0

I have an image that I've uploaded to S3 using a presigned url. At first, the image was viewable when...

  1. used in my app's image_tag, or
  2. used in an <img src=""> of any html doc.

...however it was not viewable when copypasted into my browser.

Now that the expiration date has passed, the image is still viewable...but only when requested by my app. Isn't the expiration date supposed to prevent access?

I read somewhere that the expiration date was only supposed to impact file uploading, but responses to this question state otherwise.

John Rotenstein
  • 241,921
  • 22
  • 380
  • 470
calyxofheld
  • 1,538
  • 3
  • 24
  • 62
  • 1
    What do you mean by "when requested by my app"? Is the app generating a new pre-signed URL? If you look at the URL that is generated by the app, is it different every time (eg in the Signature)? – John Rotenstein Oct 05 '20 at 11:44
  • you're right. i'm using a rails gem called Shrine, and a direct upload node package called Uppy. when files are uploaded to a bucket, the file metadata is inserted into a form, and when i submit, it's saved to my database. i was under the impression that, like, a hardcoded url was saved. after manually checking the `_url`, it appears that the url changes every time. – calyxofheld Oct 05 '20 at 14:23

2 Answers2

2

The expiration is relevant to the URL only not to the object itself. If you upload an object using a pre-signed URL and configure the pre-signed URL with a public-read ACL, the object will be public to anyone. Still, if you upload it with a private ACL configuration, you could only upload this object. To read it, you need to create a new pre-signed URL with the getObject operation. I wrote an article on how to work with pre-signed URLs, it is in nodeJS but I think it could help you. Check out the code snippets.

https://www.altostra.com/blog/aws-s3-presigned-url

Shahar Yakov
  • 418
  • 3
  • 10
1

I think your app itself is requesting a presigned URL from S3 everytime you load the page, so you actually get a new presigned url to view the image.

If you don't specify the expiry date when you are creating the presigned url, then the default expiry will apply. This link has the expiry values.

Anyone with valid security credentials can create a presigned URL. However, in order to successfully access an object, the presigned URL must be created by someone who has permission to perform the operation that the presigned URL is based upon.

The credentials that you can use to create a presigned URL include:

IAM instance profile: Valid up to 6 hours

AWS Security Token Service : Valid up to 36 hours when signed with permanent credentials, such as the credentials of the AWS account root user or an IAM user

IAM user: Valid up to 7 days when using AWS Signature Version 4

To create a presigned URL that's valid for up to 7 days, first designate IAM user credentials (the access key and secret access key) to the SDK that you're using. Then, generate a presigned URL using AWS Signature Version 4.

If you created a presigned URL using a temporary token, then the URL expires when the token expires, even if the URL was created with a later expiration time.

Depending on how you create the Presigned urls, they can be used either for object sharing (e.g. image viewing) or for object uploading to S3. They are different types of URLs as each one has a different set of permissions attached to it, so you can't use the same presigned url for both upload and download. Anyways, in both cases you can define an expiry time for the presigned URL.

Abba
  • 334
  • 5
  • 9