We have files stored in an S3 bucket which we want to programatically grant time-limited access to. Historically, we've used S3 pre-signed URLs for this; however, we've recently moved to using IAM instance roles rather than IAM users and so the maximum duration on these pres-signed URLs is 6 hours.
One option is to put this bucket behind a Cloudfront distribution and use Cloudfront signed URLs; however, this seems to require managing private keys and distributing them to each server (and not, say, using KMS). This seems more complicated and potentially error-prone than S3 pre-signed URLs. As these URLs will only be distributed internally, we wouldn't gain much from Cloudfront's caching etc.
We could also use S3 Object Lambda or proxy the object inside our application; however, these both require writing custom code.
Are there any good alternative solutions for our use case?
Thanks - I didn't know about Access Grant! Unfortuantely I don't think it quite works for us as many of the staff accessing these files will be non-technical, so at that point we'd have to proxy the files through a lambda/website (at which point we might as well just do the authentication there).