Pre-signed URL for Digital Ocean spaces


Spaces, a new storage offering from Digital Ocean, is definitely cost effective and offers a rich API. If you are an existing AWS S3 user, the good news is that Spaces is fully compatible with the AWS S3 SDK, so you can leverage most of the S3 functionality in Spaces. Digital Ocean is also focused on increasing the number of regions that support Spaces. As of writing this article, there are 5 regions available.

Spaces Welcome screen

Since Spaces is used to store files, making sure that only appropriate users have legitimate access is key for your product security. An object stored in Spaces is accessible through a URL. The objects are usually documents, PDFs, images or media files, so the URL for each of these resources should be protected from unauthorized access. In this article, we will explore how to use the AWS S3 SDK to generate a pre-signed URL.

If you like to see things visually, here is the video version.

Access Key and Secret Key generation

Before we begin generating the pre-signed URL, we must create an access key and a secret key. To do this, let's log in to the Digital Ocean control panel.

Digital Ocean Control Panel Menu

Click the API link and you should see a new screen “Applications & API”. Scroll to the bottom of the screen and there is a section titled “Spaces access keys”. If you are visiting this section for the first time, you will have an empty table.

Digital Ocean API key

Click the “Generate New Key” button and you will be prompted for a key name. Enter a name such as “MySpacesKey” and save it. This should instantly generate an access key and a secret key. Make sure that you save these values in a secure location. The secret key won’t be available afterward.

Java Project (AWS SDK dependency)

To generate a pre-signed URL, we will create a standalone Java project. Note that the API can be leveraged in any type of project (web application, standalone, batch, etc.). Make sure that you add the following dependency to your project.


<dependency>
	<groupId>com.amazonaws</groupId>
	<artifactId>aws-java-sdk</artifactId>
	<version>1.11.433</version>
</dependency>

Note that it is always advisable to configure the latest AWS SDK version in your project. This will ensure any security patches are available along with the latest product features.

Standalone application – Pre-signed URL

Create a Java class with a main method in it. We will instantiate the AWS S3 client to make the appropriate API calls.


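// Point the S3 client at the Spaces endpoint instead of AWS.
// "ACCESS_KEY" and "SECRET_KEY" are placeholders: load the real values from the
// environment or a secrets store rather than committing them to source control.
AmazonS3 s3Client = AmazonS3ClientBuilder.standard()
	.withEndpointConfiguration(new AwsClientBuilder.EndpointConfiguration("https://sgp1.digitaloceanspaces.com", "sgp1"))
	.withCredentials(new AWSStaticCredentialsProvider(
		new BasicAWSCredentials("ACCESS_KEY", "SECRET_KEY")))
	.build();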

The trick behind using the AWS SDK for Digital Ocean is to change the API endpoint URL. The second argument is where the AWS region name would go; the example passes the Spaces region, sgp1.

Next, set the expiration time for the URL. The time can be constructed using java.util.Date.


// The URL stops working 30 minutes from now.
java.util.Date expiration = new java.util.Date();
long expTimeMillis = expiration.getTime();
expTimeMillis += 1000 * 60 * 30; // 30 minutes in milliseconds
expiration.setTime(expTimeMillis);

The final step is to build the pre-signed URL request and invoke the S3 API.


// Anyone who holds the resulting URL can GET the object until it expires.
GeneratePresignedUrlRequest generatePresignedUrlRequest =
    new GeneratePresignedUrlRequest("BUCKET_NAME", "RELATIVE_PATH_OF_THE_FILE")
        .withMethod(HttpMethod.GET)
        .withExpiration(expiration);
URL url = s3Client.generatePresignedUrl(generatePresignedUrlRequest);

The request requires two arguments: the name of the bucket and the relative path of the file. Make sure that the relative path includes the parent folder and the file name itself. For example, if you have stored “background.jpg” inside “assets/images/”, then the relative path should be “assets/images/background.jpg”.

You should now be able to access the protected file for the expiration duration. After the duration expires, using the same URL should return an access denied error.
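
When the file path and the expiration come from a user request, the code that issues the link is the access control. The class below is an added example, not code from the original article: it only signs keys under the caller's own prefix and caps the expiration. The users/<id>/ layout, the 30 minute cap, the class name and the environment variable names are assumptions.

```java
import com.amazonaws.HttpMethod;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.client.builder.AwsClientBuilder;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.GeneratePresignedUrlRequest;
import java.net.URL;
import java.time.Duration;
import java.util.Date;

public class ScopedPresigner {
    // Assumed policy: no download link lives longer than 30 minutes.
    static final Duration MAX_TTL = Duration.ofMinutes(30);
    private final AmazonS3 s3;
    private final String bucket;

    ScopedPresigner(AmazonS3 s3, String bucket) { this.s3 = s3; this.bucket = bucket; }

    // Returns a GET link only for keys under the caller's prefix (assumed layout: users/<id>/...).
    URL presignFor(String userId, String objectKey, Duration requestedTtl) {
        if (!userId.matches("[A-Za-z0-9_-]{1,64}"))
            throw new IllegalArgumentException("bad user id");
        String prefix = "users/" + userId + "/";
        // Reject keys outside the caller's prefix, the bare prefix itself, and dot segments.
        if (!objectKey.startsWith(prefix) || objectKey.contains("..")
                || objectKey.length() == prefix.length())
            throw new SecurityException("key not owned by caller");
        if (requestedTtl.isNegative() || requestedTtl.isZero())
            throw new IllegalArgumentException("ttl must be positive");
        // Clamp the requested lifetime to the policy maximum.
        Duration ttl = requestedTtl.compareTo(MAX_TTL) > 0 ? MAX_TTL : requestedTtl;
        Date expiration = new Date(System.currentTimeMillis() + ttl.toMillis());
        return s3.generatePresignedUrl(new GeneratePresignedUrlRequest(bucket, objectKey)
                .withMethod(HttpMethod.GET).withExpiration(expiration));
    }

    public static void main(String[] args) {
        // Keys are read from the environment (variable names are assumptions), not from source.
        AmazonS3 s3 = AmazonS3ClientBuilder.standard()
            .withEndpointConfiguration(new AwsClientBuilder.EndpointConfiguration(
                "https://sgp1.digitaloceanspaces.com", "sgp1"))
            .withCredentials(new AWSStaticCredentialsProvider(new BasicAWSCredentials(
                System.getenv("SPACES_ACCESS_KEY"), System.getenv("SPACES_SECRET_KEY"))))
            .build();
        ScopedPresigner presigner = new ScopedPresigner(s3, "BUCKET_NAME");
        // A two hour request is clamped to 30 minutes; a key under users/bob/ would be refused.
        System.out.println(presigner.presignFor("alice",
            "users/alice/assets/images/background.jpg", Duration.ofHours(2)));
    }
}
```

The userId passed in should come from the authenticated session, never from a request parameter.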
