-
Notifications
You must be signed in to change notification settings - Fork 4.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support generation of signed URL's for S3 access #462
Comments
Yeah I think this would be a great feature. I'm thinking this would be a new s3 subcommand? I've been working on some internal changes to the s3 command code to make it easier to add subcommands. I've been using this to start to refactor the Not entirely done yet, but here's what I have so far: |
Yes, this I was looking for. Please, allow to specify expiration not only by duration, but also by a specific datetime. Requiring UTC timezone, ISO format, full seconds, the string ending with "Z" seems to me well usable (e.g. "2014-05-30T00:00:00Z"). |
In case, you really need to generate tmpurl from command line, I could recommend my command line tool s3tmpgen Anyway, I would really invite such functionality in AWS CLI, which became valuable tool for my daily work with AWS S3. |
+1 |
+1 I'm looking to use S3 to host code bundles to deployed to Heroku and this would be an awesome feature :) https://blog.heroku.com/archives/2014/5/22/introducing_the_app_json_application_manifest |
+1 |
+1 would be great to have this in AWS CLI |
Just a note for anyone who ends up here, you can do this yourself trivially by reaching down into the |
Thanks for the feedback. I'll take a look at this, I agree that this would be a great feature to add to the AWS CLI. |
Thanks, @johnboxall. Boto is certainly an option, though for folks deploying the cli binary without native Python deployments (think Windows users), going that route is just as much work as pulling down the PowerShell SDK and doing things via the .NET SDK. Would still like to see this native in the CLI. 😁 |
Just for anyone looking to use boto directly for now until this is added to aws-cli I figured I would add a quick sample instruction. I've now went looking for this a couple of times and would rather have it along with this ticket and @johnboxall comment. This may be extremely obvious for some, but not for non-python devs On a box which already has python installed
|
Building on @isleshocky77's example... adding arguments and minor error checking: Script
Example usage and help
|
Hi all Still looking forward to replace this with awscli solution. |
👍 |
+1 for s3 signed url to be part of cli |
👍 |
1 similar comment
+1 |
I think, I understand, why it takes so long time: things must happen in order and good thing is, it looks like being on the roadmap. As AWS CLI is based on Pull request boto/botocore#504 was already merged into branch |
Yep once the clients-only branch gets merged into botocore, we will be able to pick up the generation of signed url's in the CLI. Then, the main amount of work that would have to be done on the CLI side is to create a good API that exposes the feature. |
boto/botocore#291 was already closed on 23 Jun: "The feature is currently available in botocore." |
👍 would be a handy feature indeed |
+1 |
As @kyleknap noted, one of things to do is to design good API for this feature. I see following use cases:
The "tmpGET" is really easy as the only output is url and the only input is bucket/key and expiration The "tmpPOST" is much more complex as one has to define a policy for posting. One question to resolve is, where to put these actions, there seem to be two alternatives:
I will not deal today with the more complex "tmpPOST" and will focus on simpler "tmpGET" Quick solution: add
|
Very nicely put there. Whereas a post is something that would almost certainly be built around some server side handling of the posted data, the get method use cases are usually quite a lot easier. When you say that would cover most use cases, I would strongly agree. |
I meant to add though, I don't think the temp URL should have anything to do with locating the files on s3. If somebody wants to generate entire sets of signed URLs, that's logic the cli doesn't need to do more to wrap. The tmpurl primitive is the minimum viable product in my mind . |
Fixes aws#462 DONE * generate pre-signed URL for uploading/getting s3 objects TODO * high-level APIs * tests * example document
I've implemented(not fully) pre-sgined URL for s3 objects in my local branch. https://github.com/quiver/aws-cli/tree/s3-presigned-url This is a thin-wrapper for One thing I note is that Usageupload objects to S3
get objects from S3
|
The above python generates a url like: 'https://.s3.amazonaws.com/dir/dir/file When I attempt to curl the file, I get SSL certificate problem: Invalid certificate chain eg: 'https://s3-us-west-1.amazonaws.com/bucket/dir/dir/file' Update, using boto3 was able to generate the correctly signed url. |
+1 |
Impressive - in 3 years official CLI tool did not get support for signed url implemented, allthough it exists in boto and s3cmd |
1+ |
+1 |
1 similar comment
+1 |
Any update on this? Surprised this isn't available yet. |
+1 |
I wrote one up as a workaround and works as expected: https://github.com/gdbtek/aws-tools |
Hi everyone, thanks for the feedback. This something that is on our backlog. I don't have exact dates yet, but I'll link to this issue once we have a pull request up. |
Great! Thanx! |
Is it possible to get a presigned url to an entire s3 folder? Including a web interface to navigate through the folder? |
@tommeda Not possible. pre-signed url is always related to single stored object. What you talk about is similar to static web site but to control access to it (if based on AWS S3), one has to write some proxy. Few attempts already exists, none seemed to me (researched about a year ago) easy peasy. |
You could always generate a webpage that provided an interface to and included pre signed urls for each object, and then put the interface into s3 and return a pre signed url to the interface. Not exactly easy peasy, and the interface would like be usage specific |
No description provided.
The text was updated successfully, but these errors were encountered: