Reputation: 1203
I have a large dataset stored in an AWS S3 bucket. The access to the S3 bucket is non-public and I am using API Gateway to perform authorization before the S3 bucket can be accessed. Authorized users are returned a signed URL using the S3.getSignedUrl() API call, which they could use to fetch the large object.
My question is regarding the semantics of the expiry duration passed in the parameter object to the getSignedUrl call.
var params = {Bucket: 'bucket', Key: 'key', Expires: 60};
var url = s3.getSignedUrl('getObject', params);
My understanding is that the URL expires after the Expires duration (60 seconds in this example).
The question is: Can I use a short expiry URL that returns a large object for which the GET request itself might take much longer (say 15 minutes)?
params (map) — parameters to pass to the operation. See the given operation for the expected operation parameters. In addition, you can also pass the "Expires" parameter to inform S3 how long the URL should work for (emphasis added).
I want to avoid having to provide longer expiration duration than necessary from a security point of view. I am trying to understand the meaning of 'how long the URL should work for' in the documentation.
Intuitively, I feel the getSignedUrl() returns a signed URL that is valid for 60 secs (in this example) and if a GET request is triggered within the expiry of the signed URL, AWS will authorize the request and fulfill the request even if it takes 15 mins to stream the object back to the requestor. This should work as long as the GET request to the underlying object is issued prior to expiry. Is this correct?
Upvotes: 1
Views: 2285
Reputation: 13127
Under the assumption that your large object can be downloaded in a single GET request, that is correct: authorization happens when you issue that request.
If you need multiple GET requests with the range-header, each of these is authorized separately.
I tried it:
$ URL=$(aws s3 presign s3://mb-demo-bucket-2020/130MB.txt --expires-in=10)
$ wget -q $URL
Time: 0h:00m:23s
The download takes 23 seconds and the URL was only valid for 10 seconds.
Upvotes: 2
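A model of the behaviour described in this answer, as an added example that is not part of the original posts: it reads the validity window from a SigV4 presigned URL and checks each request against that window at the moment the request is issued. The sample URL, its placeholder credential and signature, and the function names are constructed for illustration; nothing here contacts AWS.

```javascript
// Constructed sample: bucket, key, credential and signature are placeholders.
const SAMPLE_URL =
  'https://example-bucket.s3.amazonaws.com/130MB.txt' +
  '?X-Amz-Algorithm=AWS4-HMAC-SHA256' +
  '&X-Amz-Credential=AKIAEXAMPLE%2F20200101%2Fus-east-1%2Fs3%2Faws4_request' +
  '&X-Amz-Date=20200101T120000Z&X-Amz-Expires=10' +
  '&X-Amz-SignedHeaders=host&X-Amz-Signature=0000placeholder';

// Read the signing time and expiry (ms since epoch) from a SigV4 presigned URL.
function validityWindow(presignedUrl) {
  const q = new URL(presignedUrl).searchParams;
  const expires = Number(q.get('X-Amz-Expires'));
  const m = /^(\d{4})(\d{2})(\d{2})T(\d{2})(\d{2})(\d{2})Z$/
    .exec(q.get('X-Amz-Date') || '');
  if (!m || !Number.isInteger(expires) || expires <= 0) {
    throw new Error('not a SigV4 presigned URL');
  }
  const signedAt = Date.UTC(+m[1], m[2] - 1, +m[3], +m[4], +m[5], +m[6]);
  return { signedAt, expiresAt: signedAt + expires * 1000 };
}

// Model of the answer: a request is authorized once, when it is issued.
// requests: [{ startOffsetSec, durationSec }], offsets relative to signing time.
function evaluateRequests(presignedUrl, requests) {
  const { signedAt, expiresAt } = validityWindow(presignedUrl);
  return requests.map((r) => {
    const issuedAt = signedAt + r.startOffsetSec * 1000;
    const finishedAt = issuedAt + r.durationSec * 1000;
    return {
      authorized: issuedAt < expiresAt,          // checked at request start
      finishedAfterExpiry: finishedAt > expiresAt, // transfer may outlive the URL
    };
  });
}

// One GET issued 2 s after signing that streams for 23 s (10 s URL).
function singleGet() {
  return evaluateRequests(SAMPLE_URL, [{ startOffsetSec: 2, durationSec: 23 }]);
}

// The same object fetched as three sequential Range requests of 8 s each.
function rangedGets() {
  return evaluateRequests(SAMPLE_URL, [0, 8, 16].map((s) => (
    { startOffsetSec: s, durationSec: 8 })));
}

console.log(singleGet(), rangedGets());
```

With the ranged plan, the third request starts after the 10-second window and is the one that fails, so a client that resumes or chunks a download needs a URL whose lifetime covers the start of its last request.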