Sign me this, sir!
Using AWS S3 for different projects (with CarrierWave), my low-level intellect could not help me find the method to render a temporary signed URL for a private object in a bucket. If you have used some services using S3 you probably know what I’m talking about: a frackin’ long URL with three vars (AWSAccessKeyId, Expires, Signature) stuck at the end.
The basic idea is that using the Expires time, your secret AWS Access Key, the path of the object you want (including the bucket) and a SHA digest, you create a signature that AWS S3 will check to authenticate the URL. The timeout defines, well, the expiration date of the URL.
I looked around and found the specific page in the Amazon S3 Developer Guide. So it ends up being not too difficult to do by yourself.
Here’s the idea:
- you grab your S3 credentials
- you create a SHA digest using the OpenSSL library
- you store the request string that will be made to S3 (name of the action, 3 times ‘\n’, the timeout (seconds since epoch), ‘\n’, the URL to request)
- you make an HMAC digest of the digest, the key (S3 secret key), and the previously stored string
- you render the signature as a Base64-encoded string, stripped (no newline), URI escaped and URL-encoded.
- you create the usable URL from the path of the object and the three vars, and you return it.
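The steps above in Ruby, as an added example that is not the post's original code. It uses HMAC-SHA1, which is what S3's query-string signing with these three parameters (signature version 2) specifies; the module and method names, the path-style `s3.amazonaws.com` host and the credentials are assumptions or constructed values, and the `valid?` method models the check the receiving side performs.

```ruby
require 'openssl'
require 'base64'
require 'cgi'

# Added example: every name here is hypothetical, credentials are constructed.
module S3QuerySign
  HOST = 's3.amazonaws.com' # assumption: path-style addressing

  # Action, three "\n" (empty Content-MD5 and Content-Type), expiry, "\n",
  # then the resource path including the bucket. The object key is assumed
  # to be URL-safe already.
  def self.string_to_sign(bucket, key, expires, verb = 'GET')
    "#{verb}\n\n\n#{expires}\n/#{bucket}/#{key}"
  end

  # Raw signature: Base64 (strict, so no newline) of the HMAC-SHA1 of the
  # string to sign, keyed with the secret key.
  def self.signature(secret, bucket, key, expires)
    mac = OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha1'), secret,
                               string_to_sign(bucket, key, expires))
    Base64.strict_encode64(mac)
  end

  # Builds the URL; `now` is injectable so the result is reproducible.
  def self.signed_url(access_key, secret, bucket, key, ttl, now = Time.now)
    expires = now.to_i + ttl
    sig = CGI.escape(signature(secret, bucket, key, expires)) # '+' => %2B, '=' => %3D
    "https://#{HOST}/#{bucket}/#{key}?AWSAccessKeyId=#{CGI.escape(access_key)}" \
      "&Expires=#{expires}&Signature=#{sig}"
  end

  # Model of the receiving side: reject expired links, recompute the
  # signature from the request, compare without an early exit.
  def self.valid?(secret, bucket, key, expires, presented, now = Time.now)
    return false if now.to_i > expires.to_i
    expected = signature(secret, bucket, key, expires.to_i)
    return false unless expected.bytesize == presented.bytesize
    expected.bytes.zip(presented.bytes).reduce(0) { |d, (a, b)| d | (a ^ b) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  puts S3QuerySign.signed_url('AKIDEXAMPLE', 'constructed-secret',
                              'my-bucket', 'docs/report.pdf', 300)
end
```

Because the expiry and the object path are both inside the signed string, changing either one in the URL invalidates the signature, so the link cannot be extended or pointed at another object without the secret key.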
So, to make this usable we first need a method to properly encode the string. URI.escape doesn’t do the work we want, so we need to create a String method to replace all those strange characters (‘+’, ‘-’, ‘=’, …) with their proper URL hex encodings.
Then we define an Aws module, with a simple method to do the work:
And tada!
Now you just have to call it:


