Object Storage & Blob Storage > Presigned URLs & Access Control (Hard, ~3 min)

Implementation Patterns: Control Plane, Data Plane, and Post Upload Validation

API Gateway Pattern

The most common pattern places URL generation behind an API gateway. The client authenticates to your API, requests a presigned URL, and receives a URL for direct storage access. This centralizes authorization logic while offloading bandwidth to storage. Implementation requires authentication middleware that validates client identity, authorization logic that determines access rights, URL generation with appropriate scope, and logging for audit. The API should be stateless so it can scale horizontally. URL generation takes 1-5ms with no storage I/O, so a single server handles 10,000+ URLs per second.

Edge Function Pattern

For latency-sensitive applications, generate URLs at edge locations. A request to a CDN edge triggers a serverless function that generates the presigned URL. This reduces the round trip from 100-200ms to origin down to 10-30ms at the edge. The challenge: edge functions need signing credentials. Options include replicating credentials to edge locations, which increases the attack surface; having the edge call origin for the signature only; or using pre-generated URL pools at the edge with short expiration for predictable content.

💡 Key Insight: Edge URL generation trades security (credentials at edge) for latency. Evaluate based on content sensitivity and latency requirements for your use case.

Batch Generation Pattern

When clients need multiple URLs, such as for a thumbnail gallery, generate them in batch rather than individually. A page with 50 images should not require 50 API calls. The batch endpoint accepts a list of object keys, validates authorization for every key, and returns all URLs in a single response. Limit batch size to 100-500 URLs and apply rate limiting. A request for thousands of URLs could be reconnaissance probing for valid object keys.

Upload Workflow Pattern

Uploads require more than just a presigned URL. The full workflow: the client requests an upload URL with file metadata including name, size, and type. The server validates the metadata and generates a URL with content-type and length conditions. The client uploads directly to storage. Storage notifies the server of completion via an event or webhook. The server verifies that the upload exists with the correct size and updates the database. Verification is critical: without it, clients could claim an upload is complete without actually uploading, or upload different content than declared.
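The three stages of that workflow, as an added example that is not code from the original lesson: a control plane that validates declared metadata and signs an upload policy, a data plane that enforces the signed conditions, and a post-upload check. The HMAC-signed policy, the in-memory STORAGE dict standing in for the bucket, the 10 MB cap and the allowed content types are all assumptions made for the demo, not a real provider's presigned-URL format.

```python
import base64, hashlib, hmac, json, time

SIGNING_KEY = b"constructed-demo-secret"  # assumption: server-only secret, never sent to client
STORAGE = {}  # constructed stand-in for the object store (key -> (content_type, body))


def issue_upload_grant(key, content_type, size, ttl=300, now=None):
    """Control plane: validate client-declared metadata, then sign an upload policy."""
    if size <= 0 or size > 10 * 1024 * 1024:  # assumed limit for the demo
        raise ValueError("declared size outside allowed range")
    if content_type not in {"image/jpeg", "image/png"}:  # assumed allow-list
        raise ValueError("content type not allowed")
    policy = {"key": key, "content_type": content_type, "max_length": size,
              "expires": int((now if now is not None else time.time()) + ttl)}
    payload = base64.b64encode(json.dumps(policy, sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return {"policy": payload.decode(), "signature": sig}


def storage_put(grant, content_type, body, now=None):
    """Data plane: storage checks only the signature and the signed conditions."""
    payload = grant["policy"].encode()
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, grant["signature"]):
        return 403  # tampered or forged policy
    policy = json.loads(base64.b64decode(payload))
    if (now if now is not None else time.time()) > policy["expires"]:
        return 403  # grant expired
    if content_type != policy["content_type"] or len(body) > policy["max_length"]:
        return 400  # violates content-type or length condition
    STORAGE[policy["key"]] = (content_type, body)
    return 200


def verify_upload(key, declared_size, declared_type):
    """Post-upload validation: the object must exist and match what the client declared."""
    obj = STORAGE.get(key)
    if obj is None:
        return False  # client claimed completion but never uploaded
    ctype, body = obj
    return ctype == declared_type and len(body) == declared_size
```

The final check is what catches a client that declared 10 bytes, uploaded 3, and then reported the upload complete.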

💡 Key Takeaways
- API gateway pattern: authenticate at your API, generate a scoped URL, and let the client access storage directly; scales to 10,000+ URLs per second
- Edge function pattern: generate at the CDN edge for 10-30ms latency vs 100-200ms to origin, but requires credentials at the edge
- Batch generation: fetch up to 100-500 URLs in a single request for galleries, with rate limits to prevent reconnaissance
- Upload workflow: presigned URL plus server-side verification that the object exists with the correct size after the upload completes

📌 Interview Tips
1. Describe the complete upload workflow, including metadata validation, URL generation with conditions, and post-upload verification
2. When discussing latency, explain the edge vs origin generation tradeoff with specific latency numbers
3. For gallery scenarios, explain batch URL generation with appropriate limits to prevent abuse