Generating Secure S3 GET Presigned URLs with the AWS SDK in Python

Content level: Intermediate

This guide demonstrates how to generate Amazon S3 GET presigned URLs using Python. These URLs allow temporary, secure access for users to download files from an S3 bucket without needing AWS credentials. Follow the steps below to set up and use a Python script for generating GET presigned URLs.

Prerequisites

  • Python 3.x installed
  • AWS credentials configured in ~/.aws/credentials

  1. Install Python 3 and Required Packages (the script below imports boto3, so that package must be installed as well):

    sudo yum install python3 -y
  2. Configure AWS Credentials:

    • Ensure credentials are set up in ~/.aws/credentials.
    • Adhere to AWS authentication best practices for security.

Step 1: Create the Python Script

This Python script generates a GET presigned URL for downloading files from an S3 bucket. It uses the AWS SDK to create a temporary link that can be shared with others.

  1. Create and Configure the Script:

    vim get-only-url.py
    chmod +x get-only-url.py
  2. Python Code: Save the following as get-only-url.py:

    import argparse
    import boto3
    from botocore.exceptions import ClientError
    
    def generate_presigned_url(s3_client, client_method, method_parameters, expires_in):
        """
        Generate a presigned Amazon S3 URL that can be used to perform an action.
        
        :param s3_client: A Boto3 Amazon S3 client.
        :param client_method: The name of the client method that the URL performs.
        :param method_parameters: The parameters of the specified client method.
        :param expires_in: The number of seconds the presigned URL is valid for.
        :return: The presigned URL.
        """
        try:
            url = s3_client.generate_presigned_url(
                ClientMethod=client_method,
                Params=method_parameters,
                ExpiresIn=expires_in
            )
        except ClientError:
            print(f"Couldn't get a presigned URL for client method '{client_method}'.")
            raise
        return url
    
    def main():
        parser = argparse.ArgumentParser()
        parser.add_argument("bucket", help="The name of the bucket.")
        parser.add_argument("key", help="The key (path and filename) in the S3 bucket.")
        args = parser.parse_args()
        
        # By default, this will use credentials from ~/.aws/credentials
        s3_client = boto3.client("s3")
        
        # The presigned URL is specified to expire in 1000 seconds
        url = generate_presigned_url(
            s3_client,
            "get_object",  # Specifies the GET operation for downloading
            {"Bucket": args.bucket, "Key": args.key},
            1000
        )
        print(f"Generated GET presigned URL: {url}")
    
    if __name__ == "__main__":
        main()

Step 2: Generate the Presigned URL

Run the script with your bucket name and object key to generate a presigned URL for downloading a file.

Command:

python3 get-only-url.py <bucket-name> <object-key>

Example:

python3 get-only-url.py bucket-name example-file.jpg

Output: The script will display a presigned URL valid for 1000 seconds (approximately 16.7 minutes). For example:

Generated GET presigned URL: https://bucket-name.s3.amazonaws.com/example-file.jpg?AWSAccessKeyId=***&Signature=***&Expires=***

Step 3: Use the Presigned URL

Share the generated URL with others, who can use it to download the file directly from S3. The URL can be accessed via a web browser or a tool like curl.

Command (using curl):

curl "generated-presigned-url" -o "local-filename"

Example:

curl "https://bucket-name.s3.amazonaws.com/example-file.jpg?AWSAccessKeyId=***&Signature=***&Expires=***" -o "example-file.jpg"

Alternatively, users can paste the URL into a browser to download the file manually.


Important Notes

  1. The presigned URL expires after the specified time (1000 seconds in this example).
  2. Ensure the file exists in the specified S3 bucket and the object key matches the file’s location.
  3. Verify that your AWS credentials have permission to generate presigned URLs and access the S3 object.
  4. The URL itself grants access: anyone who has it can download the object until it expires, so share it over a secure channel and avoid exposing it publicly unless intended.
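
A way to check notes 1 and 4 on a URL you have already generated, as an added example that is not part of the original article: it reads the expiry time from the query string and masks the signer and signature values before the URL is written to a log. It goes beyond the output shown above by also handling the X-Amz-* (Signature Version 4) query style that boto3 can emit; the sample URLs and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample URLs (fake key id and signature), one per query style.
SAMPLE_V2 = ("https://bucket-name.s3.amazonaws.com/example-file.jpg"
             "?AWSAccessKeyId=AKIAEXAMPLEKEYID&Signature=c2lnbmF0dXJl&Expires=1700001000")
SAMPLE_V4 = ("https://bucket-name.s3.amazonaws.com/example-file.jpg"
             "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
             "&X-Amz-Credential=AKIAEXAMPLEKEYID%2F20231114%2Fus-east-1%2Fs3%2Faws4_request"
             "&X-Amz-Date=20231114T221320Z&X-Amz-Expires=1000"
             "&X-Amz-SignedHeaders=host&X-Amz-Signature=0123abcd")

# Query parameters that identify the signer or carry the signature.
SENSITIVE = {"awsaccesskeyid", "signature", "x-amz-credential",
             "x-amz-signature", "x-amz-security-token"}

def expiry_of(url):
    """Return the UTC time at which a presigned S3 URL stops working."""
    q = {k.lower(): v for k, v in parse_qsl(urlsplit(url).query)}
    if "expires" in q:  # older style: absolute Unix timestamp
        return datetime.fromtimestamp(int(q["expires"]), tz=timezone.utc)
    if "x-amz-date" in q and "x-amz-expires" in q:  # SigV4: signing time + lifetime
        signed = datetime.strptime(q["x-amz-date"], "%Y%m%dT%H%M%SZ")
        return signed.replace(tzinfo=timezone.utc) + timedelta(seconds=int(q["x-amz-expires"]))
    raise ValueError("no expiry parameters: not a presigned URL")

def seconds_left(url, now=None):
    """Remaining lifetime in seconds (0 once expired)."""
    now = now or datetime.now(timezone.utc)
    return max(0, int((expiry_of(url) - now).total_seconds()))

def redact(url):
    """Mask signer and signature values so the URL can be written to logs."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))

if __name__ == "__main__":
    for sample in (SAMPLE_V2, SAMPLE_V4):
        print(expiry_of(sample).isoformat(), seconds_left(sample), redact(sample))
```

Log the output of redact() rather than the raw URL, and refuse to hand out a URL whose seconds_left() is already 0.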
