We can sign a URL for S3 using the JS SDK, and set an expiration date:
const params = {Bucket: 'bucket', Key: 'key', Expires: 60};
const url = s3.getSignedUrl('getObject', params);
console.log('The URL is', url); // expires in 60 seconds
Can we also set a date for when the signed request would be valid?
Suppose I want to sign a URL in a way where it won't be valid until tomorrow, and then will be valid for one day. How would I do that? Preferably, with the JS SDK.
S3's pre-signed URLs do not offer this functionality, directly.
CloudFront does support this, if you use a CloudFront signed URL with a custom policy instead.
You can create a CloudFront distribution, and connect it to the bucket with an Origin Access Identity, which allows CloudFront to authenticate itself for accessing the bucket, and then "Restrict viewer access" on the CloudFront distribution so that CloudFront only allows access when a valid signed CloudFront URL is provided. CloudFront signed URLs require a "not after" date, but also support a "not before" date.
You'll need to use CloudFront.Signer.getSignedUrl() but do not supply the url or expires options. Pass only the policy option.
The policy is a JSON string containing values for Resource, DateLessThan (expiration time) and DateGreaterThan (before which, access the URL will be denied). You can optionally pass IpAddress to limit use of this URL to a single IPv4 address or block. IPv6-based restriction isn't supported.
It's a bit of an advanced operation, but see these example policy statements for the expected format. The whitespace shown in the examples does not need to be included in the policy document.
You don't need to follow the instructions for actually signing and escaping the URL because the SDK is handling that part for you... but you'll need to create the JSON policy.