The workaround for extending the expiration date for an Amazon S3 Bucket pre-signed URL

By Mohamed Hamda
Published in Homeday, Feb 19, 2021 (3 min read)
Source: https://medium.com/appgambit/almost-everything-that-the-aws-s3-can-do-86aa61a13e12

Problem

In some of our processes at Homeday we need to share a file with
an external user who has no access to our internal applications.

These files need to be accessible for up to 5 weeks.

We are using S3 pre-signed URLs to allow anonymous users
to access files that are stored on S3.

What are S3 pre-signed URLs?

A user who does not have AWS credentials or permission to access an S3 object can be granted temporary access by using a pre-signed URL.

A pre-signed URL is generated by an AWS user that does have access to the object. The pre-signed URL can then be used by an unauthorized user to access the object.

The credentials used by the pre-signed URL are those of the AWS user who generated the URL.

A pre-signed URL remains valid for a limited period of time, which is specified when the URL is generated; the maximum is 1 week.

Therefore, S3 pre-signed URLs that are only valid for one week
do not help us here at all :]

The Solution

The solution is to extend the lifetime for links by using a JWT token.

We use JWT to generate an encrypted token based on some of the file’s data,
like file key or checksum, which can be valid for up to 5 weeks.

Public API to generate the S3 Pre-signed URLs

After creating the JWT token, we generate a link to an internal API with the token as a param.

In this custom API, we check whether the token is still valid or has already expired. If it's still valid, we check if the file still exists and generate the S3 pre-signed URL for the actual file the user wants to access. This pre-signed URL is then only valid for 5 minutes.

The external user has a shortened link to the custom API, and this API generates a new S3 pre-signed URL for the file on every request, as long as the token is still valid.
So whenever the user clicks on the link, they are redirected directly
to the S3 pre-signed URL with a direct download.

If the file is not downloadable, the user will see a page explaining the reason and whom to contact.

Status codes:

File exists -> 302 Found
File not found -> 404 Not Found
Token expired -> 410 Gone
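
The flow described above, as an added sketch that is not Homeday's own code: a 5-week token bound to the file key, checked on every click before a 5-minute pre-signed URL is issued. It assumes an HS256-signed JWT built with the standard library; issue_token, resolve, exists and presign are hypothetical names, and answering a tampered or malformed token with 404 is an assumption of this example.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"      # constructed; load from a secret store in practice
LINK_TTL = 5 * 7 * 24 * 3600             # token lifetime: 5 weeks, as in the article
PRESIGN_TTL = 5 * 60                     # each pre-signed URL lives 5 minutes

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str) -> str:
    return _b64(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())

def issue_token(file_key: str, now: int) -> str:
    """Build an HS256 JWT that binds the link to one object key."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64(json.dumps({"key": file_key, "exp": now + LINK_TTL}).encode())
    return f"{header}.{claims}.{_sign(header + '.' + claims)}"

def resolve(token: str, now: int, exists, presign):
    """Return (status, location) for the public endpoint.
    exists(key) and presign(key, ttl) are hypothetical stand-ins for the S3 calls."""
    try:
        header, claims, sig = token.split(".")
        # Verify the signature in constant time before trusting any field.
        if not hmac.compare_digest(sig, _sign(header + "." + claims)):
            return 404, None
        # Pin the algorithm: the token must not choose how it is verified.
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return 404, None
        payload = json.loads(_unb64(claims))
        key, exp = payload["key"], int(payload["exp"])
    except (ValueError, KeyError, TypeError, AttributeError):
        return 404, None                 # malformed token (assumption: treated as not found)
    if now >= exp:
        return 410, None                 # token expired -> 410 Gone
    if not exists(key):
        return 404, None                 # file not found -> 404 Not Found
    return 302, presign(key, PRESIGN_TTL)  # file exists -> 302 Found
```

Because the object key comes only from the verified token, a caller cannot swap in a different key, and a leaked pre-signed URL stops working after 5 minutes while the long-lived link stays under the API's control.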

I hope this helps you to extend the S3 pre-signed URL expiration date 😃
