JAR.JAR.beans

Reputation: 10006

Amazon S3 secure URL at the bucket level

I want to be able to serve URLs to clients that are "signed" and so are only relevant for 24 hours (for example). However, I don't want to call S3 for every URL generated:

AWS::S3::S3Object.new(bucket, name).url_for(:read, :secure => true, :expires => expires_in).to_s

Instead, I want to generate the URL by myself (I have the file name and the bucket link, I can build it myself).

However, I want to sign the URL at the bucket level (say, once a day for all the files in a given bucket). Is this possible?

Upvotes: 3

Views: 437

Answers (2)

Dan Ciborowski - MSFT

Reputation: 7207

Sorry, I do not have Ruby code for this, only Java...

But you will not be able to get a presigned URL for the whole bucket, only each file.

Here is the function I created. This will print everything for you. Does the process make sense?

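import java.net.URI;
import java.net.URISyntaxException;
import java.util.Date;
import com.amazonaws.HttpMethod;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.services.s3.AmazonS3Client;
import com.amazonaws.services.s3.model.GeneratePresignedUrlRequest;
import com.amazonaws.services.s3.model.S3ObjectSummary;
// Helper not shown in the answer; assumed here to return "now + 24 hours".
private static Date GetExperation() { return new Date(System.currentTimeMillis() + 24L * 60 * 60 * 1000); }

// Signs a GET URL for a single object; the SDK computes the signature locally.
private static URI GetURL(AmazonS3Client amazonS3Client, S3ObjectSummary s3ObjectSummary) {
    try {
        return amazonS3Client.generatePresignedUrl(
                new GeneratePresignedUrlRequest(s3ObjectSummary.getBucketName(), s3ObjectSummary.getKey())
                .withMethod(HttpMethod.GET)
                .withExpiration(GetExperation())).toURI();
    } catch (URISyntaxException e) {
        throw new IllegalStateException(e); // the forEach lambda below cannot throw a checked exception
    }
}

// Lists the bucket (one call to S3) and prints a presigned URL for each object.
public static void run(String accessKey, String secretKey, String bucketName) {
    AmazonS3Client amazonS3Client = new AmazonS3Client(new BasicAWSCredentials(accessKey, secretKey));
    amazonS3Client.listObjects(bucketName)
            .getObjectSummaries()
            .stream()
            .forEach(s3ObjectSummary
                    -> System.out.println(GetURL(amazonS3Client, s3ObjectSummary).toString()));
}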

Upvotes: 0

Julio Faerman

Reputation: 13501

When you create a pre-signed URL, that is done completely locally. You could do it "by yourself", but it is much easier to use the SDK, and there would be no practical differences. See that there is no "sign" action on the S3 API.

However, you cannot sign at the "bucket level", as the signature is checked per-object. I believe signing a whole bucket would not be feasible.

Upvotes: 3
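To illustrate the two points in the answer above (signing is a local computation, and the signature is bound to one object), here is an added example that is not part of either answer. It builds a Signature Version 4 query-string URL using only Ruby's OpenSSL. The bucket, object keys, region and credentials are constructed placeholders, and `presign_get` and `signing_key` are names chosen for this example.

```ruby
require 'openssl'

ALGO = 'AWS4-HMAC-SHA256'

# RFC 3986 percent-encoding as SigV4 requires (only A-Z a-z 0-9 - . _ ~ stay literal).
def uri_encode(str)
  str.to_s.b.gsub(/[^A-Za-z0-9\-._~]/) { |c| format('%%%02X', c.ord) }
end

def hmac(key, data)
  OpenSSL::HMAC.digest('sha256', key, data)
end

# Depends only on secret, day, region and service, so it can be derived once
# per day and reused for every object. It is a key, not a URL signature.
def signing_key(secret, day, region)
  %W[#{day} #{region} s3 aws4_request].reduce("AWS4#{secret}") { |k, part| hmac(k, part) }
end

# Builds a presigned GET URL with no call to S3. The object path is part of
# the signed canonical request, so each object gets its own signature.
def presign_get(day_key:, bucket:, object_key:, access_key:, region:, now:, expires: 86_400)
  stamp = now.utc.strftime('%Y%m%dT%H%M%SZ')
  scope = "#{stamp[0, 8]}/#{region}/s3/aws4_request"
  host  = "#{bucket}.s3.#{region}.amazonaws.com"
  path  = '/' + object_key.split('/', -1).map { |seg| uri_encode(seg) }.join('/')
  query = {
    'X-Amz-Algorithm' => ALGO,
    'X-Amz-Credential' => "#{access_key}/#{scope}",
    'X-Amz-Date' => stamp,
    'X-Amz-Expires' => expires,
    'X-Amz-SignedHeaders' => 'host'
  }.sort.map { |k, v| "#{uri_encode(k)}=#{uri_encode(v)}" }.join('&')
  canonical = ['GET', path, query, "host:#{host}", '', 'host', 'UNSIGNED-PAYLOAD'].join("\n")
  to_sign = [ALGO, stamp, scope, OpenSSL::Digest::SHA256.hexdigest(canonical)].join("\n")
  "https://#{host}#{path}?#{query}&X-Amz-Signature=#{hmac(day_key, to_sign).unpack1('H*')}"
end

# Constructed credentials and names; not real values.
DAY_KEY = signing_key('EXAMPLE-SECRET-NOT-REAL', '20240101', 'us-east-1')
COMMON  = { day_key: DAY_KEY, bucket: 'example-bucket', access_key: 'AKIAEXAMPLE',
            region: 'us-east-1', now: Time.utc(2024, 1, 1, 12, 0, 0) }
URL_A = presign_get(object_key: 'reports/a.pdf', **COMMON)
URL_B = presign_get(object_key: 'reports/b.pdf', **COMMON)
puts URL_A, URL_B
```

The two printed URLs share every query parameter except `X-Amz-Signature`, so a signature issued for one object cannot be moved to another path in the bucket.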
