
How to increase S3 presigned URL time?

0

ref: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-presigned-url.html#PresignedUrl-Expiration

Currently, I am using an IAM instance profile to generate a temporary security token, which I then use with the AWS SDK to generate a pre-signed S3 URL. However, my goal is for the pre-signed URL to be valid for 10 hours. Right now, the URL expires after 1 hour because the temporary token itself is valid for only 1 hour.

I would like to achieve the following:

  • Extend the duration of the pre-signed URL to 10 hours. How can I configure this in my current setup?
  • Handle token expiration. Since the URL expires when the temporary token expires, what is the best approach to automatically refresh the token and generate a new pre-signed URL?

Providing my Go implementation:

    // session.NewSession returns (*session.Session, error); check err before using sess.
    sess, err := session.NewSession(&aws.Config{
        Region:           aws.String(region),
        EndpointResolver: getResolverForEnv(env),
    })
    c := s3.New(sess, cfg)

2 Answers
1

I would recommend creating another IAM role that you intend to use for signing the pre-signed URLs. Use your code to assume that role (instead of the instance profile) when creating the S3 pre-signed URLs. You will be able to set the timeout for credentials provided by that role.

General documentation about assuming roles (includes info about timeouts): https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html

Go specific: https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/sts#Client.AssumeRole

AWS
answered a year ago
-1

To increase the duration of your S3 presigned URL and handle token expiration, you can make a few adjustments to your current setup:

  1. Extending the presigned URL duration: When using the AWS SDK to generate presigned URLs, you can specify a longer expiration time. The maximum allowed expiration time for presigned URLs is 7 days from the time of creation. To set a 10-hour expiration, you can modify your code to include the expiration time when creating the presigned URL.

    In your Go implementation, you can use the s3.Presign() method with a custom request duration. Here's an example:

    // Build the GetObject request, then presign it with the desired lifetime.
    req, _ := c.GetObjectRequest(&s3.GetObjectInput{
        Bucket: aws.String("your-bucket"),
        Key:    aws.String("your-object-key"),
    })
    url, err := req.Presign(10 * time.Hour)

    This will create a presigned URL that's valid for 10 hours.

  2. Handling token expiration: Since your temporary security token from the IAM instance profile is only valid for 1 hour, you'll need to implement a mechanism to refresh the token and regenerate the presigned URL before it expires. Here are some approaches you can consider:

    a. Implement a background process or scheduled task that runs periodically (e.g., every 50 minutes) to refresh the token and generate a new presigned URL.

    b. Use a caching mechanism to store the presigned URL along with its expiration time. When a request for the URL is made, check if the cached URL is still valid. If it's close to expiration or has expired, generate a new one.

    c. Implement lazy loading: Generate a new presigned URL only when it's requested and the current one has expired or is close to expiring.

    To refresh the token, you can create a new session using the instance profile credentials:

    sess, err := session.NewSessionWithOptions(session.Options{
        SharedConfigState: session.SharedConfigEnable,
    })

    Then use this new session to create the S3 client and generate the presigned URL as shown earlier.

Remember to handle errors and implement proper logging and monitoring to ensure your system is generating and using valid presigned URLs consistently.

By implementing these changes, you should be able to generate presigned URLs that are valid for 10 hours and handle the token expiration issue effectively.
Sources
Sharing objects with presigned URLs - Amazon Simple Storage Service
Creating a presigned URL for Amazon S3 objects using AWS CloudShell - AWS CloudShell

answered a year ago
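
The question notes that the URL stops working when the temporary token expires, whatever lifetime was requested at signing time. The following is an added example, not code from either answer or from the AWS SDK: it reads the SigV4 query parameters of a presigned URL and returns the earlier of the requested expiry and the signing credentials' expiry, which is the value a cache or refresh job should compare against. The function names and the sample URL are constructed for illustration, and the credential expiry is assumed to be supplied by the caller because it is not carried in the URL.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
	"time"
)

// Constructed sample: signed 2024-05-01 08:00:00Z, 10 h requested, placeholder secrets.
const sampleURL = "https://example-bucket.s3.amazonaws.com/report.pdf" +
	"?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20240501T080000Z" +
	"&X-Amz-Expires=36000&X-Amz-Security-Token=PLACEHOLDER&X-Amz-Signature=PLACEHOLDER"

// EffectiveExpiry returns when the URL really stops working: the earlier of
// X-Amz-Date + X-Amz-Expires and credExpiry (zero time = long-lived credentials).
func EffectiveExpiry(presigned string, credExpiry time.Time) (time.Time, error) {
	u, err := url.Parse(presigned)
	if err != nil {
		return time.Time{}, err
	}
	q := u.Query()
	signedAt, err := time.Parse("20060102T150405Z", q.Get("X-Amz-Date"))
	if err != nil {
		return time.Time{}, fmt.Errorf("bad X-Amz-Date: %w", err)
	}
	secs, err := strconv.Atoi(q.Get("X-Amz-Expires"))
	if err != nil || secs <= 0 || secs > 7*24*3600 { // 7-day ceiling for presigned URLs
		return time.Time{}, fmt.Errorf("bad X-Amz-Expires %q", q.Get("X-Amz-Expires"))
	}
	expiry := signedAt.Add(time.Duration(secs) * time.Second)
	// A session token in the query string means temporary credentials signed the URL.
	if q.Get("X-Amz-Security-Token") != "" && !credExpiry.IsZero() && credExpiry.Before(expiry) {
		expiry = credExpiry
	}
	return expiry, nil
}

// NeedsRefresh reports whether a cached URL should be regenerated at time now,
// keeping a safety margin before the effective expiry. Unparseable URLs refresh.
func NeedsRefresh(presigned string, credExpiry, now time.Time, margin time.Duration) bool {
	exp, err := EffectiveExpiry(presigned, credExpiry)
	return err != nil || !now.Before(exp.Add(-margin))
}

func main() {
	credExpiry := time.Date(2024, 5, 1, 9, 0, 0, 0, time.UTC) // 1 h instance-profile token
	exp, err := EffectiveExpiry(sampleURL, credExpiry)
	fmt.Println(exp, err) // effective expiry is the token's, not signedAt + 10 h
}
```
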
