Skip to content

Commit

Permalink
docs(s3-request-presigner): add in getSignedUrl example with and with…
Browse files Browse the repository at this point in the history
…out signed headers (#6129)
  • Loading branch information
whutchinson98 authored Jun 17, 2024
1 parent a2f25e3 commit 1bf87e3
Showing 1 changed file with 49 additions and 0 deletions.
49 changes: 49 additions & 0 deletions packages/s3-request-presigner/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -91,4 +91,53 @@ to `presigned` is not sufficient to make a request. You need to send the
server-side encryption headers along with the url. These headers remain in the
`presigned.headers`

### Get Presigned URL with headers that cannot be signed

By using the `getSignedUrl` with a `S3Client` you are able to sign your
headers, improving the security of presigned url. Importantly, if you want to
sign any `x-amz-*` headers (like the ChecksumSHA256 header in this example),
you need to provide those headers to the set of `unhoistableHeaders` in the
`getSignedUrl` params which will force those headers to be present in the
upload request.

```javascript
import { PutObjectCommand, S3Client } from "@aws-sdk/client-s3";
import { getSignedUrl } from "@aws-sdk/s3-request-presigner";

const s3Client = new S3Client({ region: "us-east-1" });
const command = new PutObjectCommand({
Bucket: bucket,
Key: key,
ChecksumSHA256: sha,
});

const presigned = getSignedUrl(s3Client, command, {
expiresIn: expiration,
// Set of all x-amz-* headers you wish to have signed
unhoistableHeaders: new Set(["x-amz-checksum-sha256"]),
});
```

### Get Presigned URL with headers that should be signed

For headers that are not `x-amz-*` you are able to add them to the set of
`signableHeaders` to be enforced in the presigned urls request.

```javascript
import { PutObjectCommand, S3Client } from "@aws-sdk/client-s3";
import { getSignedUrl } from "@aws-sdk/s3-request-presigner";

const s3Client = new S3Client({ region: "us-east-1" });
const command = new PutObjectCommand({
Bucket: bucket,
Key: key,
ContentType: contentType,
});

const presigned = getSignedUrl(s3Client, command, {
signableHeaders: new Set(["content-type"]),
expiresIn: expiration,
});
```

For more information, please go to [S3 SSE reference](https://docs.aws.amazon.com/AmazonS3/latest/dev/KMSUsingRESTAPI.html)

0 comments on commit 1bf87e3

Please sign in to comment.