Grant Pre-signed style url access to whole directory
It is possible now to use Custom Policy and create a token that will grant access to * instead of single S3 object. But obviously you need to keep changing file names in individual URLs, keeping token same for all.
This is assuming you are using CloudFront in front of S3 for distribution.
A Pre-Signed URL permits access to private objects stored on Amazon S3. It is a means of keeping objects secure, yet grant temporary access to a specific object.
It is created via a hash calculation based on the object path, expiry time and a shared Secret Access Key belonging to an account that has permission to access the Amazon S3 object. As such, each pre-signed URL is unique to each object and cannot act as a wildcard for an entire directory.
Some alternatives:
- Grant public access to all objects in the subdirectory via a Bucket Policy. This means that the objects are no longer private, but it is the easiest way to "publish" a bucket or directory or objects.
- Access via the API rather than plan URLS, which includes the passing of credentials that can be linked to a User created in Identity and Access Management (IAM). This would involve using a tool such as the AWS Command Line Interface (CLI) to retrieve the objects rather than a web browser and has the benefit that it can copy multiple objects at the same time (just like a normal
cp
command).
See also: AWS CLI copy command
As of March 2015, you can now use signed cookies to grant access to an entire directory.
CloudFront signed cookies allow you to control who can access your content when you don't want to change your current URLs or when you want to provide access to multiple restricted files