The use of signed URLs is well documented on the web, and the AWS S3 documentation covers using signed URLs through the various SDKs, so this entry is purely an example use case in Python for quick reference (if only for myself!).
We’re using Python 2.7.6 with Boto3 1.3.1, and the AWS client tools.
For this walkthrough we’ll use the scenario of having private resources stored in S3 to which you want to grant temporary access. A real-world example of this might be a software site with downloadable content restricted to site members.
We’ll start off by creating a private S3 bucket (limited only to its creator and owner):
We’ll then upload an HTML file to the bucket, and leave this with the default private permissions as well.
If we now try to access the file in a browser using the link shown above, we should get an access denied message:
So we’re happy that the content is now private and restricted only to the bucket owner/creator.
What we’ll now do is create an IAM user that has read-only access to this bucket and its contents. We’ll do this with an inline policy. When creating the user, ensure you download/save the access key ID and secret access key, as we’ll need those later.
For reference, the policy content looks like this:
Once this is set, we’ll test access by configuring our AWS client credentials with this user’s access key ID and secret access key:
A quick test of the AWS S3 client shows us our privileges are set – the user has no visibility of other buckets, but can see the contents of dsdemobck:
Next, we’ll create a quick Python script to generate the signed URL, which by default will use the IAM user’s credentials from our configured profile.
This call will generate and output a signed URL for the HTML page which expires after 60 seconds.
You’ll notice that the access key ID is built into the output string. If we now copy and paste that URL into our browser, we should see the following:
Access to the content was granted successfully. To ensure the signed URL expires correctly, we simply wait for a minute and then reload the page:
So, by combining S3, IAM and a small amount of scripting, we now have the essentials of a framework for granting non-AWS account holders temporary access to restricted content.
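As an added example (not the script from the original post), the following Python 3 code builds the same kind of SigV4 presigned GET URL that boto3's generate_presigned_url produces, using only the standard library, so you can see why the access key ID appears in the URL while the secret never does, and how the 60-second expiry is encoded and checked. The bucket name comes from the walkthrough; the object key, region and credentials are constructed placeholders.

```python
# Added example, not the original post's script: SigV4 query-string presigning as
# boto3 does it, in pure Python 3 stdlib. Object key, region and credentials are
# constructed placeholders; the secret key never appears in the resulting URL.
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, urlsplit

def _sign(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def presign_get(bucket, key, access_key_id, secret_key, region, expires, now):
    """Return a presigned HTTPS GET URL valid for `expires` seconds from `now` (UTC)."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    scope = f"{date}/{region}/s3/aws4_request"
    host = f"{bucket}.s3.{region}.amazonaws.com"
    # These parameters are covered by the signature, so the expiry cannot be edited.
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key_id}/{scope}",  # key ID is public by design
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    canonical_query = "&".join(
        f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))
    canonical_request = "\n".join([
        "GET", "/" + quote(key, safe="/"), canonical_query,
        f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Signing key is derived from the secret via an HMAC chain; only the signature is exposed.
    k = _sign(("AWS4" + secret_key).encode(), date)
    for part in (region, "s3", "aws4_request"):
        k = _sign(k, part)
    signature = hmac.new(k, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}/{quote(key, safe='/')}?{canonical_query}&X-Amz-Signature={signature}"

def is_expired(url, now):
    """True once the URL's X-Amz-Date + X-Amz-Expires window has passed at `now` (UTC)."""
    q = parse_qs(urlsplit(url).query)
    issued = datetime.strptime(q["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    return now >= issued + timedelta(seconds=int(q["X-Amz-Expires"][0]))

if __name__ == "__main__":
    print(presign_get("dsdemobck", "index.html", "AKIAEXAMPLEKEYID", "EXAMPLE/SECRET/KEY",
                      "eu-west-1", 60, datetime.now(timezone.utc)))
```

Anyone holding the URL can fetch the object until the window elapses, and S3 evaluates the request with the signing user's permissions, so the read-only inline policy above is what bounds what a leaked URL can reach.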