Pre-signed URL

A pre-signed URL is a connection URL created by an authorized user so that unauthorized users can access restricted resources without sharing credentials.

An authorized user can generate a pre-signed URL and share it with unauthorized user to grant them access to an object. Pre-signed URLS are useful providing temporary access to protected resources to users without sharing credentials.

Pre-signed URLs have an expiry date. We recommend choosing an expiry date that is short enough to maintain security but long enough for users to retrieve the object from the pre-signed URL. Once a pre-signed URL is created, you cannot change its expiration time and permissions.

A pre-signed URL for DigitalOcean Spaces has GET parameters embedded for headers that begin with X-Amz-. These headers define parameters for the URL, like its credentials and expiration date.

When generating a pre-signed URL, you can set the following parameters:

• Bucket – bucket containing or will be containing the object
• Key – object’s name
• Expires – amount of time the URL is valid

To create a pre-signed URL for DigitalOcean Spaces using s3cmd you can use a command like the following. Substitute in the variables for your bucket.

aws s3 presign s3://your-space-name/your-object-key --expires-in 3600 --endpoint-url https://nyc3.digitaloceanspaces.com

You can add query parameters by specifying your pre-signed URL more specifically during or after it is created to control which resources are accessed. For example, when generating your pre-signed URL using AWS CLI, you can use the --response-content-type parameter to specify the Content-Type header for the response like this:

aws s3 presign s3://your-bucket-name/your-object-key --response-content-type text/plain

However, s3cmd doesn’t support specifying response headers like Content-Type when generating pre-signed URLs, and the AWS CLI doesn’t support specifying the endpoint URL in the presign command. You can generate a pre-signed URL with specific parameters using the DigitalOcean Spaces API and an s3-compatible client library such as Boto3 for Python.

import boto3
from botocore.client import Config

# Initialize a session using DigitalOcean Spaces
session = boto3.session.Session()
client = session.client('s3',
                        region_name='nyc3',
                        endpoint_url='https://nyc3.digitaloceanspaces.com',
                        aws_access_key_id='YOUR_ACCESS_KEY',
                        aws_secret_access_key='YOUR_SECRET_KEY')

# Generate pre-signed URL with query parameters
url = client.generate_presigned_url(ClientMethod='get_object',
                                    Params={
                                        'Bucket': 'your-space-name',
                                        'Key': 'your-object-key',
                                        'ResponseContentType': 'text/plain',
                                        # You can add more parameters if needed, such as 'ResponseContentDisposition': 'attachment; filename=filename.txt'
                                    },
                                    ExpiresIn=3600)

To add query parameters to an existing pre-signed URL, you can use & to specify the queries at the end of the URL. For example, to serve your resource as text/plain, you can append &response-content-type=text/plain to the end of the pre-signed URL.