当IAM角色密钥旋转时，避免预签名的URL过期 [英] Avoid pre-signed URL expiry when IAM role key rotates

问题描述

在Airflow中，我定义了每天运行的2个任务:

In Airflow I have 2 tasks defined that run every day:

• 第一个创建一个zip文件并将其保存在AWS中的 s3://{bucket-name}/foo/bar/{date}/archive.zip
下
• 第二个会预签名url(应在7天后过期)并将其发送给Slack.

由于Qubole使用IAM角色，因此在旋转键时生成的url将过期(据我所知不到24小时).

Because Qubole uses an IAM role the generated url will expire when the keys are rotated (less than 24 hours as far as I can tell).

我正在为此寻求解决方案.我当前的想法是将第二项任务转移到AWS lambda中，并使用IAM用户凭证来避免到期问题.

I'm trying to find a solution for this. My current idea is moving the second task into an AWS lambda and using IAM user credentials to avoid the expiry issue.

还有其他方法可以使我不复杂吗?

Is there any other approach I could take without over complicating it?

推荐答案

您将需要使用特定的IAM凭据.最佳做法是将IAM用户的权限设置为仅执行所需的操作.

You will need to use specific IAM credentials. Best practice would be be setting the permissions on the IAM user to only do what is required.

这篇关于当IAM角色密钥旋转时，避免预签名的URL过期的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！