Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Amazon S3 - How to Check if Presigned URL is Expired?

If I have a generated Presigned URL that expired, should I be doing get_headers() (in PHP) to see if a 403 Forbidden error is thrown, otherwise use that same URL? Or is that a bad idea because it's an unnecessary GET request? Should I always just regenerate a new Presigned URL every time? I'm a little confused because there doesn't seem to be much information about this.

like image 364
D-Marc Avatar asked Oct 21 '17 16:10

D-Marc


People also ask

How long is S3 Presigned URL valid for?

In the Amazon S3 console, the maximum expiration time for a presigned URL is 12 hours from the time of creation.

How does S3 Presigned URL works?

Pre-signed URLs are used to provide short-term access to a private object in your S3 bucket. They work by appending an AWS Access Key, expiration time, and Sigv4 signature as query parameters to the S3 object. There are two common use cases when you may want to use them: Simple, occasional sharing of private files.

Does S3 bucket need to be public for Presigned URL?

All objects and buckets are private by default. However, you can use a presigned URL to optionally share objects or allow your customers/users to upload objects to buckets without AWS security credentials or permissions.

Is S3 Presigned URL safe?

There is an access check on the S3 side but that only checks whether the signer entity is allowed to get the file. You can remove that permission but that invalidates all signed URLs. Signed URLs provide secure a way to distribute private content without streaming them through the backend.


2 Answers

On macOS, use date -r 1535416265.

like image 57
mr. fixit Avatar answered Sep 21 '22 05:09

mr. fixit


The URL has the time it expires at.

Signature Version 2

htt ps://bucket.s3.amazonaws.com/foo.txt?AWSAccessKeyId=AKIAABCDEFGHIJK&Expires=1508608760&Signature=xxxxxxxxxxx

Expires gives the time in Unix timestamp (in seconds) and Coordinated Universal Time (UTC) .

$ date -d @1508608760
Sat Oct 21 17:59:20 UTC 2017

You can extract the value and compare it with the current time in UTC [time()], then decide to regenerate or not.


Signature Version 4

htt ps://s3.amazonaws.com/bucket/foo.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256& X-Amz-Expires=3600&X-Amz-Credential=AKIAJRZXXXXXXXXus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Date=20171021T190750Z&X-Amz-Signature=8b84ae9b59e9f8a8d7066ecc39e797c8dc29848abcdef61717

X-Amz-Date gives the UTC time in ISO 8601 format.

You can extract the value, convert it to epoch/UTC and compare it with the current time in UTC [time()], then decide to regenerate or not.

like image 24
helloV Avatar answered Sep 23 '22 05:09

helloV