github.com/aavshr/aws-sdk-go@v1.41.3/example/service/s3/presignURL/README.md

# Presigned Amazon S3 API Operation Example

This example demonstrates how you can build a client application to retrieve and
upload object data from Amazon S3 without needing to know anything about Amazon
S3 or have access to any AWS credentials. Only the service would have knowledge
of how and where the objects are stored in Amazon S3.

The example is split into two parts `server.go` and `client.go`. These two parts
simulate the client/server architecture. In this example the client will represent
a third part user that will request resource URLs from the service. The service
will generate presigned S3 URLs which the client can use to download and
upload S3 object content.

The service supports generating presigned URLs for two S3 APIs; `GetObject` and
`PutObject`. The client will request a presigned URL from the service with an
object Key. In this example the value is the S3 object's `key`. Alternatively,
you could use your own pattern with no visible relation to the S3 object's key.
The server would then perform a cross reference with client provided value to
one that maps to the S3 object's key.

Before using the client to upload and download S3 objects you'll need to start the
service. The service will use the SDK's default credential chain to source your
AWS credentials. See the [`Configuring Credentials`](http://docs.aws.amazon.com/sdk-for-go/api/)
section of the SDK's API Reference guide on how the SDK loads your AWS credentials.

The server requires the S3 `-b bucket` the presigned URLs will be generated for. A
`-r region` is only needed if the bucket is in AWS China or AWS Gov Cloud. For
buckets in AWS the server will use the [`s3manager.GetBucketRegion`](http://docs.aws.amazon.com/sdk-for-go/api/service/s3/s3manager/#GetBucketRegion) utility to lookup the bucket's region.

You should run the service in the background or in a separate terminal tab before
moving onto the client.


```sh
go run -tags example server/server.go -b mybucket
> Starting Server On: 127.0.0.1:8080
```

Use the `--help` flag to see a list of additional configuration flags, and their
defaults.

## Downloading an Amazon S3 Object

Use the client application to request a presigned URL from the server and use
that presigned URL to download the object from S3. Calling the client with the
`-get key` flag will do this. An optional `-f filename` flag can be provided as
well to write the object to. If no flag is provided the object will be written
to `stdout`

```sh
go run -tags example client/client.go -get "my-object/key" -f outputfilename
```

Use the `--help` flag to see a list of additional configuration flags, and their
defaults.

The following curl request demonstrates the request the client makes to the server
for the presigned URL for the `my-object/key` S3 object. The `method` query
parameter lets the server know that we are requesting the `GetObject`'s presigned
URL. The `method` value can be `GET` or `PUT` for the `GetObject` or `PutObject` APIs.

```sh
curl -v "http://127.0.0.1:8080/presign/my-object/key?method=GET"
```

The server will respond with a JSON value. The value contains three pieces of
information that the client will need to correctly make the request. First is
the presigned URL. This is the URL the client will make the request to. Second
is the HTTP method the request should be sent as. This is included to simplify
the client's request building. Finally the response will include a list of
additional headers that the client should include that the presigned request
was signed with.

```json
{
	"URL": "https://mybucket.s3-us-west-2.amazonaws.com/my-object/key?<signature>",
	"Method": "GET",
	"Header": {
		"x-amz-content-sha256":["UNSIGNED-PAYLOAD"]
	}
}
```

With this URL our client will build a HTTP request for the S3 object's data. The
`client.go` will then write the object's data to the `filename` if one is provided,
or to `stdout` of a filename is not set in the command line arguments.

## Uploading a File to Amazon S3

Just like the download, uploading a file to S3 will use a presigned URL requested
from the server. The resigned URL will be built into an HTTP request using the
URL, Method, and Headers. The `-put key` flag will upload the content of `-f filename`
or stdin if no filename is provided to S3 using a presigned URL provided by the
service

```sh
go run -tags example client/client.go -put "my-object/key" -f filename
```

Like the download case this will make a HTTP request to the server for the
presigned URL. The Server will respond with a presigned URL for S3's `PutObject`
API operation. In addition the `method` query parameter the client will also
include a `contentLength` this value instructs the server to generate the presigned
PutObject request with a `Content-Length` header value included in the signature.
This is done so the content that is uploaded by the client can only be the size
the presigned request was generated for.

```sh
curl -v "http://127.0.0.1:8080/presign/my-object/key?method=PUT&contentLength=1024"
```

## Expanding the Example

This example provides a spring board you can use to vend presigned URLs to your
clients instead of streaming the object's content through your service. This
client and server example can be expanded and customized. Adding new functionality
such as additional constraints the server puts on the presigned URLs like
`Content-Type`.

In addition to adding constraints to the presigned URLs the service could be
updated to obfuscate S3 object's key. Instead of the client knowing the object's
key, a lookup system could be used instead. This could be substitution based,
or lookup into an external data store such as DynamoDB.