Reputation: 1198
AWS S3 pre signed URL without Expiry date
Is there any way that I can generate Pre-Signed URL's without any expiry date ? I'm developing a Email app where my attachments will be saved in S3. Also please let me know what is the best way to download attachments via JavaScript SDK.
I'm using below code
var params = {Bucket: 'bucket', Key: 'key', Expires: 60};
var url = s3.getSignedUrl('getObject', params);
console.log('The URL is', url);
Upvotes: 117
Views: 151817
Answers (6)
Reputation: 4488
For this specific user case you should create a proxy. So, in your e-mails you can provide a image link which get an image from your backend instead of directly from S3.
Here an example using javascript, but you can adapt it for your own needs:
const express = require("express");
const { GetObjectCommand, S3Client } = require("@aws-sdk/client-s3");
const app = express();
const port = 5000;
const client = new S3Client({});
// proxy for /photos/object-key
app.get("*", async function (req, res, next) {
console.log(req.url);
if (req.url.startsWith("/photos")) {
const command = new GetObjectCommand({
Bucket: "test-bucket",
Key: req.url.slice(7), // remove '/photos' from req.url
});
try {
const response = await client.send(command);
const str = await response.Body.transformToByteArray();
res.writeHead(200, { "Content-Type": "image/jpeg" });
res.write(str, "binary");
res.end(null, "binary");
} catch (err) {
console.error(err);
}
} else {
return next();
}
});
app.listen(port, () => {
console.log(`Example app listening on port ${port}`);
});
In this way, you'll be able to use in your emails https://your-production-url/photos/whatever-your-object-key-is.jpg without any problem.
Upvotes: 0
Reputation: 1545
Not sure if you want to save the attachments indefinitely. Nonetheless, one option could be that you use an API Gateway. You will need to handle authentication and authorization yourself. You could use a token for instance that you can compare with a token in your database. The token grants access to one certain file and is part of the request URL (or it's request headers). But first on how to generate the "pre-signed URL":
- when an attachment is uploaded to S3 you generate a token, i.e. JWT token, with the file name.
- Save the token in a DynamoDB, possibly with an expiry date, if needed
- Return the API Gateway URL and the generated token to the user, e.g. https://get-your-attachment.io/download?token=123
- If the token expires use DynamoDB streams to find the file in S3 and remove it from S3 to have it cleaned up
If a user wants to download a file, they open the URL provided in step 3. The API Gateway calls an authorization Lambda. This Lambda checks that the token is still in the DynamoDB. If so, the request triggers another Lambda function which will extract the file name out of the token and return the file. You have to return the file encoded, set the response headers properly and take care of the service limits.
If the download can only be done from within your app and the link cannot be shared nor used outside of the app, then you could skip returning the file through the API Gateway. Authorization will stay as described above. But instead of returning the file, the Lambda function returns a pre-signed URL, valid for maybe 10 minutes. Your app uses the URL for another request and receives the file from S3.
As for the second part of your question on how to download the files as simple fetch(preSignedS3URL) will be enough.
Upvotes: 1
Reputation: 1
On client you could do:
const image = image.split('&Expires')[0]
That's one of the workarounds that i used
Upvotes: -15
Reputation: 78573
It depends on how you generate the S3 pre-signed URL. Specifically, which signature version you use and what type of IAM credentials you use.
The credentials that you can use to create a pre-signed URL include:
- IAM instance profile (temporary, rotated credentials): valid up to 6 hours
- STS (temporary credentials): valid up to 36 hours
- IAM user (long-term credentials): valid up to 7 days when using signature v4
- IAM user (long-term credentials): valid till the end of the epoch when using signature v2
Note specifically:
- signature v2 is potentially deprecated
- the expiration limit for signature v2 is different to signature v4
- signature v4 offers some security and efficiency benefits over v2
- if you use STS credentials to generate a pre-signed URL then the URL will expire when the STS credentials expire, if that is earlier than the explicit expiration that you requested for the pre-signed URL
- creating pre-signed URLs that are valid till the end of the epoch is not the best security practice
For more, see:
- Why is my pre-signed URL for an Amazon S3 bucket expiring early?
- What is the longest expiration time for amazon s3 generated link?
Upvotes: 43
Reputation: 1800
A somewhat solution for you might be to make the AWS CloudFront distribution that serves your S3 bucket with limited access to only Distribution Origin Access Identity and then using CloudFront Signed urls. Which expiry time can be even in years. So for unlimited or semi-unlimited urls I would recommend such solution.
Upvotes: 20
Related Questions
- boto3 s3 generate_presigned_url ExpiresIn doesn't work as expected
- How to generate an AWS S3 Pre-Signed URL
- Is there a way to set time-limit for pre-signed url in s3?
- expired s3 presigned url
- Presigned S3 url valid after expiry time
- Does an S3 signed url expire during the action?
- Best practice to handle aws s3 presigned URL expiration date
- Amazon S3 pre-signed URLs
- AWS S3 Presign Url always expiring at the same time?
- setting expiration on s3 signed Url