2

I'm giving to a client a presigned url for put_object method:

Server:

s3_client = boto3.client('s3')
res = s3_client.generate_presigned_url('put_object', Params = {'Bucket': 'my-bucket', 'Key': 'filepath/inside-bucket/filename.json'}, ExpiresIn = 3600)

Now, if the client sends the presigned url back to the server, how can the server validate the url is valid (signature)?
Ideally I would like to call an s3 service function to do that.
As I see there is no way to generate presigned url for multiple methods (head_object + put_object)

My use case is:

  • client gets a presigned url from my server API with put_object permission.
  • client put_object to S3 using the presigned url.
  • client calls my server API with the presigned url + extra metadata
  • my server API stores the s3 key in DB with the extra metadata. The API should validate the s3 key exists (easy to extract from the presigned url), and to check the presigned url is valid (how?)

I know I can use lambda s3 trigger, but that will make the process async, more difficult to know when the object was handling we completed.

smac2020
  • 9,637
  • 4
  • 24
  • 38
user3599803
  • 6,435
  • 17
  • 69
  • 130

1 Answers1

2

The pre-signed URL simply includes a hashed signature of the parameters included with the request, signed with the Secret Key.

If you have the Secret Key of the Access Key shown in the request, you can create the hashed signature yourself and verify that the signature is correct (if the hashes match).

There is code available in: StackOverflow: AWS S3 presigned urls with boto3 - Signature mismatch

John Rotenstein
  • 241,921
  • 22
  • 380
  • 470