Parse a Pre-signed S3 URL (Signature V4)

Pre-signed URLs with Signature V4

Pre-signed URLs provide temporary, scoped access to S3 objects without requiring AWS credentials in the client. Signature Version 4 (SigV4) is the current signing standard used by AWS.

Example URL

https://my-bucket.s3.us-west-2.amazonaws.com/reports/annual-2024.pdf?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20240115%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20240115T120000Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=abcdef1234567890

Parsed Components

Base URL:

Component	Value
Bucket	my-bucket
Key	reports/annual-2024.pdf
Region	us-west-2
Style	Virtual-Hosted

Signing Parameters:

Parameter	Value	Purpose
X-Amz-Algorithm	AWS4-HMAC-SHA256	Signing algorithm
X-Amz-Credential	AKIAI.../20240115/us-west-2/s3/aws4_request	Access key + credential scope
X-Amz-Date	20240115T120000Z	Request timestamp (ISO 8601)
X-Amz-Expires	3600	Validity duration in seconds (1 hour)
X-Amz-SignedHeaders	host	Headers included in signature
X-Amz-Signature	abcdef....	The computed HMAC-SHA256 signature

Credential Scope Breakdown

The credential value AKIAIOSFODNN7EXAMPLE/20240115/us-west-2/s3/aws4_request contains:

1. Access Key ID: AKIAIOSFODNN7EXAMPLE
2. Date: 20240115 (YYYYMMDD)
3. Region: us-west-2
4. Service: s3
5. Request type: aws4_request (always this literal string)

Expiration

The URL is valid from X-Amz-Date for X-Amz-Expires seconds. After expiration, S3 returns a 403 Access Denied response. The maximum expiration is 7 days (604800 seconds) when using IAM user credentials, or limited to the session duration for temporary credentials.