Presigned URLs¶

Presigned URLs are time-limited URLs that grant temporary access to private objects without requiring the requester to hold credentials. MSC can generate presigned URLs using the same credentials it already manages for storage operations.

Usage¶

The simplest way to generate a presigned URL is via the msc.generate_presigned_url() shortcut:

import multistorageclient as msc

url = msc.generate_presigned_url("msc://my-s3-profile/datasets/model.bin")
# => https://my-bucket.s3.us-east-1.amazonaws.com/datasets/model.bin?X-Amz-Algorithm=...

You can also call generate_presigned_url directly on a StorageClient:

from multistorageclient import StorageClient, StorageClientConfig

client = StorageClient(StorageClientConfig.from_file("my-s3-profile"))
url = client.generate_presigned_url("datasets/model.bin")

To generate a URL that allows the recipient to upload an object, pass method="PUT":

url = msc.generate_presigned_url("msc://my-s3-profile/uploads/data.tar", method="PUT")

Signer Types¶

The signer_type parameter selects which signing backend to use. When omitted (or None), the storage provider’s native signer is used.

`SignerType`	Description	Requires
`SignerType.S3` (default for S3 providers)	Uses the boto3 S3 client’s native `generate_presigned_url`.	`boto3`
`SignerType.CLOUDFRONT`	Generates CloudFront signed URLs using an RSA key pair.	`boto3`, `cryptography`

S3 Native Signing¶

When using an S3 storage provider, presigned URLs are generated via the S3 SDK by default. No extra signer_type is needed:

url = client.generate_presigned_url("datasets/model.bin")

You can pass expires_in (seconds) via signer_options:

url = client.generate_presigned_url(
    "datasets/model.bin",
    signer_options={"expires_in": 900},  # 15 minutes
)

CloudFront Signing¶

For CloudFront signed URLs (e.g. wildcard-signed URLs for Zarr datasets), pass signer_type=SignerType.CLOUDFRONT with the required options:

from multistorageclient import SignerType

url = client.generate_presigned_url(
    "results/experiment.zarr/*",
    signer_type=SignerType.CLOUDFRONT,
    signer_options={
        "key_pair_id": "K2JCJMDEHXQW5F",
        "private_key_path": "/secrets/cloudfront.pem",
        "domain": "d111111abcdef8.cloudfront.net",
        "expires_in": 7200,
    },
)

Credential Lifetime and URL Expiration¶

When the underlying credentials are temporary (STS, IAM roles, EC2 instance profiles), the effective URL lifetime is the shorter of expires_in and the remaining credential lifetime. For example, if the session token expires in 10 minutes but expires_in is set to 3600 (1 hour), the URL will stop working after 10 minutes when the token expires. The S3 SDK will not warn if the credential expires before expires_in.

For more details, see the AWS presigned URL documentation.

Supported Providers¶

Presigned URL generation is currently supported for:

S3 and S3-compatible providers (S3, S8K, GCS via S3, AIStore via S3)

Other providers (Azure, GCS native, OCI, POSIX) will raise NotImplementedError. Support for additional providers can be added by implementing a URLSigner subclass in the corresponding provider module.