I’m a little confused at how pre-signed URLs would work within an app. If I have a large number of files that I want served with pre-signed URLs, would I need to code my app to regenerate and expose the new URL each time the URL expires? Or would this work where when a user requests access to the file, the app would generate the pre-signed URL if one doesn’t already exist (assuming the user should have access to this file)? Or am I missing something here?
Your app would dynamically create the URLs for your users and set the expiration time. They user could refresh or navigated back to the page to get freshly generated URLs.
Sid is correct.
You might want to play around with the AWS CLI command aws s3 presign command (see https://docs.aws.amazon.com/cli/latest/reference/s3/presign.html).
The output from this command is a URL which can be used to download a file from S3 for a specific period of time. Use the equivalent API call in a Java JSP, PHP to produce HTML something like:
A practical example of where I used this was designing an enterprise bill presentment and payment (EBPP) site. Think of viewing and paying your utility payment online. The application lists amounts due, but at the time it builds the page for the customer, it hits AWS S3 and generates presigned URLs for the customer to download bills. In this way I can store somewhat confidential data in S3, permit an authenticated (to my application) user to access, and keep away trolls.
If you want to see more info in about this architecture, I described it in this presentation:
and a working demo is here:
(note: if you’re viewing this after I’ve taken down the live link, reply here and if i get pinged i’ll turn it back on)