What is the longest expiration time for an Amazon S3 generated link?


Question

I've tried to set the expiration date to the year 2100, but it says that it's invalid. Or is it possible to make it permanent somehow?

Recommended answer

For URLs signed with S3 Signature Version 2, the time limit appears to be the end of the Unix epoch in 2038, but for Signature Version 4, the limit is 7 days, because the signing keys in V4, themselves, have a maximum validity of 7 days.

If you are unfamiliar with the difference between V2 and V4, an easy way to differentiate between them is that V2 URLs include &Expires= while V4 URLs use &X-Amz-Expires=.

Importantly, though, the signature using either algorithm is immediately invalidated if you deactivate the IAM user credentials (access key/secret) that were used to sign the URL... which you should at some point be planning to do, because rotation of credentials is considered a best practice (or, if not that, then because your credentials might one day be compromised, or be suspected of having been compromised).

So a signed URL for an S3 object should not be considered permanent.

If making the object public is not desired, then the next best approach is for your application (or any kind of HTTP endpoint that you control) to validate the user's permission to download the object (perhaps based on your application's cookies), and then generate a short-lived signed URL and return a redirect. The browser should immediately follow it and fetch the object, but not cache the redirect, since you've indicated that the original URL should be used for subsequent requests, with the 302 response code.

The notable headers in the HTTP response from your application would look something like this:

HTTP/1.1 302 Found
Location: https://...generated-signed-url-here...
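
An added example, not part of the original answer: a small audit helper that tells V2 from V4 presigned URLs by the query parameters named above, works out when each expires, and reports which access key ID signed it (the key whose deactivation would invalidate the link). The function name, the `policy_max` threshold and the sample URLs are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

SIGV4_MAX = timedelta(days=7)  # V4 limit stated in the answer above


def inspect_presigned_url(url, now, policy_max=timedelta(minutes=15)):
    """Classify a presigned S3 URL and flag lifetimes that are too long.

    policy_max is a hypothetical local policy value, not an AWS limit.
    """
    q = parse_qs(urlsplit(url).query)
    findings = []
    if "X-Amz-Expires" in q:  # Signature Version 4: relative lifetime
        version = "v4"
        signed_at = datetime.strptime(q["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
        signed_at = signed_at.replace(tzinfo=timezone.utc)
        lifetime = timedelta(seconds=int(q["X-Amz-Expires"][0]))
        expires_at = signed_at + lifetime
        # The access key ID is the first field of X-Amz-Credential.
        key_id = q["X-Amz-Credential"][0].split("/")[0]
        if lifetime > SIGV4_MAX:
            findings.append("lifetime exceeds the 7-day V4 limit")
    elif "Expires" in q:  # Signature Version 2: absolute Unix timestamp
        version = "v2"
        expires_at = datetime.fromtimestamp(int(q["Expires"][0]), timezone.utc)
        key_id = q["AWSAccessKeyId"][0]
        lifetime = expires_at - now  # V2 carries no signing time
    else:
        raise ValueError("not a presigned S3 URL (no Expires / X-Amz-Expires)")
    if lifetime > policy_max:
        findings.append("lifetime longer than local policy")
    if expires_at <= now:
        findings.append("already expired")
    return {"version": version, "key_id": key_id,
            "expires_at": expires_at, "findings": findings}


# Constructed sample URLs (documentation-style key ID, placeholder signatures).
V4_URL = ("https://example-bucket.s3.amazonaws.com/report.pdf"
          "?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential="
          "AKIAIOSFODNN7EXAMPLE%2F20240101%2Fus-east-1%2Fs3%2Faws4_request"
          "&X-Amz-Date=20240101T000000Z&X-Amz-Expires=604800"
          "&X-Amz-SignedHeaders=host&X-Amz-Signature=0000")
V2_URL = ("https://example-bucket.s3.amazonaws.com/report.pdf"
          "?AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE&Expires=2147483647&Signature=0000")

if __name__ == "__main__":
    now = datetime(2024, 1, 2, tzinfo=timezone.utc)
    for u in (V4_URL, V2_URL):
        print(inspect_presigned_url(u, now))
```

Run over URLs found in logs, tickets or shared documents, the `key_id` field shows which links will stop working when a given access key is rotated.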
