Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
581 views
in Technique[技术] by (71.8m points)

java - What is the longest expiration time for amazon s3 generated link?

I've tried to set expiration date 2100 year, but it says that it's invalid. Or is it possible to make it permanent somehow?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

For URLs signed with S3 Signature Version 2, the time limit appears to be the end of the Unix epoch in 2038, but for Signature Version 4, the limit is 7 days, because the signing keys in V4, themselves, have a maximum validity of 7 days.

If you are unfamiliar with the difference, between V2 and V4, an easy way to differentiate between them is that V2 URLs include &Expires= while V4 URLs use &X-Amz-Expires=.

Importantly, though, the signature using either algorithm is immediately invalidated if you deactivate the IAM user credentials (access key/secret) that were used to sign the URL... which you should at some point be planning to do, because rotation of credentials is considered a best practice (or, if not that, then because your credentials might one day be compromised, or be suspected of having been compromised).

So a signed URL for an S3 object should not be considered permanent.

If making the object public is not desired, then the next best approach is for your application (or any kind of HTTP endpoint that you control) to validate the user's permission to download the object (perhaps based on your application's cookies), and then generate a short-lived signed URL and return a redirect. The browser should immediately follow it and fetch the object, but not cache the redirect, since you've indicated that the original URL should be used for subsequent requests, with the 302 response code.

The notable headers in the HTTP response from your application would look something like this:

HTTP/1.1 302 Found
Location: https://...generated-signed-url-here...

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...