What is the longest expiration time for Amazon S3 generated link?


Problem description

I've tried to set the expiration date to the year 2100, but it says that it's invalid. Or is it possible to make it permanent somehow?

Recommended answer

For URLs signed with S3 Signature Version 2, the time limit appears to be the end of the Unix epoch in 2038, but for Signature Version 4, the limit is 7 days, because the signing keys in V4, themselves, have a maximum validity of 7 days.

If you are unfamiliar with the difference between V2 and V4, an easy way to differentiate between them is that V2 URLs include &Expires= while V4 URLs use &X-Amz-Expires=.

Importantly, though, the signature using either algorithm is immediately invalidated if you deactivate the IAM user credentials (access key/secret) that were used to sign the URL... which you should at some point be planning to do, because rotation of credentials is considered a best practice (or, if not that, then because your credentials might one day be compromised, or be suspected of having been compromised).

So a signed URL for an S3 object should not be considered permanent.

If making the object public is not desired, then the next best approach is for your application (or any kind of HTTP endpoint that you control) to validate the user's permission to download the object (perhaps based on your application's cookies), and then generate a short-lived signed URL and return a redirect. The browser should immediately follow it and fetch the object, but not cache the redirect, since you've indicated that the original URL should be used for subsequent requests, with the 302 response code.

The notable headers in the HTTP response from your application would look something like this:

HTTP/1.1 302 Found
Location: https://...generated-signed-url-here...
