I want to create a so-called "pre-signed" URL for uploading a particular object (PUT) to an Amazon S3 bucket.
So far so good. I am using the Python library boto to create a URL that contains all the necessary stuff (expires, signature and so on). The URL looks like this:
https://<bucketname>.s3.amazonaws.com/<key>?Signature=<sig>&Expires=<expires>&AWSAccessKeyId=<my key id>&x-amz-acl=public-read
Note the last parameter.
This, at least as I understand it, limits whoever uses this URL to uploading an object to a particular key in a particular bucket, and also limits the canned ACL that will be set on the object to "public-read".
My last statement is quite incorrect though.
As it turns out, if you are using this URL, you can do the following with the x-amz-acl header (as opposed to the query string parameter with the same name, that you must set for the signature check to succeed):
So it seems that, with x-amz-acl=public-read in the query string, you can set the x-amz-acl header to authenticated-read and, instead of a publicly readable object, get an object that can only be read by authenticated users.
What is the real relation between the x-amz-acl QS parameter and the header that goes by the same name? Is there a way to restrict permissions on the object that is to be uploaded via a PUT request to a so-called "pre-signed" URL?
As I understand it (and I might be wrong here), the header x-amz-acl takes priority over the querystring argument--and they do serve the same purpose. The reason that only the querystring parameter is taken into account during the signature check is simply due to the fact that headers are not part of the signature check for the policy.
This page might help you; it helped me a lot when creating forms to upload directly to S3.
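An added example, not from either post and not boto code: one way to bind the ACL to a pre-signed PUT is to list x-amz-acl among the signed headers of a Signature Version 4 URL, a different scheme from the Signature/Expires/AWSAccessKeyId URL in the question. The credentials, bucket, key and date are constructed, and `accepts` is a hypothetical stand-in for the server-side recomputation.

```python
import hashlib
import hmac
from urllib.parse import quote

def _enc(s, safe=""):
    return quote(s, safe=safe + "-_.~")

def signature(secret, host, key, query, acl, region="us-east-1"):
    """SigV4 signature for a pre-signed PUT whose signed headers are host and x-amz-acl."""
    amz_date = query["X-Amz-Date"]
    canonical_request = "\n".join([
        "PUT",
        "/" + _enc(key, "/"),
        "&".join(f"{_enc(k)}={_enc(v)}" for k, v in sorted(query.items())),
        f"host:{host}\nx-amz-acl:{acl.strip()}\n",   # the ACL header value is signed here
        "host;x-amz-acl",
        "UNSIGNED-PAYLOAD",
    ])
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    k = ("AWS4" + secret).encode()
    for part in scope.split("/"):                     # date, region, service, terminator
        k = hmac.new(k, part.encode(), hashlib.sha256).digest()
    return hmac.new(k, string_to_sign.encode(), hashlib.sha256).hexdigest()

def presign_put(access_key, secret, bucket, key, acl, amz_date, expires=300, region="us-east-1"):
    """Return (url, query, sig) for a PUT that is only valid with x-amz-acl == acl."""
    host = f"{bucket}.s3.amazonaws.com"
    query = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host;x-amz-acl",
    }
    sig = signature(secret, host, key, query, acl, region)
    qs = "&".join(f"{_enc(k)}={_enc(v)}" for k, v in sorted(query.items()))
    return f"https://{host}/{_enc(key, '/')}?{qs}&X-Amz-Signature={sig}", query, sig

def accepts(secret, host, key, query, sig, sent_acl):
    """Server-side view: recompute with the header the uploader actually sent."""
    return hmac.compare_digest(signature(secret, host, key, query, sent_acl), sig)

# Constructed credentials and names, for illustration only.
SECRET = "example-secret-not-real"
URL, QUERY, SIG = presign_put("AKIDEXAMPLE", SECRET, "example-bucket",
                              "uploads/report.pdf", "public-read", "20240101T000000Z")
HOST = "example-bucket.s3.amazonaws.com"
```

With a URL built this way the uploader has to send `x-amz-acl: public-read` as a request header; a PUT carrying any other value for that header no longer matches the signature.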