amazon-web-services amazon-s3 minio

How can I expire a generated download link on S3


I know that we can generate a download key for an object with a specific time to expire. But how can I invalidate an already generated key manually?

Imagine I get an acknowledgement from a client that successfully downloaded the file, so I want to invalidate the generated key.


Solution

  • It appears that you are referring to a Pre-Signed URL, which grants time-limited access to a private object in Amazon S3.

    The pre-signed URL uses credentials from an Access Key that does have permission to access the object. The URL is then signed with a hashed version of the Secret Key to validate the request. It is effectively saying "I approve this request until this timestamp."

    There is no way to invalidate a pre-signed URL. However, since the approval is linked to an identity, you can invalidate that identity's permissions to access the object and this will invalidate the pre-signed URL. It's effectively saying "That's great that you authorize the request, but you are no longer authorized to access it yourself, so you can't authorize anybody else, either!"

    Example:

    • IAM User User-A has permission to access a private object
    • User-A generates a pre-signed URL for the object
    • The pre-signed URL works
    • Permission is revoked from User-A so that they no longer have permission to access the object
    • The pre-signed URL no longer works

    This doesn't necessarily work well for your "download only once" use-case. To do that, you will really need to send requests and downloads via an application rather than relying on Amazon S3 to enforce the "once-only" rule.
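An added example, not part of the original answer: a minimal sketch of routing downloads through an application so that a link works once and can be invalidated manually. The class `OneTimeLinks`, the function `handle_download` and the `fetch_object` callable (standing in for the application's own S3 read with its own credentials) are hypothetical names, and the in-memory registry is an assumption; a multi-process deployment would need a shared store with an atomic delete.

```python
import hashlib
import secrets
import threading
import time


class OneTimeLinks:
    """Server-side registry of single-use download tokens (in-memory sketch)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._lock = threading.Lock()
        self._pending = {}  # sha256(token) -> (object_key, expires_at)

    @staticmethod
    def _digest(token):
        # Store only a hash so a leaked registry does not expose usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, object_key, ttl_seconds=300):
        """Create an unguessable token bound to one object and an expiry."""
        token = secrets.token_urlsafe(32)
        with self._lock:
            self._pending[self._digest(token)] = (object_key, self._clock() + ttl_seconds)
        return token

    def revoke(self, token):
        """Manual invalidation, e.g. after the client acknowledges the download."""
        with self._lock:
            return self._pending.pop(self._digest(token), None) is not None

    def redeem(self, token):
        """Return the object key once; None if unknown, used, revoked or expired."""
        with self._lock:
            # pop() under the lock consumes the token atomically, so two
            # concurrent requests cannot both succeed.
            entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        object_key, expires_at = entry
        return object_key if self._clock() < expires_at else None


def handle_download(links, token, fetch_object):
    """fetch_object(key) is a placeholder for the app's own S3 read (assumption)."""
    key = links.redeem(token)
    if key is None:
        return 404, b""
    return 200, fetch_object(key)
```

The client only ever sees the application's token, never a pre-signed URL, so the bucket can stay private and the application decides when a link stops working.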