AWS S3 HeadObject is a simple and efficient way to retrieve metadata about an object in your S3 bucket. You can use it to check if an object exists, without having to download the entire object.
To use HeadObject, you'll need to provide the object key and bucket name. The AWS SDK will then send a HEAD request to S3, which returns the object's metadata, such as the last modified date and size.
This approach is particularly useful when you're working with large objects or want to minimize data transfer costs. By only retrieving the metadata, you can save bandwidth and reduce the load on your network.
In this guide, we'll walk you through the HeadObject workflow and library configuration process, using examples and best practices to help you get started.
Security and Permissions
To use the AWS S3 HeadObject API, you need the right permissions. For general purpose buckets, you must have the s3:GetObject permission, which requires the relevant read object (or version) permission.
The error message Amazon S3 returns when the object you request doesn't exist depends on whether you also have the s3:ListBucket permission. If you do, you'll get an error message indicating that the object doesn't exist. If you don't, you'll get an error message indicating that the bucket doesn't exist.
To grant access to the HeadObject API on a directory bucket, use the CreateSession API operation for session-based authorization. You'll need to grant the s3express:CreateSession permission to the directory bucket in a bucket policy or an IAM identity-based policy.
Here are the required permissions for the HeadObject API on a directory bucket:
- s3express:CreateSession
- kms:GenerateDataKey (if the object is encrypted with AWS KMS)
- kms:Decrypt (if the object is encrypted with AWS KMS)
Permissions
To use the HEAD operation on an S3 bucket, you must have the s3:GetObject permission. This permission allows you to retrieve metadata about the object.
You'll also need the relevant read object permission to access the object. For more information on S3 permissions, check out the Actions, resources, and condition keys for Amazon S3 in the Amazon S3 User Guide.
If the object you request doesn't exist, the error message from Amazon S3 depends on whether you have the s3:ListBucket permission. If you do, you'll get a specific error message.
Here are the relevant S3 permissions for the HEAD operation:
- s3:GetObject permission
- relevant read object (or version) permission
For directory buckets, we recommend using the CreateSession API operation for session-based authorization. This involves granting the s3express:CreateSession permission to the directory bucket in a bucket policy or an IAM identity-based policy.
Encryption
Encryption is a crucial aspect of security in Amazon S3. You should not send encryption request headers, like x-amz-server-side-encryption, for HEAD requests if your object uses server-side encryption with Key Management Service (KMS) keys.
This is because the encryption method can't be changed when you retrieve the object, and including this header will result in an HTTP 400 Bad Request error.
If you encrypt an object using server-side encryption with customer-provided encryption keys (SSE-C), you must use specific headers to provide the encryption key for the server to retrieve the object's metadata.
These headers are x-amz-server-side-encryption-customer-algorithm, x-amz-server-side-encryption-customer-key, and x-amz-server-side-encryption-customer-key-MD5.
Encryption Options for Directory Buckets
For directory buckets, there are only two supported options for server-side encryption: SSE-S3 and SSE-KMS. SSE-C isn't supported.
Response and Examples
When you use the AWS S3 HeadObject operation, you can expect to receive some additional response headers that provide more information about the object you're querying.
The x-amz-meta-* headers return any user metadata you supplied when you put the object in S3, prefixed with x-amz-meta- and the suffix name you provided on storage. For example, if you provided the suffix "family", the header would be x-amz-meta-family.
In addition to the x-amz-meta-* headers, you can also receive an x-amz-missing-meta header, which indicates the number of metadata entries not returned in the x-amz-meta headers. This can happen if you create metadata using an API like SOAP that supports more flexible metadata than the REST API.
Here are some common response headers you might see:
The HeadObject operation can also return the version ID of the object, which is indicated by the x-amz-version-id header.
Response Headers
When you're working with Amazon S3, you'll often come across response headers that provide valuable information about the object you've just retrieved. These headers can give you insight into the object's metadata and version ID.
One type of response header you might see is the x-amz-meta-* header. This header returns any user metadata you supplied when you PUT the object, prefixed with x-amz-meta- and the suffix name you provided on storage.
For example, if you provided metadata with the suffix "family", you might see an x-amz-meta-family header in the response. Amazon S3 returns this metadata verbatim, without interpreting it.
If you've created metadata using an API like SOAP that supports more flexible metadata than the REST API, you might see an x-amz-missing-meta header in the response. This header indicates the number of metadata entries not returned in the x-amz-meta headers.
You might also see an x-amz-version-id header in the response, which returns the version ID of the object.
Here's a breakdown of the common response headers you might see:
Examples
You can retrieve metadata for an object in a bucket named my-bucket with a specific command.
This command can also indicate if the requester was successfully charged for the request, if present.
The retrieved metadata includes VersionId, ContentDisposition, SSECustomerAlgorithm, and StorageClass.
These metadata can be useful for understanding the object's properties and the request's outcome.
The command can be part of a workflow library example, such as S3 Head Object with Aws and Send Results Via Email.
This workflow example shows how to retrieve metadata and send results via email, demonstrating the practical application of the command.
Workflow and Library
A workflow library is a collection of reusable code snippets that can be used to automate tasks. This library can be used to simplify complex workflows and make them more efficient.
For example, the "S3 Head Object with Aws and Send Results Via Email" example shows how a workflow library can be used to perform tasks such as sending results via email. This can be especially useful for automating tasks that require sending notifications or updates to stakeholders.
Workflow Library Example
In a Workflow Library, you can use the S3 Head Object command to check if an object exists in a bucket before taking further action. This is useful for validating if a certain object is present or not.
The Head Object command returns metadata about the object, such as its version ID, content disposition, and storage class. If the object is not found, it returns a 404 status code, indicating that the object is not present in the bucket.
You can use the command to check if a file like index.html exists in a bucket. If the file is present, the command will fetch its metadata; otherwise, it will return "Object not found" with a 404 status code.
For example, if you're working with a bucket named my-bucket, the command retrieves metadata for an object in that bucket, including its version ID, content disposition, and storage class.
Basic Parameters
As you're working on your workflow and library, it's essential to understand the basic parameters that will help you get started. The AWS Region is a crucial parameter that determines where your data will be stored. If no Region is specified, AWS routes the request to us-east-1 by default.
If you're using an access point, you'll need to direct requests to the access point hostname, which takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. Alternatively, you can provide the access point ARN in place of the bucket name.
To filter your results, you can use the If Modified Since parameter, which returns the object only if it has been modified since the specified time, otherwise returns a 304 (not modified). This can be a useful feature if you're working with large datasets and want to ensure you're getting the most up-to-date information.
The Key parameter is another essential parameter that specifies the object key. The Version ID parameter, on the other hand, is used to reference a specific version of the object.
Here's a summary of the basic parameters:
Sources
- https://www.middlewareinventory.com/blog/aws-s3api-examples/
- https://documentation.help/s3-api-20060301/RESTObjectHEAD.html
- https://sdk.amazonaws.com/kotlin/api/latest/s3/aws.sdk.kotlin.services.s3/head-object.html
- https://awscli.amazonaws.com/v2/documentation/api/2.0.33/reference/s3api/head-object.html
- https://docs.blinkops.com/docs/integrations/aws/actions/s3-head-object
Featured Images: pexels.com