Description Requests Examples Related Resources

POST Object

Description

The POST operation adds an object to a specified bucket by using HTML forms. POST is an alternate form of PUT that enables browser-based uploads as a way of putting objects in buckets. Parameters that are passed to PUT through HTTP headers are instead passed as form fields to POST in the multipart/form-data encoded message body. To add an object to a bucket, you must have WRITE access on the bucket. Amazon S3 never stores partial objects. If you receive a successful response, you can be confident that the entire object was stored.

Amazon S3 is a distributed system. Unless you've enabled versioning for a bucket, if Amazon S3 receives multiple write requests for the same object simultaneously, only the last version of the object written is stored.

To ensure that data is not corrupted while traversing the network, use the Content-MD5 form field. When you use this form field, Amazon S3 checks the object against the provided MD5 value. If they do not match, Amazon S3 returns an error. Additionally, you can calculate the MD5 value while posting an object to Amazon S3 and compare the returned ETag to the calculated MD5 value. The ETag reflects only changes to the contents of an object, not its metadata.

Note

To configure your application to send the request headers before sending the request body, use the HTTP status code 100 (Continue). For POST operations, using this status code helps you avoid sending the message body if the message is rejected based on the headers (for example, because of an authentication failure or redirect). For more information about the HTTP status code 100 (Continue), go to Section 8.2.3 of http://www.ietf.org/rfc/rfc2616.txt.

Amazon S3 automatically encrypts all new objects that are uploaded to an S3 bucket. The encryption setting of an uploaded object depends on the default encryption configuration of the destination bucket. By default, all buckets have a default encryption configuration that uses server-side encryption with Amazon S3 managed keys (SSE-S3).

If the destination bucket has an encryption configuration that uses server-side encryption with an AWS Key Management Service (AWS KMS) key (SSE-KMS), dual-layer server-side encryption with an AWS KMS key (DSSE-KMS), or a customer-provided encryption key (SSE-C), Amazon S3 uses the corresponding KMS key or customer-provided key to encrypt the uploaded object. When uploading an object, if you want to change the encryption setting of the uploaded object, you can specify the type of server-side encryption. You can configure SSE-S3, SSE-KMS, DSSE-KMS, or SSE-C. For more information, see Protecting data using server-side encryption in the Amazon Simple Storage Service User Guide.

Important

When constructing your request, make sure that the file field is the last field in the form.

Requests

Syntax


POST / HTTP/1.1
Host: destinationBucket.s3.amazonaws.com
User-Agent: browser_data
Accept: file_types
Accept-Language: Regions
Accept-Encoding: encoding
Accept-Charset: character_set
Keep-Alive: 300
Connection: keep-alive
Content-Type: multipart/form-data; boundary=9431149156168
Content-Length: length

--9431149156168
Content-Disposition: form-data; name="key"

acl
--9431149156168
Content-Disposition: form-data; name="tagging"

<Tagging><TagSet><Tag><Key>Tag Name</Key><Value>Tag Value</Value></Tag></TagSet></Tagging>
--9431149156168
Content-Disposition: form-data; name="success_action_redirect"

success_redirect
--9431149156168
Content-Disposition: form-data; name="Content-Type"

content_type
--9431149156168
Content-Disposition: form-data; name="x-amz-meta-uuid"

uuid
--9431149156168
Content-Disposition: form-data; name="x-amz-meta-tag"

metadata
--9431149156168
Content-Disposition: form-data; name="AWSAccessKeyId"

access-key-id
--9431149156168
Content-Disposition: form-data; name="Policy"

encoded_policy
--9431149156168
Content-Disposition: form-data; name="Signature"

signature=
--9431149156168
Content-Disposition: form-data; name="file"; filename="MyFilename.jpg"
Content-Type: image/jpeg

file_content
--9431149156168
Content-Disposition: form-data; name="submit"

Upload to Amazon S3
--9431149156168--

Request Parameters

This implementation of the operation does not use request parameters.

Form Fields

This operation can use the following form fields.

Name	Description	Required
`AWSAccessKeyId`	The AWS access key ID of the owner of the bucket who grants an Anonymous user access for a request that satisfies the set of constraints in the policy. Type: String Default: None Constraints: Required if a policy document is included with the request.	Conditional
`acl`	The specified Amazon S3 access control list (ACL). If the specified ACL is not valid, an error is generated. For more information about ACLs, see Access control list (ACL) overview in the Amazon Simple Storage Service User Guide. Type: String Default: private Valid Values: `private \| public-read \| public-read-write \| aws-exec-read \| authenticated-read \| bucket-owner-read \| bucket-owner-full-control`	No
`Cache-Control`, `Content-Type`, `Content-Disposition`, `Content-Encoding`, `Expires`	The REST-specific headers. For more information, see PutObject. Type: String Default: None	No
`file`	The file or text content. The file or text content must be the last field in the form. You cannot upload more than one file at a time. Type: File or text content Default: None	Yes
`key`	The name of the uploaded key. To use the file name provided by the user, use the `${filename}` variable. For example, if a user named Mary uploads the file `example.jpg` and you specify `/user/mary/${filename}`, the key name is `/user/mary/example.jpg`. For more information, see Object key and metadata in the Amazon Simple Storage Service User Guide. Type: String Default: None	Yes
`policy`	The security policy that describes what is permitted in the request. Requests without a security policy are considered anonymous and work only on publicly writable buckets. For more information, see HTML forms and Upload examples in the Amazon Simple Storage Service User Guide. Type: String Default: None Constraints: A security policy is required if the bucket is not publicly writable.	Conditional
`success_action_redirect`, `redirect`	The URL to which the client is redirected upon a successful upload. If `success_action_redirect` is not specified, Amazon S3 returns the empty document type specified in the `success_action_status` field. If Amazon S3 cannot interpret the URL, it acts as if the field is not present. If the upload fails, Amazon S3 displays an error and does not redirect the user to a URL. Type: String Default: None Note The `redirect` field name is deprecated, and support for the `redirect` field name will be removed in the future.	No
`success_action_status`	If you don't specify `success_action_redirect`, the status code is returned to the client when the upload succeeds. This field accepts the values `200`, `201`, or `204` (the default). If the value is set to `200` or `204`, Amazon S3 returns an empty document with a 200 or 204 status code. If the value is set to `201`, Amazon S3 returns an XML document with a 201 status code. If the value is not set or if it is set to a value that is not valid, Amazon S3 returns an empty document with a 204 status code. Type: String Default: None	No
`tagging`	The specified set of tags to add to the object. To add tags, use the following encoding scheme. `<Tagging> <TagSet> <Tag> <Key>TagName</Key> <Value>TagValue</Value> </Tag> ... </TagSet> </Tagging>` For more information, see Object tagging in the Amazon Simple Storage Service User Guide. Type: String Default: None	No
`x-amz-storage-class`	The storage class to use for storing the object. If you don't specify a class, Amazon S3 uses the default storage class, `STANDARD`. Amazon S3 supports other storage classes. For more information, see Storage classes in the Amazon Simple Storage Service User Guide. Type: String Default: `STANDARD` Valid values: `STANDARD` \| `REDUCED_REDUNDANCY` \| `GLACIER` \| `GLACIER_IR` \| `STANDARD_IA` \| `ONEZONE_IA` \| `INTELLIGENT_TIERING` \| `DEEP_ARCHIVE`	No
`x-amz-meta-*`	Headers starting with this prefix are user-defined metadata. Each one is stored and returned as a set of key-value pairs. Amazon S3 doesn't validate or interpret user-defined metadata. For more information, see PutObject. Type: String Default: None	No
`x-amz-security-token`	The Amazon DevPay security token. Each request that uses Amazon DevPay requires two `x-amz-security-token` form fields: one for the product token and one for the user token. Type: String Default: None	No
`x-amz-signature`	(AWS Signature Version 4) The HMAC-SHA256 hash of the security policy. Type: String Default: None	Conditional
`x-amz-website-redirect-location`	If the bucket is configured as a website, this field redirects requests for this object to another object in the same bucket or to an external URL. Amazon S3 stores the value of this header in the object metadata. For information about object metadata, see Object key and metadata in the Amazon Simple Storage Service User Guide. In the following example, the request header sets the redirect to an object (`anotherPage.html`) in the same bucket: `x-amz-website-redirect-location: /anotherPage.html` In the following example, the request header sets the object redirect to another website: `x-amz-website-redirect-location: http://www.example.com/` For more information about website hosting in Amazon S3, see Hosting websites on Amazon S3 and How to configure website page redirects in the Amazon Simple Storage Service User Guide. Type: String Default: None Constraints: The value must be prefixed by `/`, `http://`, or `https://`. The length of the value is limited to 2 KB.	No

Additional Checksum Request Form Fields

When uploading an object, you can specify various checksums that you would like to use to verify your data integrity. You can specify one additional checksum algorithm for Amazon S3 to use. For more information about additional checksum values, see Checking object integrity in the Amazon Simple Storage Service User Guide.

Name	Description	Required
`x-amz-checksum-algorithm`	Indicates the algorithm used to create the checksum for the object. If a value is specified, you must include the matching checksum header. Otherwise, your request will generate a 400 error. Possible values include `CRC32`, `CRC32C`, `SHA1`, and `SHA256`.	No
`x-amz-checksum-crc32`	Specifies the base64-encoded, 32-bit CRC32 checksum of the object. This parameter is required if the value of `x-amz-checksum-algorithm` is `CRC32`.	Conditional
`x-amz-checksum-crc32c`	Specifies the base64-encoded, 32-bit CRC32C checksum of the object. This parameter is required if the value of `x-amz-checksum-algorithm` is `CRC32C`.	Conditional
`x-amz-checksum-sha1`	Specifies the base64-encoded, 160-bit SHA-1 digest of the object. This parameter is required if the value of `x-amz-checksum-algorithm` is `SHA1`.	Conditional
`x-amz-checksum-sha256`	Specifies the base64-encoded, 256-bit SHA-256 digest of the object. This parameter is required if the value of `x-amz-checksum-algorithm` is `SHA256`.	Conditional

Server-Side Encryption Specific Request Form Fields

Server-side encryption is data encryption at rest. Amazon S3 encrypts your data while writing it to disks in AWS data centers and decrypts your data when you access it. When uploading an object, you can specify the type of server-side encryption that you want Amazon S3 to use for encrypting the object.

There are four types of server-side encryption:

Server-side encryption with Amazon S3 managed keys (SSE-S3) – Starting May 2022, all Amazon S3 buckets have encryption configured by default. The default option for server-side encryption is with SSE-S3. Each object is encrypted with a unique key. As an additional safeguard, SSE-S3 encrypts the key itself with a root key that it regularly rotates. SSE-S3 uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data.
Server-side encryption with AWS KMS keys (SSE-KMS) – SSE-KMS is provided through an integration of the AWS KMS service with Amazon S3. With AWS KMS, you have more control over your keys. For example, you can view separate keys, edit control policies, and follow the keys in AWS CloudTrail. Additionally, you can create and manage customer managed keys or use AWS managed keys that are unique to you, your service, and your Region.
Dual-layer server-side encryption with AWS KMS keys (DSSE-KMS) – Dual-layer server-side encryption with AWS KMS keys (DSSE-KMS) is similar to SSE-KMS, but applies two individual layers of object-level encryption instead of one layer.
Server-side encryption with customer-provided keys (SSE-C) – With SSE-C, you manage the encryption keys, and Amazon S3 manages the encryption as it writes to disks, and the decryption when you access your objects.

For more information, see Protecting data using server-side encryption in the Amazon Simple Storage Service User Guide.

Depending on which type of server-side encryption you want to use, specify the following form fields.

Use SSE-S3, SSE-KMS, or DSSE-KMS – If you want to use these types of server-side encryption, specify the following form fields in the request.

Name	Description	Required
`x-amz-server-side-encryption`	Specifies the server-side encryption algorithm to use when Amazon S3 creates an object. To use SSE-S3, specify `AES256`. To use SSE-KMS, specify `aws:kms`. To use DSSE-KMS, specify `aws:kms:dsse`. Type: String Valid Value: `aws:kms`, `AES256`, `aws:kms:dsse`	Yes
`x-amz-server-side-encryption-aws-kms-key-id`	If the `x-amz-server-side-encryption` header has a valid value of `aws:kms` or `aws:kms:dsse`, this header specifies the ID of the AWS KMS key that was used to encrypt the object. Type: String	Yes, if the value of `x-amz-server-side-encryption` is `aws:kms` or `aws:kms:dsse`
`x-amz-server-side-encryption-context`	If `x-amz-server-side-encryption` has a valid value of `aws:kms` or `aws:kms:dsse`, this header specifies the encryption context for the object. The value of this header is a base64-encoded UTF-8 string that contains JSON-formatted key-value pairs for the encryption context. Type: String	No
`x-amz-server-side-encryption-bucket-key-enabled`	If `x-amz-server-side-encryption` has a valid value of `aws:kms` or `aws:kms:dsse`, this header specifies whether Amazon S3 should use an S3 Bucket Key with SSE-KMS or DSSE-KMS. Setting this header to `true` causes Amazon S3 to use an S3 Bucket Key for object encryption with SSE-KMS or DSSE-KMS. Type: Boolean	No

Note

If you specify x-amz-server-side-encryption:aws:kms or x-amz-server-side-encryption:aws:kms:dsse, but do not provide x-amz-server-side-encryption-aws-kms-key-id, Amazon S3 uses the AWS managed key (aws/S3) to protect the data.

Use SSE-C – If you want to manage your own encryption keys, you must provide all the following form fields in the request.

Note

If you use SSE-C, the ETag value that Amazon S3 returns in the response is not the MD5 of the object.

Name Description Required

Name	Description	Required
`x-amz-server-side-encryption-customer-algorithm`	Specifies the algorithm to use to when encrypting the object. Type: String Default: None Valid Value: `AES256` Constraints: Must be accompanied by valid `x-amz-server-side-encryption-customer-key` and `x-amz-server-side-encryption-customer-key-MD5` fields.	Yes
`x-amz-server-side-encryption-customer-key`	Specifies the customer-provided base64-encoded encryption key for Amazon S3 to use in encrypting data. This value is used to store the object, and then it is discarded. Amazon does not store the encryption key. The key must be appropriate for use with the algorithm specified in the `x-amz-server-side-encryption-customer-algorithm` header. Type: String Default: None Constraints: Must be accompanied by valid `x-amz-server-side-encryption-customer-algorithm` and `x-amz-server-side-encryption-customer-key-MD5` fields.	Yes
`x-amz-server-side-encryption-customer-key-MD5`	Specifies the base64-encoded 128-bit MD5 digest of the encryption key according to RFC 1321. Amazon S3 uses this header for a message-integrity check to ensure that the encryption key was transmitted without error. Type: String Default: None Constraints: Must be accompanied by valid `x-amz-server-side-encryption-customer-algorithm` and `x-amz-server-side-encryption-customer-key` fields.	Yes

x-amz-server-side-encryption-customer-algorithm

Specifies the algorithm to use to when encrypting the object.

Type: String

Default: None

Valid Value: AES256

Constraints: Must be accompanied by valid x-amz-server-side-encryption-customer-key and x-amz-server-side-encryption-customer-key-MD5 fields.

Yes

x-amz-server-side-encryption-customer-key

Specifies the customer-provided base64-encoded encryption key for Amazon S3 to use in encrypting data. This value is used to store the object, and then it is discarded. Amazon does not store the encryption key. The key must be appropriate for use with the algorithm specified in the x-amz-server-side-encryption-customer-algorithm header.

Type: String

Default: None

Constraints: Must be accompanied by valid x-amz-server-side-encryption-customer-algorithm and x-amz-server-side-encryption-customer-key-MD5 fields.

Yes

x-amz-server-side-encryption-customer-key-MD5

Specifies the base64-encoded 128-bit MD5 digest of the encryption key according to RFC 1321. Amazon S3 uses this header for a message-integrity check to ensure that the encryption key was transmitted without error.

Type: String

Default: None

Constraints: Must be accompanied by valid x-amz-server-side-encryption-customer-algorithm and x-amz-server-side-encryption-customer-key fields.

Yes

Responses

Response Headers

This implementation of the operation can include the following response headers in addition to the response headers common to all responses. For more information, see Common Response Headers.

Name	Description
`x-amz-checksum-crc32`	The base64-encoded, 32-bit CRC32 checksum of the object. Type: String
`x-amz-checksum-crc32c`	The base64-encoded, 32-bit CRC32C checksum of the object. Type: String
`x-amz-checksum-sha1`	The base64-encoded, 160-bit SHA-1 digest of the object. Type: String
`x-amz-checksum-sha256`	The base64-encoded, 256-bit SHA-256 digest of the object. Type: String
`x-amz-expiration`	If an `Expiration` action is configured for the object as part of the bucket's lifecycle configuration, Amazon S3 returns this header. The header value includes an `expiry-date` component and a URL-encoded `rule-id` component. For version-enabled buckets, this header applies only to current versions. Amazon S3 does not provide a header to indicate when a noncurrent version is eligible for permanent deletion. For more information, see PutBucketLifecycleConfiguration. Type: String
`success_action_redirect, redirect`	The URL to which the client is redirected on a successful upload. Type: String Ancestor: PostResponse
`x-amz-server-side-encryption`	The server-side encryption algorithm that was used when storing this object in Amazon S3 (for example, `AES256`, `aws:kms`, `aws:kms:dsse`). Type: String
`x-amz-server-side-encryption-aws-kms-key-id`	If the `x-amz-server-side-encryption` header has a valid value of `aws:kms`, this header specifies the ID of the KMS key that was used to encrypt the object. Type: String
`x-amz-server-side-encryption-bucket-key-enabled`	If `x-amz-server-side-encryption` has a valid value of `aws:kms`, this header indicates whether the object is encrypted with SSE-KMS by using an S3 Bucket Key. If this header is set to `true`, the object uses an S3 Bucket Key with SSE-KMS. Type: Boolean
`x-amz-server-side-encryption-customer-algorithm`	If SSE-C was requested, the response includes this header, which confirms the encryption algorithm that was used. Type: String Valid Values: `AES256`
`x-amz-server-side-encryption-customer-key-MD5`	If SSE-C was requested, the response includes this header to verify round-trip message integrity of the customer-provided encryption key. Type: String
`x-amz-version-id`	Version of the object. Type: String

Response Elements

Name	Description
`Bucket`	The name of the bucket that the object was stored in. Type: String Ancestor: PostResponse
`ETag`	The entity tag (ETag) is an MD5 hash of the object that you can use to do conditional `GET` operations by using the `If-Modified` request tag with the `GET` request operation. `ETag` reflects changes only to the contents of an object, not to its metadata. Type: String Ancestor: PostResponse
`Key`	The object key name. Type: String Ancestor: PostResponse
`Location`	The URI of the object. Type: String Ancestor: PostResponse

Special Errors

This implementation of the operation does not return special errors. For general information about Amazon S3 errors and a list of error codes, see Error Responses.

Examples

Sample Request


POST /Neo HTTP/1.1
Content-Length: 4
Host: quotes.s3.amazonaws.com
Date: Wed, 01 Mar  2006 12:00:00 GMT
Authorization: authorization string
Content-Type: text/plain
Expect: the 100-continue HTTP status code

ObjectContent

Sample Response with Versioning Suspended

The following is a sample response when bucket versioning is suspended:


HTTP/1.1 100 Continue
HTTP/1.1 200 OK
x-amz-id-2: LriYPLdmOdAiIfgSm/F1YsViT1LW94/xUQxMsF7xiEb1a0wiIOIxl+zbwZ163pt7
x-amz-request-id: 0A49CE4060975EAC
x-amz-version-id: default
Date: Wed, 12 Oct 2009 17:50:00 GMT
ETag: "1b2cf535f27731c974343645a3985328"
Content-Length: 0
Connection: close
Server: AmazonS3

In this response, the version ID is null.

Sample Response with Versioning Enabled

The following is a sample response when bucket versioning is enabled.


HTTP/1.1 100 Continue
HTTP/1.1 200 OK
x-amz-id-2: LriYPLdmOdAiIfgSm/F1YsViT1LW94/xUQxMsF7xiEb1a0wiIOIxl+zbwZ163pt7
x-amz-request-id: 0A49CE4060975EAC
x-amz-version-id: 43jfkodU8493jnFJD9fjj3HHNVfdsQUIFDNsidf038jfdsjGFDSIRp
Date: Wed, 01 Mar  2006 12:00:00 GMT
ETag: "828ef3fdfa96f00ad9f27c383fc9ac7f"
Content-Length: 0
Connection: close
Server: AmazonS3

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Browser-Based Uploads Using POST

Versioning