Self-destructing Download Links for Amazon S3 Files

Apr 12, 2014

If you store files on S3, sharing them with someone who doesn't have access can be a little painful. One way to do it is to temporarily make the file public, but then you need to remember to make it private again after the other person has downloaded it.

The AWS docs explain a way to pre-sign a link that will be usable only for a short time, and only for the specific file. This is a pretty cool mechanism. It's almost like a "this message will self-destruct in 10 seconds". Here's a quote from the AWS docs about the idea:

All objects by default are private. Only the object owner has permission to access these objects. However, the object owner can optionally share objects with others by creating a pre-signed URL, using their own security credentials, to grant time-limited permission to download the objects.

I recently wrote a little command line tool to make generating these links as easy as possible. The name is suuuper creative: s3url. You can find it on GitHub.

Using s3url

First, you need your AWS credentials, the access key ID and the secret access key. I place these in my .profile and export them:

export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

Then, I upload the file I want to share, using the AWS S3 command line interface:

$ aws s3 cp path/to/file.txt s3://my-bucket/file.txt
upload: path/to/file.txt to s3://my-bucket/file.txt

The destination of that cp command can be given to s3url, and it will generate a signed URL for that object:

$ s3url s3://my-bucket/file.txt
https://my-bucket.s3.amazonaws.com/file.txt?Signature=d3HZ5yFfR6a%2FXfSHdZ%2B%2FI6kWENU%3D&Expires=1397391353&AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE

By default, the URL will last for 24 hours. If you want to change the expiration time, add an -e argument:

$ s3url -e 15m s3://my-bucket/file.txt
https://my-bucket.s3.amazonaws.com/file.txt?Signature=gatuFFnQhXO2%2BUE8GZvGzFmU%2BOU%3D&Expires=1397306075&AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE
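The Signature, Expires and AWSAccessKeyId parameters in these URLs are the S3 Signature Version 2 query-string format. The sketch below is an added example, not s3url's own code: it shows how such a signature is derived and why changing the object path or the expiry invalidates it. The credentials are constructed demo values, and check() is a hypothetical stand-in for the validation the service performs.

```python
import base64, hashlib, hmac, time
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Constructed demo credentials, not real keys.
ACCESS_KEY = "AKIADEMOONLY"
SECRET = "constructed-demo-secret"

def sign(secret, method, resource, expires):
    """Base64(HMAC-SHA1(secret, StringToSign)) for S3 SigV2 query-string auth."""
    # Verb, Content-MD5 (empty), Content-Type (empty), Expires, resource path.
    string_to_sign = f"{method}\n\n\n{expires}\n{resource}"
    mac = hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def presign(access_key, secret, bucket, key, ttl, now=None):
    """Build a GET URL valid for ttl seconds from now (epoch seconds)."""
    expires = int(time.time() if now is None else now) + ttl
    path = "/" + quote(key)
    sig = sign(secret, "GET", f"/{bucket}{path}", expires)
    query = urlencode({"Signature": sig, "Expires": expires,
                       "AWSAccessKeyId": access_key})
    return f"https://{bucket}.s3.amazonaws.com{path}?{query}"

def check(url, secret, now=None):
    """Service-side view: recompute the signature, then enforce the expiry."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    bucket = parts.hostname.split(".s3.")[0]
    expires = int(params["Expires"][0])
    expected = sign(secret, "GET", f"/{bucket}{parts.path}", expires)
    if not hmac.compare_digest(expected, params["Signature"][0]):
        return "bad-signature"
    if (time.time() if now is None else now) > expires:
        return "expired"
    return "ok"

if __name__ == "__main__":
    url = presign(ACCESS_KEY, SECRET, "my-bucket", "file.txt", ttl=15 * 60)
    print(url)
    print(check(url, SECRET))                                   # ok
    print(check(url.replace("file.txt", "other.txt"), SECRET))  # bad-signature
```

The secret key never appears in the URL, only the access key ID does, but the URL itself works for anyone who holds it until the expiry passes, so keep the lifetime short and send it over a channel you trust.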

It's available on PyPI, so installing it is as easy as:

$ pip install s3url

Check out the README for more details.