
Is there a way to pass user-specific details (such as user ID or email) when generating the presigned URL to view file in S3?

0

We have a setup where users can view files stored in S3 by calling a backend API that generates a presigned URL for the file. This presigned URL is generated using an S3 Object Lambda Access Point. When the user accesses the file via the presigned URL, the Object Lambda is triggered to apply masking for PII entities.

Currently, the PII masking logic is based on a hardcoded JSON configuration. However, we want to make this dynamic based on the user requesting the file. For example, the type or level of masking should depend on the specific user’s permissions.

I’m looking for a way to include some unique identifier (e.g., email, user ID, or any other user-specific data) in the presigned URL or request so that the Object Lambda can retrieve user details dynamically and apply the appropriate masking.

Is there a way to pass user-specific details (such as user ID or email) when generating the presigned URL?

asked 13 days ago, 32 views
2 Answers
0

There are several ways to do this. I prefer to work with JSON Web Tokens.

var token = GenerateJwtToken(user);
presignedUrl = presignedUrl + "&token=" + token;

More on this here: https://jwt.io/

EXPERT
answered 12 days ago
  • Oops! That does not work for me.

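    Below is my code:

    import { GetObjectCommand, S3Client } from "@aws-sdk/client-s3";
    import { getSignedUrl } from "@aws-sdk/s3-request-presigner";

    const s3Client = new S3Client({});

    export const generatePresignedUrl = async (myKey: string, myBucketName: string) => {
      const command = new GetObjectCommand({
        Bucket: myBucketName,
        Key: myKey,
        ResponseContentDisposition: "inline;",
      });
      const presignedUrl = await getSignedUrl(s3Client, command, { expiresIn: 300 });

      // Extra parameter appended to the already-signed URL
      const urlWithParams = `${presignedUrl}&user=musthafa`;

      return urlWithParams;
    };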

    Whenever I append any additional parameters, it throws an InvalidSignature error. However, when I remove the additional parameters, it works as expected.
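Why the appended parameter breaks the signature, as an added example that is not part of the original thread: a SigV4 presigned URL signs a canonical query string containing every query parameter, so anything added or changed after signing makes the recomputed signature differ. The sketch models the signature computation only and makes no call to S3; the credentials are AWS's documentation example keys, the bucket, object and date are constructed, and `signature`, `presign` and `verify` are hypothetical helper names.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed sample values: AWS's documentation example keys, a made-up bucket and object.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION, SERVICE, AMZ_DATE = "us-east-1", "s3", "20240101T000000Z"
HOST, PATH = "example-bucket.s3.amazonaws.com", "/report.txt"
SCOPE = f"{AMZ_DATE[:8]}/{REGION}/{SERVICE}/aws4_request"


def enc(s):
    """URI-encode as SigV4 requires (everything except unreserved characters)."""
    return quote(s, safe="-_.~")


def signature(params):
    """SigV4 signature for a GET whose query string holds exactly `params`."""
    # Canonical query string: every parameter, encoded, sorted by name.
    query = "&".join(f"{k}={v}" for k, v in sorted((enc(k), enc(v)) for k, v in params.items()))
    canonical = "\n".join(["GET", PATH, query, f"host:{HOST}\n", "host", "UNSIGNED-PAYLOAD"])
    digest = hashlib.sha256(canonical.encode()).hexdigest()
    to_sign = "\n".join(["AWS4-HMAC-SHA256", AMZ_DATE, SCOPE, digest])
    key = ("AWS4" + SECRET_KEY).encode()
    for part in SCOPE.split("/"):  # date, region, service, "aws4_request"
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()


def presign(extra=None, expires=300):
    """Build a presigned URL; `extra` parameters are added before signing."""
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{ACCESS_KEY}/{SCOPE}",
        "X-Amz-Date": AMZ_DATE,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
        **(extra or {}),
    }
    query = "&".join(f"{enc(k)}={enc(v)}" for k, v in params.items())
    return f"https://{HOST}{PATH}?{query}&X-Amz-Signature={signature(params)}"


def verify(url):
    """Service-side check: recompute the signature from the query string received."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    claimed = params.pop("X-Amz-Signature", "")
    return hmac.compare_digest(claimed, signature(params))
```

`verify(presign() + "&user=musthafa")` returns False, while a value passed through `presign({"user": "musthafa"})` verifies and can no longer be altered by whoever holds the URL.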

0

When generating an S3 presigned URL, it's important to note that user-specific parameters cannot be directly passed. Instead, AWS S3 supports specific parameters that can be included in the presigned URL request. These allow for more granular control over object retrieval. They are:

Bucket, IfMatch, IfModifiedSince, IfNoneMatch, IfUnmodifiedSince, Key, Range, ResponseCacheControl, ResponseContentDisposition, ResponseContentEncoding, ResponseContentLanguage, ResponseContentType, ResponseExpires, VersionId, SSECustomerAlgorithm, SSECustomerKey, SSECustomerKeyMD5, RequestPayer, PartNumber, ExpectedBucketOwner

Here is sample code showing how to include these parameters in your presigned URL.

import boto3
from botocore.client import Config

# Get the service client with sigv4 configured
s3 = boto3.client('s3', config=Config(signature_version='s3v4'))

# Generate the URL
# URL expires in 3600 seconds
url = s3.generate_presigned_url(
    ClientMethod='get_object',
    Params={
        'Bucket': 'testbucket',
        'Key': 'TestFile.txt',
        'ResponseCacheControl': 'no-cache',
        'ResponseContentType': 'txt',
        'ResponseContentDisposition': 'example.txt'
    },
    ExpiresIn=3600
)

print(url)

You may be able to have this logic set up on the client side, where you would determine the permissions of the user and send the request to certain Lambda access points.

AWS
answered 7 days ago
