Sharing S3 Access via Presigned URLs

An S3 request URL can be presigned (appended) with security credentials of the user creating the URL. Users that have S3 access key pairs for VAST Cluster can generate presigned URLs to share temporary access with users who do not otherwise have access. A presigned URL expires at the end of the validity period specified when generating the URL. Objects created using a presigned URL do not expire.

With presigned URLs, authentication credentials of the current user are passed within the URL using query parameters. Including query parameters to authenticate requests is useful when you want to express a request entirely in a URL.

VAST Cluster lets you use presigned URLs to temporarily authorize users to perform the following operations:

  • Download an object

  • Upload an object by means of a PUT request

  • Delete an object

  • Upload an object by means of a POST request

Using a Presigned URL to Share an Object

The following example uses the AWS S3 CLI's presign command to generate a URL presigned with the credentials of the user that is currently signed in. This URL can be used to download an object via a GET request. The URL is valid for 300 seconds.

$ aws s3 presign s3://test-bucket/test-obj --endpoint-url http://vip1.vastdata.example.com --expires-in 300
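Before a presigned URL like this is shared, it can be checked for who signed it and when it expires. The following is an added example, not VAST or AWS code. It assumes the URL carries the standard AWS Signature Version 4 or Version 2 query parameters that the AWS CLI and Boto3 emit; the 15-minute maximum, the key ID and the signature in the sample are constructed.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

MAX_LIFETIME = timedelta(minutes=15)  # assumed local sharing policy, not a VAST limit


def inspect_presigned_url(url, now=None):
    """Return the signer, expiry time and policy findings for a presigned S3 URL."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    issued = None
    if "X-Amz-Signature" in q:  # Signature Version 4 query authentication
        # X-Amz-Credential = <access key id>/<date>/<region>/s3/aws4_request
        access_key = q["X-Amz-Credential"].split("/")[0]
        issued = datetime.strptime(
            q["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
        expires = issued + timedelta(seconds=int(q["X-Amz-Expires"]))
    elif "Signature" in q:  # Signature Version 2: Expires is an absolute epoch time
        access_key = q["AWSAccessKeyId"]
        expires = datetime.fromtimestamp(int(q["Expires"]), tz=timezone.utc)
    else:
        raise ValueError("no presigned-URL signature parameters found")

    findings = []
    if parts.scheme != "https":
        findings.append("sent in cleartext: anyone on the path can replay the URL")
    if expires <= now:
        findings.append("already expired")
    elif expires - (issued or now) > MAX_LIFETIME:
        findings.append("validity period exceeds policy maximum")
    return {"access_key": access_key, "expires": expires, "findings": findings}


# Constructed sample (fake key ID and signature) shaped like SigV4 presign output.
SAMPLE = (
    "http://vip1.vastdata.example.com/test-bucket/test-obj"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=EXAMPLEKEYID0000%2F20240101%2Fus-east-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20240101T120000Z&X-Amz-Expires=300"
    "&X-Amz-SignedHeaders=host&X-Amz-Signature=0000"
)

if __name__ == "__main__":
    report = inspect_presigned_url(
        SAMPLE, now=datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc))
    print(report["access_key"], report["expires"].isoformat(), report["findings"])
```

The URL itself is the credential for the signed request until it expires, so the findings apply to wherever the URL is logged or forwarded as well as to the network path.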

Using a Presigned URL for PUT Uploads

To generate a presigned URL that enables a user to upload an object via a PUT request, use an SDK such as the Boto3 client SDK with the generate_presigned_url method where ClientMethod is put_object.

The following example uses the Boto3 client SDK and the Python requests module to create a presigned PUT object URL:

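import requests
# s3_boto_connection.client is an existing Boto3 S3 client; ExpiresIn is omitted, so Boto3's default of 3600 seconds applies.
url = s3_boto_connection.client.generate_presigned_url(
    'put_object', Params={'Bucket': 'bucket', 'Key': 'obj1'})
res = requests.put(url, data=b'VAST Enough!!!')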

Using a Presigned URL for Object Deletion

The following example uses the Boto3 client SDK with the generate_presigned_url method where ClientMethod is delete_object to generate a presigned DELETE object URL:

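import requests
# s3_boto_connection.client is an existing Boto3 S3 client; ExpiresIn is omitted, so Boto3's default of 3600 seconds applies.
url = s3_boto_connection.client.generate_presigned_url(
    'delete_object', Params={'Bucket': 'bucket', 'Key': 'obj1'})
res = requests.delete(url)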

Using a Presigned URL for POST Uploads

A presigned POST request URL enables a client to make a direct upload to an S3 server using security credentials and other parameters received from a non-S3 server.

The presigned POST process flow is as follows:

  1. A client sends an upload request to a server, such as a web server (but not an S3 server).

  2. The server responds with a presigned URL and POST policy fields for the upload.

    The POST policy determines various upload parameters, such as content type, URL validity period, the action taken upon a successful upload, and so on. For a list of supported fields, see POST Policy Conditions.

  3. The client uses the presigned URL and field values to upload the object directly to the S3 server, without additional authentication required.

The presigned POST URL and the parameter fields can be incorporated in a web form from which users make uploads.

To generate a presigned POST request URL, use an SDK such as the Boto3 client SDK with the generate_presigned_post method, for example:

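import requests
# s3_boto_connection.client is an existing Boto3 S3 client.
# conditions is the list of POST policy conditions; files holds the file part of the form upload.
# The return value is a dict with the target 'url' and the form 'fields' to send with the upload.
url = s3_boto_connection.client.generate_presigned_post(
    Bucket='bucket',
    Key='obj1',
    Fields={'field1': 'value'},
    Conditions=conditions,
    ExpiresIn=600)
res = requests.post(url['url'], data=url['fields'], files=files)

POST Policy Conditions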

VAST Cluster supports the following POST policy conditions:

  • content-length-range

  • Cache-Control

  • Content-Type

  • Content-Disposition

  • Content-Encoding

  • Expires

  • success_action_redirect

  • redirect

  • success_action_status

  • x-amz-meta-*

  • x-amz-*

Note

A POST policy can be up to 4800 bytes.