I'm hosting files on Amazon S3 that I want to make accessible using pre-signed urls.
For simple GET requests this works perfectly. There are some clients, however, that perform a HEAD request first (to retrieve the file size). Since the signature in the URL includes the HTTP verb (GET vs HEAD), the HEAD request fails.
The client simply does:
HEAD http://(bucketname).s3.amazonaws.com/filename?AWSAccessKeyId=(mykey)&Expires=(timestamp)&Signature=(sig)
GET http://(bucketname).s3.amazonaws.com/filename?AWSAccessKeyId=(mykey)&Expires=(timestamp)&Signature=(sig)
I cannot change the clients to use a different url for head and get. Is there a way to make amazon use a signature that accepts both HEAD and GET for the same resource?
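Why the HEAD fails, shown as an added example (this is not code from the question or from any of the answers): a pure-Python re-implementation of the legacy S3 query-string signing scheme the URLs above use (AWSAccessKeyId/Expires/Signature, SigV2), together with the check S3 performs when such a URL is presented. The HTTP verb is the first line of the string to sign, so a signature minted for GET cannot validate a HEAD. The bucket, key, expiry and credentials are constructed for the demonstration (the credentials are the placeholder values from AWS's own documentation, not live keys).

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote, unquote, urlparse

# Constructed credentials for the demo: AWS documentation placeholders, not real keys.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"


def string_to_sign(method, bucket, key, expires):
    """Legacy (SigV2) query-string auth string to sign.

    Line order: HTTP verb, Content-MD5, Content-Type, Expires, canonicalized
    x-amz-* headers (none here), canonicalized resource. The verb is the very
    first line, which is why a GET-signed URL is rejected when sent as HEAD.
    """
    return f"{method}\n\n\n{expires}\n/{bucket}/{key}"


def signature(secret, sts):
    """Base64(HMAC-SHA1(secret, string_to_sign)), as SigV2 specifies."""
    mac = hmac.new(secret.encode("utf-8"), sts.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def presign_v2(method, bucket, key, expires, access_key=ACCESS_KEY, secret=SECRET_KEY):
    """Build a URL of the same shape as the ones in the question."""
    sig = signature(secret, string_to_sign(method, bucket, key, expires))
    return (
        f"https://{bucket}.s3.amazonaws.com/{quote(key)}"
        f"?AWSAccessKeyId={access_key}&Expires={expires}&Signature={quote(sig, safe='')}"
    )


def s3_accepts(url, method, secret=SECRET_KEY, now=None):
    """Replay the check S3 performs on the server side.

    S3 rebuilds the string to sign from the verb it actually received plus the
    resource and Expires from the URL, then compares HMACs. Any other verb, or
    any request after Expires, is refused (403 SignatureDoesNotMatch / expired).
    """
    parts = urlparse(url)
    bucket = parts.hostname.split(".")[0]
    key = unquote(parts.path.lstrip("/"))
    query = parse_qs(parts.query)
    expires = int(query["Expires"][0])
    if (time.time() if now is None else now) > expires:
        return False
    expected = signature(secret, string_to_sign(method, bucket, key, expires))
    return hmac.compare_digest(expected, query["Signature"][0])


if __name__ == "__main__":
    url = presign_v2("GET", "mybucket", "report.pdf", 2_000_000_000)
    print(url)
    print("GET accepted:", s3_accepts(url, "GET"))    # True
    print("HEAD accepted:", s3_accepts(url, "HEAD"))  # False
```

The same property holds for the current SigV4 presigned URLs: the request method is part of the canonical request that is hashed into the signature, so one URL is always bound to exactly one verb.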
A pre-signed URL grants temporary access to someone who has no permission to run the operation in your account directly. It is signed with your credentials, and anyone who holds the URL can use it until it expires, so the URL itself has to be treated as a bearer secret.
Pre-signed URLs are most often generated for a single S3 object, so that anyone with the URL can retrieve that object with a plain HTTP request. No AWS credentials are exposed to the recipient, and the signing options let you set an expiration on the URL (boto3, for example, defaults to one hour).
Using presigned URLs to perform other S3 operations: the main purpose of a presigned URL is to grant temporary access to an S3 object, but presigned URLs can also be generated for other operations on S3 buckets and objects. Each URL is bound to the single operation it was signed for.
You can also simulate the HEAD behavior with GET if you specify the Range header for the first byte only. The difference will be that you receive a 206 instead of a 200 code. Secondly, the full size will be in the Content-Range header.
curl -r 0-0 <URL>
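The Range trick from the answer above in code, added here as an example rather than taken from the answer: building the one-byte probe request and recovering the full object size from the response, including the cases the answer does not spell out (a server that ignores Range and answers 200 with the whole body, and an empty object, which answers 416). Reusing the GET-signed URL is safe under the legacy signature scheme shown in the question because Range is not one of its signing inputs (only the verb, Content-MD5, Content-Type, Expires, x-amz-* headers and the resource are). The sample responses at the bottom are constructed; remote_size is the only function that touches the network.

```python
import re
import urllib.error
import urllib.request

_PARTIAL = re.compile(r"^bytes (\d+)-(\d+)/(\d+|\*)$")   # Content-Range on a 206
_UNSATISFIABLE = re.compile(r"^bytes \*/(\d+)$")          # Content-Range on a 416


def probe_headers():
    """Headers for the size probe: ask for the first byte only."""
    return {"Range": "bytes=0-0"}


def size_from_probe(status, headers):
    """Full object size from the response to a GET with Range: bytes=0-0.

    `headers` is any mapping of header names to values; names are matched
    case-insensitively, so http.client.HTTPMessage works as well as a dict.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if status == 206:
        # Partial content: "Content-Range: bytes 0-0/<total>" carries the size.
        m = _PARTIAL.match(h.get("content-range", ""))
        if not m or m.group(3) == "*":
            raise ValueError("206 without a complete Content-Range")
        return int(m.group(3))
    if status == 200:
        # Server ignored Range and sent the entire object: size is Content-Length.
        if "content-length" not in h:
            raise ValueError("200 without Content-Length (chunked body)")
        return int(h["content-length"])
    if status == 416:
        # Byte 0 does not exist, i.e. the object is empty. Per RFC 7233 the 416
        # should carry "Content-Range: bytes */<size>".
        m = _UNSATISFIABLE.match(h.get("content-range", ""))
        if not m:
            raise ValueError("416 without Content-Range")
        return int(m.group(1))
    raise ValueError(f"unexpected status {status}")


def remote_size(url, timeout=10):
    """Run the probe against a real presigned URL (network; not used in the tests)."""
    req = urllib.request.Request(url, headers=probe_headers(), method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            # Closing the response discards the body, so a 200 does not force a
            # full download beyond what the connection has already buffered.
            return size_from_probe(resp.status, resp.headers)
    except urllib.error.HTTPError as err:
        # urllib raises on 4xx; a 416 for an empty object still carries the size,
        # while a 403 (wrong verb, expired URL) surfaces as ValueError here.
        return size_from_probe(err.code, err.headers)


# Constructed responses, shaped like what an S3 endpoint returns.
SAMPLE_206 = (206, {"Content-Range": "bytes 0-0/12345", "Content-Length": "1"})
SAMPLE_200 = (200, {"Content-Length": "12345"})
SAMPLE_416 = (416, {"Content-Range": "bytes */0"})

if __name__ == "__main__":
    for status, hdrs in (SAMPLE_206, SAMPLE_200, SAMPLE_416):
        print(status, "->", size_from_probe(status, hdrs))
```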
No. The HEAD and the GET need different signatures as there are subtle differences in the signature inputs.
Not sure what you're using to generate the pre-signed authentication URLs, but I know that some of the official AWS SDKs handle this, while others don't yet.
With the help of a friend, I found a solution that works for me: proxy the HEAD request on my server, and redirect for the GET request.
When a request comes in with a HEAD verb to get the file info, I use my S3 code on my server to get the HEAD info and then I send it back to the requestor myself.
When a request comes in with a GET verb to get the file itself, I do a 302 redirect with a pre-signed URL.
This works perfectly to handle both HEAD and GET without needing to pre-sign both. I only pre-sign the GET request for the actual file.
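The proxy-HEAD / redirect-GET layout described in that answer, as an added example and not the poster's own code: a small WSGI application in which the two S3 touch points are injected as callables so the request handling can be exercised offline. Both callables are hypothetical wrappers the reader supplies: head_object(key) returns the metadata fields of an S3 HeadObject response (ContentLength, ContentType, ETag, LastModified) or None when the key is missing, and presign_get(key) returns a presigned GET URL for that key. The `/files/` prefix, the demo metadata and the demo URL are assumptions for the example.

```python
from urllib.parse import unquote


def make_app(head_object, presign_get, prefix="/files/"):
    """WSGI app: answer HEAD locally from S3 metadata, redirect GET to S3.

    head_object(key) -> dict of HeadObject fields, or None if the key is absent
                        (hypothetical wrapper around e.g. boto3 head_object).
    presign_get(key) -> presigned GET URL (hypothetical wrapper around e.g.
                        boto3 generate_presigned_url for get_object).
    Only GET ever needs a presigned URL; HEAD is served with the server's
    own credentials and never leaves this process.
    """

    def empty(start_response, status, extra=()):
        start_response(status, [("Content-Length", "0"), *extra])
        return [b""]

    def app(environ, start_response):
        method = environ["REQUEST_METHOD"].upper()
        path = unquote(environ.get("PATH_INFO", ""))
        if not path.startswith(prefix) or len(path) == len(prefix):
            return empty(start_response, "404 Not Found")
        key = path[len(prefix):]

        if method == "HEAD":
            meta = head_object(key)
            if meta is None:
                return empty(start_response, "404 Not Found")
            headers = [
                ("Content-Length", str(meta["ContentLength"])),
                ("Content-Type", meta.get("ContentType", "application/octet-stream")),
                ("Accept-Ranges", "bytes"),
            ]
            if "ETag" in meta:
                headers.append(("ETag", meta["ETag"]))
            if "LastModified" in meta:
                headers.append(("Last-Modified", meta["LastModified"]))
            start_response("200 OK", headers)
            return [b""]  # HEAD: headers only, exactly what S3 would have sent

        if method == "GET":
            # Short-lived signed URL: tell caches not to keep the redirect around.
            return empty(start_response, "302 Found",
                         [("Location", presign_get(key)), ("Cache-Control", "no-store")])

        # Never forward verbs this proxy did not intend to expose (PUT, DELETE, ...).
        return empty(start_response, "405 Method Not Allowed", [("Allow", "GET, HEAD")])

    return app


def call(app, method, path):
    """Invoke a WSGI app in-process; returns (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app({"REQUEST_METHOD": method, "PATH_INFO": path}, start_response))
    return captured["status"], captured["headers"], body


# Constructed demo metadata and presigned-URL shape (not a real bucket or signature).
DEMO_META = {"report.pdf": {"ContentLength": 12345, "ContentType": "application/pdf",
                            "ETag": '"d41d8cd98f00b204e9800998ecf8427e"'}}
demo_app = make_app(
    lambda key: DEMO_META.get(key),
    lambda key: f"https://mybucket.s3.amazonaws.com/{key}?AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE&Expires=2000000000&Signature=example",
)

if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, demo_app).serve_forever()
```

With this in front of the bucket, the client issues its usual HEAD-then-GET pair against one URL: the HEAD is answered with the object's size and type from a server-side HeadObject, the GET is bounced to a freshly signed S3 URL, and no URL ever has to be valid for two verbs.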