I'm working on a Python script that uploads large files and generates presigned URLs for users to download them. I want these URLs to be valid for one week. The content isn't sensitive, but I'd like to avoid making the entire S3 bucket public.
Currently, I can generate these URLs using IAM credentials, but I'm trying to find a way to do this without having to use those credentials. I've considered using CloudFront as an alternative, but that seems more complex and could incur additional costs. Is there a simpler way to achieve this?
3 Answers
If you really want a long-lasting solution without IAM, consider using CloudFront with signed cookies. Unfortunately, building a long-lived presigned URL directly is tough because the session times for roles are usually capped at 12 hours max. Using CloudFront isn't the simplest option, but it might still be your best bet.
You can create a presigned URL that lasts for 7 days, but you'll need to think about how you generate it. Using an IAM user is common for this, unless you want to create a system that regenerates the URL when needed. I’ve set up a Lambda function that creates the presigned URL on demand. This way, users have to request a new link when they need it, ensuring the URL isn't used longer than necessary. It might be a bit of extra work upfront, but it helps manage security effectively.
Exactly! I will definitely look into the Lambda solution.
I get where you're coming from, but going the CloudFront route could actually save you a lot of hassle! With CloudFront, you won't have data transfer fees from S3 to CloudFront, and it caches content globally, reducing requests directly to your S3 bucket. Plus, you'll only pay for what you actually deliver from CloudFront — a potentially cheaper option in the long run!
Yes, I’m aware of that; just wanted to see if I missed anything. Looks like CloudFront may be the way to go.