This projects aims to demonstrate how secure file sharing works with presigned URL and AWS . Learn what presigned URLs are, how they differ from regular URLs obtained after uploading files, and the advantages they offer.
A presigned URL is a time-limited URL that provides secure and temporary access to a specific resource, such as a file in an AWS S3 bucket. It is generated with cryptographic signatures, ensuring its authenticity and tamper-proof nature. Presigned URLs are commonly used for granting controlled access to files without exposing storage credentials.
STEP 1 : A user communicates to the server that they intend to upload a file.
STEP 2 : The server recognizes the user and assesses that the user is authorized to perform the upload. Then the server uses its own credentials to generate an S3 pre-signed URL for uploading an object with a predetermined name into a given S3 bucket.
STEP 3 : The user receives the pre-signed URL from the server.
STEP 4 : The user makes an HTTP request (PUT or POST) to the received pre-signed URL attaching the file to be uploaded as request payload. Once the request is completed the uploaded file will be available in S3.
STEP 1: The user requests the server the file myexpenses.csv.
STEP 2: The server recognizes the user and somehow verifies that they can have access to myexpenses.csv. Then the server uses its own credentials to generate an S3 pre-signed URL to get myexpenses.csv.
STEP 3: The user receives the pre-signed URL from the server.
STEP 4: The user makes an HTTP request (GET) to the received pre-signed URL to download the file directly from S3.
This is probably the most common kind of pre-signed URL that you will see in the wild. As we discussed before, you can use GET pre-signed URLs to allow a user to download a specific object from an S3 bucket without needing them to have valid AWS credentials or to use the AWS SDK. One way to generate this kind of URL is by using the AWS CLI.
Pre-signed PUT URLs can be used to authenticate uploads to S3. These are called PUT requests because they are built on top of regular HTTP PUT requests.
It’s important to appreciate that the server never talks directly to S3. It can generate the pre-signed URLs autonomously by using its own set of AWS credentials (for example the server could be an EC2 instance with an IAM instance profile). In other words, the server does not need to talk with S3 (or other AWS services) to be able to generate a pre-signed URL. For this reason, the URL is validated by AWS at request time (i.e. when a user actually makes an HTTP call with that URL). AWS will consider this request as if it was performed by the entity that generate the pre-signed URL in the first place. So, if the server is not authorized to perform actions on the given bucket, the user will see a permission error when trying to use the generated URL.
Follow these steps to use the Presigned URL Generator:
- Clone the repository:
git clone https://github.com/yourusername/presigned-url-generator.git - Install dependencies:
npm install - Configure AWS credentials: Set up your AWS credentials using the AWS CLI or environment variables.
- Run the generator:
node generate-presigned-url.js
Contributions are welcome! If you have improvements or additional features to suggest, please open an issue or submit a pull request.