Expired S3 presigned URL


I have an image that I've uploaded to S3 using a presigned URL. At first, the image was viewable when...

  1. used in my app's image_tag, or
  2. used in an <img src=""> of any html doc.

...however, it was not viewable when copy-pasted into my browser.

Now that the expiration date has passed, the image is still viewable...but only when requested by my app. Isn't the expiration date supposed to prevent access?

I read somewhere that the expiration date was only supposed to impact file uploading, but responses to this question state otherwise.


There are 2 answers

0
Shahar Yakov On BEST ANSWER

The expiration is relevant to the URL only, not to the object itself. If you upload an object using a pre-signed URL and configure the pre-signed URL with a public-read ACL, the object will be public to anyone. Still, if you upload it with a private ACL configuration, you could only upload this object. To read it, you need to create a new pre-signed URL with the getObject operation. I wrote an article on how to work with pre-signed URLs; it is in Node.js, but I think it could help you. Check out the code snippets.

https://www.altostra.com/blog/aws-s3-presigned-url

0
Abba On

I think your app itself is requesting a presigned URL from S3 every time you load the page, so you actually get a new presigned URL to view the image.

If you don't specify the expiry date when you are creating the presigned URL, then the default expiry will apply. This link has the expiry values.

Anyone with valid security credentials can create a presigned URL. However, in order to successfully access an object, the presigned URL must be created by someone who has permission to perform the operation that the presigned URL is based upon.

The credentials that you can use to create a presigned URL include:

IAM instance profile: Valid up to 6 hours

AWS Security Token Service: Valid up to 36 hours when signed with permanent credentials, such as the credentials of the AWS account root user or an IAM user

IAM user: Valid up to 7 days when using AWS Signature Version 4

To create a presigned URL that's valid for up to 7 days, first designate IAM user credentials (the access key and secret access key) to the SDK that you're using. Then, generate a presigned URL using AWS Signature Version 4.

If you created a presigned URL using a temporary token, then the URL expires when the token expires, even if the URL was created with a later expiration time.

Depending on how you create the presigned URLs, they can be used either for object sharing (e.g. image viewing) or for object uploading to S3. They are different types of URLs, as each one has a different set of permissions attached to it, so you can't use the same presigned URL for both upload and download. Anyway, in both cases you can define an expiry time for the presigned URL.
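
To check the points raised in the answers above (whether a given URL has really expired, and whether the app is handing out a freshly signed URL on each page load), you can read the expiry straight out of the URL's SigV4 query parameters. The following is an added example, not code from either answer or from the linked article; the sample URL, bucket, credential and signature are constructed placeholders, and `inspectPresignedUrl` is a hypothetical helper name.

```javascript
// Added example: inspect a SigV4 presigned S3 URL offline, without calling AWS.
// SAMPLE_URL is constructed sample data; bucket, key, credential and signature are placeholders.
const SAMPLE_URL =
  "https://example-bucket.s3.amazonaws.com/uploads/cat.png" +
  "?X-Amz-Algorithm=AWS4-HMAC-SHA256" +
  "&X-Amz-Credential=AKIAEXAMPLE%2F20240101%2Fus-east-1%2Fs3%2Faws4_request" +
  "&X-Amz-Date=20240101T120000Z" +
  "&X-Amz-Expires=900" +
  "&X-Amz-SignedHeaders=host" +
  "&X-Amz-Signature=0000placeholder";

const MAX_SIGV4_EXPIRES = 7 * 24 * 60 * 60; // 7 days in seconds, the SigV4 ceiling

// Parse "YYYYMMDDTHHMMSSZ" (the X-Amz-Date format) into a UTC Date.
function parseAmzDate(s) {
  const m = /^(\d{4})(\d{2})(\d{2})T(\d{2})(\d{2})(\d{2})Z$/.exec(s || "");
  if (!m) throw new Error("missing or malformed X-Amz-Date");
  const [y, mo, d, h, mi, se] = m.slice(1).map(Number);
  return new Date(Date.UTC(y, mo - 1, d, h, mi, se));
}

// Hypothetical helper: report when the URL was signed and when it stops being valid.
function inspectPresignedUrl(url, now = new Date()) {
  const q = new URL(url).searchParams;
  if (q.get("X-Amz-Algorithm") !== "AWS4-HMAC-SHA256") {
    throw new Error("not a SigV4 presigned URL");
  }
  const expires = Number(q.get("X-Amz-Expires"));
  if (!Number.isInteger(expires) || expires < 1 || expires > MAX_SIGV4_EXPIRES) {
    throw new Error("X-Amz-Expires missing or outside 1..604800 seconds");
  }
  const signedAt = parseAmzDate(q.get("X-Amz-Date"));
  const expiresAt = new Date(signedAt.getTime() + expires * 1000);
  return {
    signedAt,
    expiresAt,
    expired: now >= expiresAt,
    // Signed with temporary credentials: the URL stops working when the
    // token expires, even if expiresAt is later.
    temporaryCredentials: q.has("X-Amz-Security-Token"),
  };
}

console.log(inspectPresignedUrl(SAMPLE_URL, new Date("2024-01-01T12:10:00Z")));
```

Running this on the image URL from two separate page loads shows whether `signedAt` changes between them, which is what you would see if the app signs a new URL on every render.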