
What Are Presigned URLs and When Do You Use Them?

Definition
A presigned URL grants temporary access to a private object without sharing credentials. The URL contains a cryptographic signature that authorizes a specific operation (GET, PUT) on a specific object for a limited time.

The Problem Presigned URLs Solve

Private objects in cloud storage require authentication. Without presigning, clients need your credentials to access objects. Sharing credentials is dangerous: they grant access to everything, with no expiry. Proxying through your server works but consumes your bandwidth and adds latency.

Presigned URLs provide a middle path. Your server generates a URL with embedded authorization. The client uses that URL directly against storage, never touching your server. Authorization is scoped to one object, one operation, limited time. If leaked, damage is bounded.

How Signatures Work

The URL includes query parameters: access key ID, expiration timestamp, signature, and signed headers. The signature is a keyed hash (HMAC-SHA256) computed over the HTTP method, path, query parameters, headers, and expiration using your secret key.

The storage server recomputes the signature using its copy of your secret key. If signatures match, the request is authorized. If any signed element changed (different path, expired, modified headers), signatures differ and the request is rejected. The math prevents URL modification without the secret key.
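
The sign-and-recompute flow described above, as an added example that is not from the original page and is not any storage provider's real algorithm (production schemes such as AWS Signature Version 4 use a more detailed canonical request and derived keys). The parameter names `KeyId`, `Expires`, `ContentType`, `Signature` and the key values are constructed for the demo.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed demo values (assumptions, not real credentials).
SECRET_KEY = b"demo-secret-key-not-real"
ACCESS_KEY_ID = "DEMOACCESSKEYID"


def string_to_sign(method, path, params):
    """Canonical form: method, path, then sorted query parameters (signature excluded)."""
    return "\n".join([method.upper(), path, urlencode(sorted(params.items()))]).encode()


def sign(method, path, params):
    return hmac.new(SECRET_KEY, string_to_sign(method, path, params), hashlib.sha256).hexdigest()


def presign(method, path, expires_at, content_type=None):
    """Application server: authorize one method on one path until expires_at (epoch seconds)."""
    params = {"KeyId": ACCESS_KEY_ID, "Expires": str(expires_at)}
    if content_type is not None:
        params["ContentType"] = content_type  # constraint becomes part of the signed data
    params["Signature"] = sign(method, path, params)
    return f"{path}?{urlencode(params)}"


def verify(method, url, now, content_type=None):
    """Storage server: recompute the signature from the request exactly as received."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query))
    presented = params.pop("Signature", "")
    if params.get("KeyId") != ACCESS_KEY_ID:
        return "unknown key"
    # Constant-time comparison; any change to method, path or parameters lands here.
    if not hmac.compare_digest(sign(method, parts.path, params), presented):
        return "signature mismatch"
    # Expires is only trusted after the signature has been checked.
    if now > int(params["Expires"]):
        return "expired"
    if "ContentType" in params and params["ContentType"] != content_type:
        return "content-type mismatch"
    return "ok"


if __name__ == "__main__":
    url = presign("GET", "/bucket/reports/q3.pdf", 1700000600)
    print(url)
    print(verify("GET", url, now=1700000000))                              # untouched URL
    print(verify("GET", url.replace("q3.pdf", "q4.pdf"), now=1700000000))  # path edited
```

Extending the expiry by editing `Expires` fails the same way as editing the path, because the expiration is inside the signed data rather than checked separately from it.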

Upload vs Download URLs

Download (GET): Anyone with the URL can read the object until expiration. Use for serving private content to authenticated users: profile images, purchased content, temporary file sharing.

Upload (PUT): Anyone with the URL can write to that specific key until expiration. Use for client side uploads without proxying: file uploads, media ingestion, user content. The client PUTs directly to storage.

You can constrain PUT URLs further: require specific content type, limit content length, require specific metadata. These constraints become part of the signature.

💡 Key Insight: Presigned URLs shift traffic from your servers to the storage provider. A 1GB file download costs you zero bandwidth. The client downloads directly. You only generate a tiny URL.
💡 Key Takeaways
Presigned URLs embed cryptographic signature authorizing specific operation on specific object with expiration
Solves credential sharing problem: grant access without exposing secret keys or proxying data
Signature computed via HMAC SHA256 over method, path, headers, expiration using secret key
GET URLs enable downloads, PUT URLs enable uploads; both can include content type and size constraints
Traffic offload: client transfers directly with storage, your server only generates small URL
📌 Interview Tips
1. Start with the bandwidth savings. A video platform serving 1TB/day through your servers costs $90/day in bandwidth. Presigned URLs offload this to storage at $9/day. 10x cost reduction.
2. Explain the security model. The signature covers the entire request. Changing any signed element (path, expiration, headers) invalidates the signature. The URL cannot be modified to access different objects.
3. Walk through the flow: user requests download, server validates permissions, generates presigned URL for their content, returns URL, client downloads directly from storage. Server handles kilobytes, client handles gigabytes.