Etherarp

Networking, Security, Linux

Time-limited S3 Uploads

This post will demonstrate some examples of time-limiting S3 uploads by setting bucket lifecycle policies to prune old resources and granting time-limited public access to an object.

Rohan Molloy

Store objects on a time-limited basis

In this example, a bucket is configured to store objects on a time-limited basis and delete them once the limit has passed.

$ s3cmd mb s3://ephemeral-bucket
Bucket 's3://ephemeral-bucket/' created

$ s3cmd expire --expiry-days 7 s3://ephemeral-bucket
Bucket 's3://ephemeral-bucket/': expiration configuration is set.

s3cmd expire is quite dumb and will overwrite existing rules each time it's run. For more sophisticated policies, it's better to use aws s3api and pass the lifecycle policy as JSON. In the example below, daily and weekly lifecycle policies are set for the daily_folder/ and weekly_folder/ prefixes, respectively.

$ cat > /tmp/lifecycle.json << EOF
{
  "Rules": [
    {
      "ID": "$(uuidgen)",
      "Filter": {
        "Prefix": "daily_folder/"
      },
      "Status": "Enabled",
      "Expiration": {
        "Days": 1
      }
    },
    {
      "ID": "$(uuidgen)",
      "Filter": {
        "Prefix": "weekly_folder/"
      },
      "Status": "Enabled",
      "Expiration": {
        "Days": 7
      }
    }
  ]
}
EOF

$ aws s3api put-bucket-lifecycle-configuration \
--bucket lifecycle-bucket-example \
--lifecycle-configuration file:///tmp/lifecycle.json

Temporarily share a resource inside an S3 bucket

The s3cmd signurl command generates a URL that provides public access to an existing object. The URL is time-limited and non-guessable.

$ expires=$(date -d 'now + 5 day' +%s)
$ date -d @$expires
Fri Feb 8 21:55:32 NZDT 2019

$ s3cmd put example.html s3://ephemeral-bucket/example.html
upload: '/tmp/example.html' -> 's3://ephemeral-bucket/example.html' [1 of 1]
 12264 of 12264 100% in 0s 39.27 kB/s done

$ s3cmd signurl s3://ephemeral-bucket/example.html "$expires"
http://ephemeral-bucket.s3.amazonaws.com/example.html?AWSAccessKeyId=AKIAJGIWBBUS3MQZDPFA&Expires=1549616132&Signature=A1TBlbZKyEI%2BXqWqgj9p2SOEn5k%3D
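
The URL above is S3's legacy query-string (Signature Version 2) form, where Signature is a base64 HMAC-SHA1 over the verb, the Expires value and the object path. The sketch below is an added example, not code from the original post or from s3cmd; it rebuilds such a URL and shows why a recipient cannot extend its lifetime or point it at another object. The credentials are constructed placeholders, and `sign_v2`, `signed_url` and `check_url` are hypothetical names, with `check_url` a simplified model of the service-side check.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Constructed placeholder credentials, not real keys.
ACCESS_KEY = "AKIAEXAMPLEKEYID0000"
SECRET_KEY = "constructed-secret-for-illustration"
EXPIRES = 1549616132  # epoch value from the signurl example above


def sign_v2(secret, bucket, key, expires, verb="GET"):
    """Base64 HMAC-SHA1 over the Signature Version 2 string-to-sign."""
    # Verb, empty Content-MD5, empty Content-Type, expiry epoch, resource.
    string_to_sign = f"{verb}\n\n\n{expires}\n/{bucket}/{quote(key)}"
    mac = hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def signed_url(access_key, secret, bucket, key, expires):
    """Build a query-string-authenticated GET URL for one object."""
    sig = quote(sign_v2(secret, bucket, key, expires), safe="")
    return (f"https://{bucket}.s3.amazonaws.com/{quote(key)}"
            f"?AWSAccessKeyId={access_key}&Expires={expires}&Signature={sig}")


def check_url(url, secret, now):
    """Service-side view: recompute the signature, then enforce the expiry."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    bucket = parts.hostname.split(".s3.")[0]
    key = unquote(parts.path.lstrip("/"))
    expires = query["Expires"][0]
    expected = sign_v2(secret, bucket, key, expires)
    if not hmac.compare_digest(expected, query["Signature"][0]):
        return "signature mismatch"
    if now > int(expires):
        return "expired"
    return "ok"


if __name__ == "__main__":
    url = signed_url(ACCESS_KEY, SECRET_KEY, "ephemeral-bucket", "example.html", EXPIRES)
    print(url)
    print(check_url(url, SECRET_KEY, EXPIRES - 60))
    later = url.replace(str(EXPIRES), str(EXPIRES + 86400))
    print(check_url(later, SECRET_KEY, EXPIRES - 60))
    print(check_url(url, SECRET_KEY, EXPIRES + 1))
```

Because the signature only binds the URL's contents, anyone who obtains the URL can fetch the object until Expires passes, so keep the lifetime as short as the use case allows.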