The limitation you're experiencing with S3 PresignedURLs is indeed a challenge for your use case, as these URLs are designed for temporary, time-limited access. Unfortunately, there isn't a way to make S3 PresignedURLs "permanent" as they are inherently designed to expire for security reasons.
However, there are alternative approaches you can consider to address this issue:
- IAM Role for Lambda: Instead of using a PresignedURL, you could assign an IAM role to your Lambda@Edge function that grants it permission to access the S3 bucket directly. This would allow permanent access without the need for PresignedURLs.
- Caching: You could implement a caching mechanism in your Lambda@Edge function to store the redirects in memory. You'd still need to refresh the cache periodically (e.g., every 6 days if using CLI-generated PresignedURLs), but this would reduce the frequency of S3 access.
- DynamoDB: Using DynamoDB instead of S3 could indeed be a good alternative. DynamoDB doesn't use PresignedURLs, so you wouldn't face the same expiration issues. You would set up IAM permissions for your Lambda function to access the DynamoDB table directly. This approach would likely be more efficient for frequent read operations.
To use DynamoDB:
- Create a DynamoDB table to store your redirects.
- Grant your Lambda@Edge function permissions to read from this table.
- Modify your Lambda function to query DynamoDB instead of S3.
- Use the AWS SDK in your Lambda function to interact with DynamoDB.
Using DynamoDB would eliminate the time limitation you're experiencing with S3 PresignedURLs, providing a more permanent solution for managing your redirects.
Remember to consider factors like read capacity units, pricing, and potential cold starts when deciding between S3 and DynamoDB for your use case.
To ensure your redirects are permanent and secure without relying on expiring S3 Presigned URLs, you can store your redirects.json file in a DynamoDB table instead. This eliminates the time-based limitation of Presigned URLs and maintains the security of your data.
Ref: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Query.html
Hello,
If you want to keep using an S3 bucket to update the JSON file, then you can:
- create a bucket in the us-east-1 region (Lambda@Edge is deployed in us-east-1, and thus you won't face cross-region transfer cost)
- create an IAM Role with permissions to read the JSON file from the bucket
- assign the role to your Lambda@Edge
Otherwise, as proposed by other replies, you can use a DynamoDB table as your redirects store. This has several upsides:
- your Lambda@Edge won't need to download a whole file, as it would in the S3 case
- Lambda@Edge would query the DynamoDB table with the actually requested URLs
- Lambda@Edge could use an in-memory LRU cache to reduce the number of read requests sent to your DynamoDB
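
The DynamoDB lookup with an in-memory LRU cache suggested in the replies above, sketched as a Lambda@Edge viewer-request handler. This is an added example, not code from any of the posters. The table name `redirects`, its attributes `path` and `target`, the region, and the cache size and TTL are assumptions; access comes from the function's execution role (only `dynamodb:GetItem` on that table), so no presigned URL or other credential appears in the code.

```python
import time
from collections import OrderedDict

TABLE_NAME = "redirects"    # assumed table name; partition key "path" (string)
TABLE_REGION = "us-east-1"  # assumed; pinned because edge functions run in many regions
CACHE_SIZE = 512            # assumed maximum number of cached paths
CACHE_TTL = 300             # assumed seconds before a cached entry is re-read

_cache = OrderedDict()      # path -> (expires_at, target or None)
_client = None


def dynamodb_lookup(path):
    """Read one redirect using the execution role; returns the target URL or None."""
    global _client
    if _client is None:
        import boto3  # available in the Lambda Python runtime
        _client = boto3.client("dynamodb", region_name=TABLE_REGION)
    item = _client.get_item(TableName=TABLE_NAME, Key={"path": {"S": path}}).get("Item")
    return item["target"]["S"] if item else None


def cached_lookup(path, lookup=dynamodb_lookup, now=time.time):
    """LRU cache with TTL; misses are cached too, so unknown paths don't hit the table."""
    entry = _cache.get(path)
    if entry and entry[0] > now():
        _cache.move_to_end(path)      # mark as most recently used
        return entry[1]
    target = lookup(path)
    _cache[path] = (now() + CACHE_TTL, target)
    _cache.move_to_end(path)
    if len(_cache) > CACHE_SIZE:
        _cache.popitem(last=False)    # evict the least recently used entry
    return target


def handler(event, context, lookup=dynamodb_lookup):
    request = event["Records"][0]["cf"]["request"]
    target = cached_lookup(request["uri"], lookup)
    if target is None:
        return request                # no redirect stored: pass the request through
    return {
        "status": "301",
        "statusDescription": "Moved Permanently",
        "headers": {"location": [{"key": "Location", "value": target}]},
    }
```

The cache lives only as long as the warm execution environment, and the TTL bounds how long an edited or deleted redirect keeps being served from memory.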
