
S3 Pre-signed URL generation from ECS using Task role


I want to create an S3 presigned URL for reading an object in S3 for my clients. My application is running in ECS.

I want to use the ECS Task Role to create the S3 presigned URL using the Python SDK like this:

import boto3

s3_client = boto3.client('s3')  # picks up the ECS task-role credentials from the container credential endpoint
url = s3_client.generate_presigned_url('get_object',
                                       Params={'Bucket': bucket_name,
                                               'Key': object_name},
                                       ExpiresIn=expiration)

Question:

If a client receives a presigned URL right at the boundary of task role credential rotation, won't it stop working?

This article recommends using permanent credentials - https://aws.amazon.com/premiumsupport/knowledge-center/presigned-url-s3-bucket-expiration/

If you created a presigned URL using a temporary token, then the URL expires when the token expires, even if the URL was created with a later expiration time.

Is there a way to make sure the presigned URL is valid around the credential rotation boundary? I would like to provide at least 10 minutes of validity for the presigned URL.

Note: This answer also recommends using IAM user credentials - Avoid pre-signed URL expiry when IAM role key rotates

I am wondering whether there is any way ECS can take advantage of the Task Role here?


Solution

  • If you use the ECS task role alone, your signed URL is limited to whenever those credentials expire. The credentials last 6 hours by default, but you would need to check the metadata endpoint to understand how long is left.

    An example response from the metadata endpoint is below; as you can see, there is an attribute containing the Expiration value.

    {
        "AccessKeyId": "ACCESS_KEY_ID",
        "Expiration": "EXPIRATION_DATE",
        "RoleArn": "TASK_ROLE_ARN",
        "SecretAccessKey": "SECRET_ACCESS_KEY",
        "Token": "SECURITY_TOKEN_STRING"
    }
    

    If it must be at least 10 minutes, you can do this by creating another role (one that has the permissions) and then using STS with assume-role. One of the arguments you can pass is duration-seconds, which allows up to 12 hours to be specified.

    If you do this, you can then assume the role and generate the presigned URL, which can be used for the length of the duration-seconds you specified. Your task role would have permission to assume the role, which means you do not require an IAM user.

    This only works if you need the link for less than 12 hours; otherwise you would still be limited to an IAM user.
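Both halves of the answer, as an added example that is not part of the original answer: a check that clamps the URL lifetime to the task-role credential expiry (reading the Expiration field shown above), and the assume-role fallback for when the 10-minute requirement cannot be met. The metadata document, the 10-minute constant and the session name are constructed assumptions; the boto3 calls are the library's real ones.

```python
import json
from datetime import datetime, timezone

# Constructed stand-in for the document the ECS credential endpoint returns
# (only the Expiration field needs to be realistic for this check).
SAMPLE_CREDS = json.dumps({
    "AccessKeyId": "ACCESS_KEY_ID",
    "Expiration": "2024-01-01T12:00:00Z",
    "RoleArn": "TASK_ROLE_ARN",
    "SecretAccessKey": "SECRET_ACCESS_KEY",
    "Token": "SECURITY_TOKEN_STRING",
})
MIN_VALIDITY_SECONDS = 10 * 60   # assumed requirement: URL must live >= 10 min

def parse_ts(ts):
    """Parse the UTC timestamp format used by the Expiration field."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def seconds_until_expiry(creds_json, now):
    """Seconds left on the task-role credentials at `now` (tz-aware datetime)."""
    expiration = parse_ts(json.loads(creds_json)["Expiration"])
    return max(0, int((expiration - now).total_seconds()))

def choose_expires_in(creds_json, now, requested_seconds):
    """ExpiresIn to pass to generate_presigned_url when signing with the task
    role: never longer than the credentials themselves. Returns None when the
    credentials cannot cover MIN_VALIDITY_SECONDS, i.e. use the assumed-role
    path below instead of handing out a URL that dies at rotation."""
    remaining = seconds_until_expiry(creds_json, now)
    if remaining < MIN_VALIDITY_SECONDS:
        return None
    return min(requested_seconds, remaining)

def presign_via_assumed_role(role_arn, bucket, key, duration_seconds):
    """Fallback from the answer: assume a dedicated role with an explicit
    DurationSeconds and sign with *its* credentials, so the URL outlives the
    task-role rotation. Needs boto3 and AWS access, hence the lazy import.
    DurationSeconds cannot exceed the role's MaxSessionDuration setting."""
    import boto3
    resp = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName="presign", DurationSeconds=duration_seconds)
    c = resp["Credentials"]
    s3 = boto3.client("s3", aws_access_key_id=c["AccessKeyId"],
                      aws_secret_access_key=c["SecretAccessKey"],
                      aws_session_token=c["SessionToken"])
    return s3.generate_presigned_url(
        "get_object", Params={"Bucket": bucket, "Key": key}, ExpiresIn=duration_seconds)
```

In a task, read the real document from the URI in the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable instead of SAMPLE_CREDS and pass datetime.now(timezone.utc) as `now`.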