S3 link with longer expiration
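I am using the Java SDK to generate pre-signed links for clients. We have a new requirement to allow links to stay active for at least 30 days. When I set the expiration time longer, I get the following error: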
Requests that are pre-signed by SigV4 algorithm are valid for at most
7 days
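I need to determine a way to resolve this, because the client cannot accept updates to the link (for example, if I simply auto-generated an update every week). Is there a way around this? Can I pass along a given set of read-only credentials?
For an explanation of the date limit, see this detailed answer.
Generating read-only credentials for the client would not work well, because the client would have to use those credentials either to create its own pre-signed URL (no different from what you are doing now; it would still expire after at most 7 days) or to download the file directly with the AWS SDK, without a pre-signed URL.
A constant link that lasts longer than 7 days while still using SigV4 can be achieved through an intermediate layer (such as a REST endpoint) whose URL does not change and which serves the file when requested.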
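The intermediate-layer approach from the answer above, sketched as an added example that is not part of the original answers: the stable link carries an HMAC-signed token valid for 30 days, and each request that passes verification gets a fresh SigV4 URL that lives only minutes. `SERVER_SECRET`, the token layout and the function names are hypothetical, and `presign` is assumed to be any callable wrapping the SDK's presign call.

```python
import base64
import hashlib
import hmac
import time

# Assumptions (not from the original answers): SERVER_SECRET, the token layout
# and all function names are hypothetical. presign is any callable returning a
# short-lived SigV4 URL, e.g. a wrapper around boto3 generate_presigned_url.
SERVER_SECRET = b"constructed-demo-secret-load-from-a-secret-store"
MAX_LINK_LIFETIME = 30 * 24 * 3600   # the 30 days the question asks for
PRESIGN_TTL = 300                    # each redirect target lives 5 minutes


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_link_token(bucket, key, now=None, lifetime=MAX_LINK_LIFETIME):
    """Return the opaque token embedded in the stable link."""
    expires = int(now if now is not None else time.time()) + lifetime
    payload = f"{expires}\n{bucket}\n{key}".encode()
    mac = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return f"{b64(payload)}.{b64(mac)}"


def resolve_link_token(token, presign, now=None):
    """Verify the token; return a fresh short-lived URL, or None to reject."""
    try:
        payload_part, mac_part = token.split(".")
        payload, mac = unb64(payload_part), unb64(mac_part)
        # Bucket names cannot contain newlines; the key keeps any it has.
        expires_text, bucket, key = payload.decode().split("\n", 2)
        expires = int(expires_text)
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    if (now if now is not None else time.time()) >= expires:
        return None
    # Only now touch AWS: the S3 URL handed out is valid for PRESIGN_TTL seconds.
    return presign(bucket, key, PRESIGN_TTL)
```

The endpoint would answer a valid token with an HTTP redirect to the returned URL, so the long-lived link never contains an AWS signature and can be revoked by rotating the server secret.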
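Unfortunately, S3 pre-signed URLs cannot last longer than 7 days.
One possible solution is to use CloudFront signed URLs; these have no "limit" on the validity period of the URL. The S3 bucket will still remain private.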
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html
Java example:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CFPrivateDistJavaDevelopment.html
import logging
import boto3
from botocore.exceptions import ClientError
from botocore.client import Config

# python > 3 should be installed
# pip install boto3
# s3v4
# (Default) Signature Version 4
# v4 algorithm starts with X-Amz-Algorithm
#
# s3
# (Deprecated) Signature Version 2, this only works in some regions new regions not supported
# if you have to generate signed url that has > 7 days expiry then use version 2 if your region supports it. below code illustration of this
s3_signature = {
    'v4': 's3v4',
    'v2': 's3'
}


def create_presigned_url(bucket_name, bucket_key, expiration=3600):
    """Generate a presigned URL to share an S3 object
    :param bucket_name: string
    :param bucket_key: string
    :param expiration: Time in seconds for the presigned URL to remain valid
    :return: Presigned URL as string. If error, returns None.
    """
    # Generate a presigned URL for the S3 object
    s3_client = boto3.client('s3',
                             aws_access_key_id='your_access_key_here',
                             aws_secret_access_key='your_secret_key_here',
                             config=Config(signature_version=s3_signature['v2']),
                             region_name='us-east-1'
                             )
    try:
        response = s3_client.generate_presigned_url('get_object',
                                                    Params={'Bucket': bucket_name,
                                                            'Key': bucket_key},
                                                    ExpiresIn=expiration)
    except ClientError as e:
        logging.error(e)
        return None
    # The response contains the presigned URL
    return response


weeks = 8
seven_days_as_seconds = 604800
signed_url = create_presigned_url('your_bucket_here', 'your_key/file_name.xls', (seven_days_as_seconds * weeks))
print(signed_url)