AWS s3 - difference between "Download" and "Object URL"

Time:10-19

Read as I might, I can't find the answer. I have set up a bucket and user with GetObject permission. In the AWS console, I can use the download and open links (green arrows below) successfully, which seems to indicate the permissions are set right. However, when clicking on the Object URL link (red arrow below), I get an Access Denied XML error.

What is the purpose of the Object URL? What is the difference between it and the download/open buttons? Also, why is the owner field blank? I left the config to default which "should" have the uploader as the owner, no?


CodePudding user response:

By default, all buckets and objects are private and not accessible from the internet. To make your private objects accessible from the internet without the need for IAM credentials, you have to create an S3 pre-signed URL. And this is exactly what the open/download links do - they generate an S3 pre-signed URL for you to use. So when you click them, AWS will generate the S3 pre-signed URL and the browser will request the object using that URL.

Clicking the Object URL does not work, because when the browser makes a request to AWS for that object, it does not sign the request using IAM credentials. The Object URL would only work if the bucket or the object allowed anonymous access. In that case, no IAM credentials are required. This is mostly useful for serving static webpages from S3.
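As an added illustration (not code from the post or from the AWS SDK), the pure-Python snippet below builds both kinds of link for the same object: the bare Object URL, and a GET URL carrying a SigV4 query-string signature of the kind the console's Open/Download links embed. The bucket name, key, timestamp and credentials are constructed placeholders.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import parse_qs, quote, urlsplit

ALGO = "AWS4-HMAC-SHA256"
# Constructed fixed timestamp so the output is reproducible (not a real request time).
FIXED_TIME = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def object_url(bucket: str, key: str, region: str) -> str:
    # The console's "Object URL": no credentials and no signature, so S3
    # evaluates a GET on it as an anonymous request.
    return f"https://{bucket}.s3.{region}.amazonaws.com/{quote(key, safe='/')}"


def presigned_get_url(bucket, key, region, access_key, secret_key, when, expires=3600):
    # Same object, plus the SigV4 query parameters a pre-signed URL carries;
    # the signing identity's permissions decide whether the GET succeeds.
    host = f"{bucket}.s3.{region}.amazonaws.com"
    amz_date, datestamp = when.strftime("%Y%m%dT%H%M%SZ"), when.strftime("%Y%m%d")
    scope = f"{datestamp}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": ALGO,
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    # Canonical query string: sorted keys, values URI-encoded ("/" in the scope -> %2F).
    canonical_qs = "&".join(f"{k}={quote(v, safe='-_.~')}" for k, v in sorted(params.items()))
    canonical_request = "\n".join(
        ["GET", "/" + quote(key, safe="/"), canonical_qs, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"]
    )
    string_to_sign = "\n".join([ALGO, amz_date, scope, hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Derive the date/region/service signing key from the long-term secret key.
    k = _hmac(("AWS4" + secret_key).encode(), datestamp)
    for part in (region, "s3", "aws4_request"):
        k = _hmac(k, part)
    signature = hmac.new(k, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"{object_url(bucket, key, region)}?{canonical_qs}&X-Amz-Signature={signature}"


def signing_params(url: str) -> dict:
    # Flatten the query string to show which X-Amz-* fields a URL carries (none for an Object URL).
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def demo():
    # Constructed placeholder bucket, key and credentials; nothing here is real.
    args = ("example-bucket", "reports/q1 summary.pdf", "us-east-1")
    return object_url(*args), presigned_get_url(*args, "AKIAEXAMPLEPLACEHOLDER", "SecretKeyPlaceholder0123", FIXED_TIME, 900)
```

Because the Object URL carries none of the X-Amz-* parameters, S3 treats the request as anonymous and returns AccessDenied unless the bucket or object grants public read.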

CodePudding user response:

Simply put, the Object URL is an external link that checks for public permissions for access.

Download and Open use your currently signed-in user's permissions to verify whether you should have access to the objects, which is why they work for you.

The owner field may be blank because it was uploaded by a public/anonymous user that doesn't have an IAM User in your system.

By default, an Amazon S3 object is owned by the identity that uploaded the object. This means that if you allow public write access to your bucket, the objects uploaded by public (anonymous) users are publicly owned.

https://aws.amazon.com/premiumsupport/knowledge-center/s3-object-change-anonymous-ownership/
