Signed URIs
The access control settings available is S3âs ACLs provide a powerful mechanism for sharing your S3 resources with third parties, however there are some situations where ACLs may not provide as much flexibility as you would wish. For example, you may have sensitive resources in S3 that you wish to make available to someone else, who is not a member of S3, but you are not prepared to make these resources public. Or you may wish to make a resource available for only a limited time.
To handle such scenarios, S3 includes a mechanism for creating preauthenticated request messages called signed URIs. A signed URI is authenticated in advance to perform an operation and can be used by anyone to access a resource in S3.
A signed URI looks like a standard S3 URI except that it includes three additional parameters:
- AWSAccessKeyId
The AWS Access Key of the account holder.
- Expires
This value indicates the time when the signed URI will expire, specified as the number of seconds since January 1, 1970. The URI will expire at this time and cannot be used afterwards.
- Signature
The signature value preauthenticates the request message.
Example 3-20 defines a method that generates a time-limited, signed URI.
Example 3-20. Generate signed URI: S3.rb
def sign_uri(method, expires, bucket_name, object_key='', opts={}) parameters = opts[:parameters] || [] headers = opts[:headers] || {} headers['Date'] = expires uri = generate_s3_uri(bucket_name, object_key, parameters) signature = generate_rest_signature(method, ...Get Programming Amazon Web Services now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
