6

I have to download a file from my S3 bucket onto my server for some processing. The bucket does not support direct connections and has to use a Pre-Signed URL.

The Boto3 Docs talk about using a presigned URL to upload but do not mention the same for download.

Alok
  • 8,452
  • 13
  • 55
  • 93
Varun Shridhar
  • 143
  • 1
  • 1
  • 8
  • Could you please let me know what could be improved? I went through the link but was unable to figure out what part of my question was not according to the standard. – Varun Shridhar Feb 11 '20 at 08:16

2 Answers2

17
import boto3

s3_client = boto3.client('s3')

BUCKET = 'my-bucket'
OBJECT = 'foo.jpg'

url = s3_client.generate_presigned_url(
    'get_object',
    Params={'Bucket': BUCKET, 'Key': OBJECT},
    ExpiresIn=300)

print(url)

For another example, see: Presigned URLs — Boto 3 documentation

You can also generate a pre-signed URL using the AWS CLI:

aws s3 presign s3://my-bucket/foo.jpg --expires-in 300

See: presign — AWS CLI Command Reference

John Rotenstein
  • 241,921
  • 22
  • 380
  • 470
  • 15
    This answer shows how to generate a pre-signed url but not how to download the file. – David Medinets Aug 21 '20 at 17:58
  • 1
    @DavidMedinets The pre-signed url can be downloaded as any regular file. – Ariel M. Jan 08 '21 at 16:58
  • 1
    @ArielM. - doesn't work for me.. I get an access denied when trying to open the presigned url on my browser – Siddhant Sadangi Jan 18 '22 at 08:24
  • @SiddhantSadangi The pre-signed URL uses permissions from the credentials that were used to create the pre-signed URL. So, receiving `Access Denied` suggests that the credentials used do _not_ have permission to access the object. You can test this by trying to access the object by using the AWS CLI with the same credentials (eg `aws s3 cp s3://bucketname/object.name .`). – John Rotenstein Jan 18 '22 at 11:44
  • @ArielM. I also get the "unauthorized" error, unless I make the bucket public, which doesn't make sense... Could you help with that maybe? THX! – – ephraim Nov 14 '22 at 16:45
  • @ephraim It should work as long as the expiry period has not passed and the credentials used to generate the pre-signed URL have permissions to access the object. What happens if you use the same credentials to download the object from the bucket, as shown in the previous comment? – John Rotenstein Nov 14 '22 at 21:18
  • @JohnRotenstein Thanks! I get an "access denied" error code, which I believe points out on the "credentials" not good. Any clue how I can *enable* my lambda funciton to have these credentials? THX – ephraim Nov 15 '22 at 08:10
  • 1
    @ephraim You mention an AWS Lambda function, so it sounds like your code that generates the pre-signed URL is running in this function. There should be an IAM Role attached to the Lambda function. That IAM Role requires permission to access the object in S3. – John Rotenstein Nov 15 '22 at 11:14
  • @JohnRotenstein Your right. I finally managed to Add a permission type, which enables S3 REad file, and then add this permission to my lambda. THX for directing me. – ephraim Nov 15 '22 at 12:40
0

Just to add to John's answer above, and save time to anyone poking around, the documentation does mention how to download as well as upload using the presigned URL as well:

How to download a file:

import requests    # To install: pip install requests

url = create_presigned_url('BUCKET_NAME', 'OBJECT_NAME')
if url is not None:
    response = requests.get(url)

Python Presigned URLs documentation: https://boto3.amazonaws.com/v1/documentation/api/latest/guide/s3-presigned-urls.html

Jain
  • 149
  • 1
  • 2
  • 9