Last Updated: January 24, 2018
· mcansky

Signing Amazon S3 URLs

Using the aws gem ( you can easily handle put and get actions in a bucket but if you've set your bucket rights to private you will need a bit more code to provide signed and time limited urls.

AWS S3 has some documentation on the topic : and it's quite easy to follow and get it working. Still the example is not Ruby code, so here is a ready to use one.

A signed S3 url is composed of the classic get url where you add your AWS Access key id, an expire date (in Unix format) and a signature. The first two are easy, the signature is where the fun is.

The signature is basically a base64 encoded string made from an OpenSSL HMAC digest.

You need two things as initial parameters :

  • expire date : a Unix time in the future
  • path : the path of the file in the S3 bucket (that's right this doesn't include the bucket name)

You need to create a new SHA1 digest using the OpenSSL lib :

digest ='sha1')

You then create the a string corresponding to the http request you want to make :

can_string = "GET\n\n\n#{expire_date}\n/#{S3_BUCKET}/#{path}"

You can do the final digest using that string, the previous request and the S3 key :

hmac = OpenSSL::HMAC.digest(digest, S3_SECRET_ACCESS_KEY, can_string)

The signature is made from that digest using the Base64 encoder :

signature = URI.escape(Base64.encode64(hmac).strip).encode_signs

You then just have to add up all of these to get the signed url :


All the code :

The Base64.encode64 and URI.escape methods don't always encode some characters like "+", "?" etc ... You need to do it yourself. If you check the gist linked above you will find the String::encode_signs that encode those characters properly.

Say Thanks

5 Responses
Add your response



over 1 year ago ·

Hi I wrote one up for bash shell:

over 1 year ago ·

You don't need the CONTENT-MD5 or CONTENT-TYPE in the signature?

over 1 year ago ·

nevermind, didn't read far enough in the doc

over 1 year ago ·

what about specifying a region ?

over 1 year ago ·