Signed URLs for private objects in Spaces

September 20, 2017 5.6k views
Ubuntu 16.04 Python
mikeckennedy
By:
mikeckennedy

Hi,

I currently have a set of files on S3 that are private. I need to temporarily generate a public, signed URL. This works with the boto API (see the code at the end). How can I do this programmatically with Spaces?

Code example:

conn = S3Connection(access_key, secret_key)

return conn.generate_url(
    expires_in=expiry_in_sec,
    method='GET',
    bucket=MediaService.__find_bucket_name_from_url(raw_url),
    key=MediaService.__find_path_from_url(raw_url),
    query_auth=True,
    force_http=(not https)
)

Does the S3 compatibility work for generate_url?

Thanks,
Michael

Log In to Comment
4 Answers
asb MOD September 21, 2017

Currently pre-signed URLs generated using the AWS v4 signature type are not supported. Unfortunately, v4 signatures are the default in most places, so this can cause some issues. Luckily, most clients allow you to override this.

Using boto3, you can configure your session to use the v2 signature type with:

import boto3
from botocore.client import Config

session = boto3.session.Session()

client = session.client('s3',
                        region_name='nyc3',
                        endpoint_url='https://nyc3.digitaloceanspaces.com',
                        aws_access_key_id='MYACCESSKEY',
                        aws_secret_access_key='MYSECRETKEY',
                        config=Config(signature_version='s3'))

(Passing s3 as the value for signature_version will force v3 signature. While v4 is the defualt, you can explicitly use it by passing s3v4.)

Then you can generate a functioning pre-signed url using:

url = client.generate_presigned_url(ClientMethod='get_object', 
                                    Params={'Bucket': 'my-bucket',
                                            'Key': 'my-object'},
                                    ExpiresIn=300)

Note the ExpiresIn argument. By default, pre-signed URLs will expire in an hour (3600 seconds). This example sets it to expire in 5 minutes. See the boto3 docs for more info.

Reply
  • mikeckennedy September 21, 2017

    Thanks. I appreciate the guidance! How do I set the duration of the signature in this variant?

    Best,
    Michael

    • asb MOD September 21, 2017

      @mikeckennedy No problem! I’ve updated the example to demonstrate that using the ExpiresIn argument. By default, the duration is 3600 seconds.

  • frusertwo February 22, 2019

    getting this output

    <Error>
    <Code>SignatureDoesNotMatch</Code>
    <RequestId>tx0000000000000d0e93945-005c703afd-2247df-sgp1a</RequestId>
    <HostId>2247df-sgp1a-sgp</HostId>
    </Error>

zeltiche April 27, 2018

Is AWS v4 signature supported now? (almost May 2018)

Is there a ruby example instead of python’s boto3?

Reply
  • mjc August 24, 2019

    Looks like v4 signatures are supported. I’ve successfully generated presigned URL and uploaded a file to Spaces with:
    aws.config.signatureVersion = 'v4'; in JavaScript aws-sdk module.

mikeckennedy November 15, 2017

That works perfect, thank you.

Reply
cloud659adf5b95 August 26, 2019

As of 26 August 2019 , aws-java-sdk-s3 version 1.11.616 works perfectly , no need to change anything

Reply
Have another answer? Share your knowledge.

Related