Generating cacheable presigned URL with S3? #2146
Comments
https://aws.amazon.com/blogs/aws/amazon-s3-update-sigv2-deprecation-period-extended-modified/ SigV2 can still be used, but it's not recommended, and is not the default.
@spfink Thanks for the response! What about the default S3 signer, is there a sunset day for that? And what do you suggest we do to proceed on this? Should I submit a feature request through our AWS TAM or support channel? Is there a workaround for this? We are serving private contents to our users with an expiry of an hour. Within the hour, the content can get a lot of views. As a result, we would like to be able to cache it in the CDN and the browser.
There are no plans to remove the sigv2 signer from the SDK. You can specify the signer to use directly through ClientConfiguration. I believe the sigv2 signer would be specified as "S3SignerType"
Thanks! Can I add a feature request for the SDK to allow overwriting the date parameter in the V4 signer? I can see that there is already the ability to do so in the code but that's only for testing at the moment.
Which method are you using for generating a presigned url? Both the request object: And the methods in the S3 client: Allow you to specify the expiration date.
As mentioned in the original post, the generated V4 URL has a date component in it such as
Picking this up after a long time, I'm sorry for the long silence here @jackyjjc-canva. As @spfink mentioned, you can specify the expiration date to

```java
// Set the pre-signed URL to expire after one hour.
java.util.Date expiration = new java.util.Date();
long expTimeMillis = expiration.getTime();
expTimeMillis += 1000 * 60 * 60;
expiration.setTime(expTimeMillis);
GeneratePresignedUrlRequest generatePresignedUrlRequest =
        new GeneratePresignedUrlRequest(BUCKET, KEY)
                .withMethod(HttpMethod.GET)
                .withExpiration(expiration);
```

and the generated url will contain both

Please let us know if this is not what you're looking for.
@debora-ito Hi, thank you for the follow up! I think I didn't explain the use case clearly. We use the url signer to give user access to private S3 contents. User will then use their browser to access this content via the url generated. The flow goes like this:
This negatively impacts our user experience since the user needs to load all these large images on every page refresh due to the non-cacheable S3 urls. With
@debora-ito Hi! Just to follow up on this ticket. I have responded, do you mind removing the
Hello there! I'm facing the same problem here..
Same here, we can't mock the java clock as easily as it is in other languages like ruby, js, etc!
Yes, if we could specify the signing date to be pinned, for example to the most-recent time of 00:00, 06:00, 12:00, or 18:00, and the expiration to happen twelve hours from then, we could have nicely browser-cache-friendly URLs that still had the desirable security properties of being short-lived. Is there any hope of either letting us directly specify X-Amz-Date for this purpose, or perhaps adding a “signing date resolution” parameter, to ask that it be rounded to the most recent n-hour period or day, or some such thing?
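The window-pinned signing date proposed in the comment above, as an added example (not code from the AWS SDK or from anyone in this thread): a hand-rolled SigV4 query-string presigner in plain JDK Java that rounds X-Amz-Date down to the start of a fixed window, so every URL issued inside that window is byte-identical and therefore cacheable. The class and method names, credentials, bucket and key are constructed placeholders, and the sketch assumes long-lived access keys (no X-Amz-Security-Token) and a virtual-hosted-style endpoint.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.*;
import java.time.format.DateTimeFormatter;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
public class PinnedPresign {
    static byte[] hmac(byte[] key, String msg) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(msg.getBytes(StandardCharsets.UTF_8));
    }
    static String hex(byte[] b) { // 32-byte digests only: zero-padded to 64 hex characters
        return String.format("%064x", new java.math.BigInteger(1, b));
    }
    static String enc(String s) throws Exception { // RFC 3986 percent-encoding, as SigV4 requires
        return URLEncoder.encode(s, "UTF-8").replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }
    // Round "now" down to the start of its window so every call in that window signs the same instant.
    static Instant pin(Instant now, Duration window) {
        long w = window.getSeconds();
        return Instant.ofEpochSecond(Math.floorDiv(now.getEpochSecond(), w) * w);
    }
    // Presign a GET; query parameters are emitted in the sorted order the canonical request needs.
    static String presignGet(String accessKey, String secretKey, String region, String bucket,
                             String key, Instant now, Duration window, Duration ttl) throws Exception {
        ZonedDateTime t = pin(now, window).atZone(ZoneOffset.UTC);
        String amzDate = t.format(DateTimeFormatter.ofPattern("yyyyMMdd'T'HHmmss'Z'"));
        String day = amzDate.substring(0, 8);
        String host = bucket + ".s3." + region + ".amazonaws.com";
        String scope = day + "/" + region + "/s3/aws4_request";
        String path = "/" + enc(key).replace("%2F", "/");
        String query = "X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=" + enc(accessKey + "/" + scope)
            + "&X-Amz-Date=" + amzDate + "&X-Amz-Expires=" + ttl.getSeconds() + "&X-Amz-SignedHeaders=host";
        String canonical = "GET\n" + path + "\n" + query + "\nhost:" + host + "\n\nhost\nUNSIGNED-PAYLOAD";
        String hash = hex(MessageDigest.getInstance("SHA-256").digest(canonical.getBytes(StandardCharsets.UTF_8)));
        String toSign = "AWS4-HMAC-SHA256\n" + amzDate + "\n" + scope + "\n" + hash;
        byte[] k = hmac(("AWS4" + secretKey).getBytes(StandardCharsets.UTF_8), day);
        for (String part : new String[] {region, "s3", "aws4_request"}) k = hmac(k, part);
        return "https://" + host + path + "?" + query + "&X-Amz-Signature=" + hex(hmac(k, toSign));
    }
    public static void main(String[] args) throws Exception {
        // Constructed placeholder credentials, bucket and key; two requests in one 6-hour window.
        for (String now : new String[] {"2019-11-13T00:17:01Z", "2019-11-13T05:59:59Z"})
            System.out.println(presignGet("AKIDEXAMPLE", "SECRETEXAMPLE", "us-east-1", "example-bucket",
                "img/large photo.png", Instant.parse(now), Duration.ofHours(6), Duration.ofHours(12)));
    }
}
```

Because X-Amz-Expires counts from the pinned X-Amz-Date, a URL handed out late in a window has only the TTL minus the window length left, so the TTL must exceed the window and is the upper bound on how long a leaked URL stays usable.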
+1
+1 The
+1
No resolution in 3.5 years.
@debora-ito @spfink, could you please let us know if there is any resolution for this flow?
+1 here
+1
This issue is now closed. Comments on closed issues are hard for our team to see.
My service was generating cacheable pre-signed S3 URLs using the SDK last year (2018) and from what I see, it was using S3QueryStringSigner to generate those URLs because they look like:
This is also the format generated by the cli: https://docs.aws.amazon.com/cli/latest/reference/s3/presign.html
The URL generated above is cacheable by the browser because I can control the expiry timestamp by passing it into s3.generatePresignedUrl().
However, at some point this year (2019), the default signer in the SDK has been changed to AWSS3V4Signer which generates non-cacheable URLs because the generated URL has a date component in it such as X-Amz-Date=20191113T001701Z
This date component was generated by calling currentTimeMillis() on the SDK clock: https://github.com/aws/aws-sdk-java/blob/master/aws-java-sdk-core/src/main/java/com/amazonaws/auth/internal/AWS4SignerRequestParams.java#L129, as a result, I have no control over this behaviour.
I can see that the signer is selected using this logic: https://github.com/aws/aws-sdk-java/blob/master/aws-java-sdk-s3/src/main/java/com/amazonaws/services/s3/AmazonS3Client.java#L3384
Theoretically I can make it use S3QueryStringSigner but do you recommend that? Will S3QueryStringSigner be deprecated in the future?