How to set an Amazon S3 bucket presigned URL expiry time to 1 year from the current date

Time: 2021-01-12 10:45:58

Images are uploaded to an Amazon S3 bucket. I need to get a presigned URL from the Amazon server. I also want to set the expiry time of that URL. It can take only a maximum of 17 days, but I can't set a maximum expiration time of 1 year.

    import java.net.URL;
    import java.util.Calendar;
    import java.util.Date;
    import com.amazonaws.HttpMethod;
    import com.amazonaws.services.s3.model.GeneratePresignedUrlRequest;

    // Expiry one year from now
    Calendar cal = Calendar.getInstance();
    cal.add(Calendar.YEAR, 1);
    Date nextYear = cal.getTime();

    // s3client is an already-configured AmazonS3 client; "accessname" is the object key
    GeneratePresignedUrlRequest generatePresignedUrlRequest =
            new GeneratePresignedUrlRequest("bucketName", "accessname");
    generatePresignedUrlRequest.setMethod(HttpMethod.GET);
    generatePresignedUrlRequest.setExpiration(nextYear);
    URL url = s3client.generatePresignedUrl(generatePresignedUrlRequest);
    String bucketURL = url.toString();

1 solution

#1

15

You do not "get" a pre-signed URL "from server." Signature calculation is done on the client. Pre-signed URLs are actually calculated on your machine, not by the service.

If you are using a current SDK, it is probably using Signature V4. If the signed URL includes X-Amz-Signature= then this confirms V4. The older V2 algorithm only uses Signature= in a signed URL.

If your signature is indeed V4, then you are seeing an intentional limitation:

A presigned URL can be valid for a maximum of seven days because the signing key you use in signature calculation is valid for up to seven days.

http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html

If you are already using V2, you should be able to sign URLs with expiration times as late as the year 2038. If you are using V4, you could work around the limitation by switching to use V2, but this is not advisable. V2 is not supported in newer S3 regions, like Frankfurt, and if you rotate your AWS access keys like you should, the eventual key invalidation will also invalidate any signatures created with that key.

The more correct approach in most cases is to generate the signed URL when you need it. That operation, as noted, requires no interaction with the S3 service and can typically be done in real time.

If you need to give a specific user access to a "direct link," consider creating an endpoint in your application where the user's credentials can be evaluated, at which point you can generate a signed URL and redirect the browser with an HTTP 302 response.


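As an added example (not code from the original question or answer), here is a standard-library-only Python implementation of the SigV4 query-string signing described in the linked AWS document. It makes the answer's points concrete: the URL is computed locally from the secret key with no request to S3, X-Amz-Expires is refused beyond seven days because the signing key is date-scoped, and the V4/V2 check (X-Amz-Signature= versus Signature=) is a plain query-string inspection. The bucket, key and credentials used with it are constructed sample values (the AKIA...EXAMPLE pair is AWS's documentation example key), and the canonical request layout follows the linked document.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlparse

# SigV4 signing keys are scoped to a date and accepted for at most seven days,
# which is why X-Amz-Expires cannot exceed 604800 seconds.
MAX_SIGV4_EXPIRES = 7 * 24 * 3600

def is_allowed_expiry(seconds: int) -> bool:
    return 1 <= seconds <= MAX_SIGV4_EXPIRES

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def signing_key(secret_key: str, date: str, region: str) -> bytes:
    """kSecret -> kDate -> kRegion -> kService -> kSigning, as in the SigV4 spec."""
    k = _hmac(("AWS4" + secret_key).encode(), date)
    k = _hmac(k, region)
    k = _hmac(k, "s3")
    return _hmac(k, "aws4_request")

def presign_get(bucket, key, access_key, secret_key, region, expires, amz_date):
    """Build a SigV4 query-string-authenticated GET URL with no call to S3.
    amz_date is the signing time as YYYYMMDDTHHMMSSZ (passed in for determinism)."""
    if not is_allowed_expiry(expires):
        raise ValueError(f"SigV4 presigned URLs may live at most {MAX_SIGV4_EXPIRES} s")
    date, host = amz_date[:8], f"{bucket}.s3.amazonaws.com"
    scope = f"{date}/{region}/s3/aws4_request"
    params = {  # names are already in the sorted order the canonical query string needs
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    qs = "&".join(f"{k}={quote(v, safe='-_.~')}" for k, v in sorted(params.items()))
    path = quote("/" + key, safe="/-_.~")
    # Canonical request: method, URI, query, headers (then a blank line), signed headers, payload hash
    canonical = "\n".join(["GET", path, qs, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical.encode()).hexdigest()])
    sig = hmac.new(signing_key(secret_key, date, region),
                   string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{path}?{qs}&X-Amz-Signature={sig}"

def signature_version(url: str) -> str:
    """The check from the answer: X-Amz-Signature= means V4, a bare Signature= means V2."""
    q = parse_qs(urlparse(url).query)
    return "V4" if "X-Amz-Signature" in q else "V2" if "Signature" in q else "unknown"
```

Because the whole computation is local, calling presign_get at request time (for example inside the credential-checking endpoint the answer suggests, before the 302 redirect) costs nothing more than a few HMACs.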