws_secret_access_key=''
    )

    # Pre-sign a POST upload for exactly one key. The condition is written
    # into the signed policy, so the size range is enforced on upload.
    response = s3.generate_presigned_post(
        Bucket='your-bucket-name',
        Key='uploads/image.jpg',
        Conditions=[
            ['content-length-range', 1, 1048579]  # allowed size in bytes
        ]
    )

    print(response)

    # {'url': 'https://your-bucket-name.s3.wasabisys.com/', 'fields': {'key': 'uploads/image.jpg', 'AWSAccessKeyId': 'AKIALGKOKBY37F5FZF4I', 'policy': 'eyJleHBpcmF0aW9uIjogIjIwMTgtMDctMTNUMDI6Mzg6MTBaIiwgImNvbmRpdGlvbnMiOiBbWyJjb250ZW50LWxlbmd0aC1yYW5nZSIsIDEsIDEwNDg1NzldLCB7ImJ1Y2tldCI6ICJjbG91ZGJlcnJ5LWV4YW1wbGVzIn0sIHsia2V5IjogInVwbG9hZHMvaW1hZ2UuanBnIn1dfQ==', 'signature': 'ZY7Orehfdzg+ToJJXhYuV/XyK5o='}}

    The response will include a URL property, as well as a fields property with a set of key-value pairs. The fields key-value pairs must be sent with the file as part of a multipart/form-data request.
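
    An added example, not part of the original article: how a client turns that response into the multipart/form-data body, and how to read the signed policy back out of the fields to see what the upload is limited to. The helper names and the sample response are constructed for this example; the file part is placed last, as the S3 POST API requires.

```python
import base64
import json
import uuid


def decode_policy(fields):
    """Return the signed policy document carried in the 'policy' form field."""
    return json.loads(base64.b64decode(fields["policy"]))


def size_limits(policy):
    """Find the content-length-range condition; None means size is unbounded."""
    for cond in policy["conditions"]:
        if isinstance(cond, list) and cond[0] == "content-length-range":
            return int(cond[1]), int(cond[2])
    return None


def build_upload(response, filename, data):
    """Build (content_type, body) for a presigned POST response."""
    limits = size_limits(decode_policy(response["fields"]))
    if limits and not limits[0] <= len(data) <= limits[1]:
        raise ValueError(f"file size {len(data)} outside signed range {limits}")
    boundary = uuid.uuid4().hex
    out = []
    for name, value in response["fields"].items():  # signed fields first
        out.append(f'--{boundary}\r\nContent-Disposition: form-data; '
                   f'name="{name}"\r\n\r\n{value}\r\n'.encode())
    # The file part must come last in an S3-style POST form.
    out.append(f'--{boundary}\r\nContent-Disposition: form-data; name="file"; '
               f'filename="{filename}"\r\n'
               f'Content-Type: application/octet-stream\r\n\r\n'.encode())
    out.append(data + f'\r\n--{boundary}--\r\n'.encode())
    return f'multipart/form-data; boundary={boundary}', b''.join(out)


# Constructed response with the same shape as the output above (fake values).
_policy = {"expiration": "2030-01-01T00:00:00Z",
           "conditions": [["content-length-range", 1, 1048579],
                          {"bucket": "your-bucket-name"},
                          {"key": "uploads/image.jpg"}]}
SAMPLE_RESPONSE = {
    "url": "https://your-bucket-name.s3.wasabisys.com/",
    "fields": {"key": "uploads/image.jpg", "AWSAccessKeyId": "EXAMPLEKEYID",
               "policy": base64.b64encode(json.dumps(_policy).encode()).decode(),
               "signature": "constructed-not-a-real-signature"}}
```

    The returned body is sent with an HTTP POST to the response's url, using the returned value as the Content-Type header.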

    Generating a pre-signed S3 URL for uploading an object in your application code with aws-sdk for Nodejs

    const AWS = require('aws-sdk'); // AWS SDK for JavaScript (v2)

    // Credentials are read from the SDK's default provider chain.
    const ep = new AWS.Endpoint('s3.wasabisys.com');
    const s3 = new AWS.S3({endpoint: ep});

    const presignedUpload = () => {
        const url = s3.getSignedUrl('putObject', {
            Bucket: 'izotope-test',
            Key: 'invoice.pdf', // filename
            ContentType: 'application/pdf', // the upload must send this same Content-Type
            ACL: 'bucket-owner-full-control',
            Expires: 100 // time to expire in seconds
        });
        console.log(url);
    };

    Generating a pre-signed S3 URL for uploading an object in your application code with AWS SDK for PHP (V2)

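    <?php
    require 'vendor/autoload.php';

    use Aws\S3\S3Client;

    $s3 = new S3Client([
        'endpoint' => 'https://s3.wasabisys.com',
        'region' => 'us-east-1',
        'version' => 'latest',
        'credentials' => array(
            'key' => 'XXXX',    // your Wasabi access key
            'secret' => 'XXXX', // your Wasabi secret key
        )
    ]);

    // Pre-sign a GetObject request for one object.
    $cmd = $s3->getCommand('GetObject', [
        'Bucket' => 'yourbucket',
        'Key' => 'hYTYRT56.mp3',
    ]);

    // The URL stops working 20 minutes after it is generated.
    $request = $s3->createPresignedRequest($cmd, '+20 minutes');
    $presignedUrl = (string)$request->getUri();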

    ------------

    Please note: Pre-signed URLs that are authenticated with an IAM user are valid for a maximum of 7 days.

    These examples discuss the use of Wasabi's us-east-1 storage region. To use other Wasabi storage regions, please use the appropriate Wasabi service URL as described in this article.