
I want to create an S3 presigned URL for reading an object in S3 and hand it to my clients. My application is running in ECS.

I want to use the ECS Task Role to create the S3 presigned URL with the Python SDK, like this:

import boto3

s3_client = boto3.client('s3')  # picks up the ECS task role credentials automatically
url = s3_client.generate_presigned_url('get_object',
                                       Params={'Bucket': bucket_name,
                                               'Key': object_name},
                                       ExpiresIn=expiration)

Question:

If a client receives a presigned URL right at the boundary of task role credential rotation, won't it stop working?

This article recommends using permanent credentials - https://aws.amazon.com/premiumsupport/knowledge-center/presigned-url-s3-bucket-expiration/

If you created a presigned URL using a temporary token, then the URL expires when the token expires, even if the URL was created with a later expiration time.

Is there a way to make sure the presigned URL is valid around the credential rotation boundary? I would like to provide at least 10 minutes of validity for the presigned URL.

Note: This answer also recommends using IAM user credentials - Avoid pre-signed URL expiry when IAM role key rotates

I am wondering whether there is any way ECS can take advantage of the Task Role here?

Saaras

2 Answers

3

By using the ECS task role alone, your signed URL is limited to whenever the task role credentials expire. The credentials by default last 6 hours, but you would need to check the metadata endpoint to understand how long is left.

An example response from the metadata endpoint is below; as you can see, there's an attribute containing the Expiration value.

{
    "AccessKeyId": "ACCESS_KEY_ID",
    "Expiration": "EXPIRATION_DATE",
    "RoleArn": "TASK_ROLE_ARN",
    "SecretAccessKey": "SECRET_ACCESS_KEY",
    "Token": "SECURITY_TOKEN_STRING"
}

If it must be at least 10 minutes, you can do this by creating another role (one that has the permissions) and then using STS with assume-role. One of the arguments you can pass is duration-seconds, which allows up to 12 hours to be specified.

If you do this you can then assume the role and generate the presigned URL, which can be used for the length of the duration-seconds you specified. Your task role would have permission to assume the role, which would mean you do not require an IAM user.

This only works if you require the link for less than 12 hours; otherwise you would be limited to an IAM user.

Chris Williams
  • @Saaras I think only some of your comment was added? :) – Chris Williams Jul 24 '20 at 07:06
  • I am unable to edit the previous comment. Looks like what I was looking for! Thanks!! I feel this is better than maintaining IAM credentials in SSM and taking care of rotating them. Any downsides to this approach? – Saaras Jul 24 '20 at 07:15
  • Not really, as I said the limitation is up to 12 hours, so as long as you don't need it longer than that it's all good :) – Chris Williams Jul 24 '20 at 07:21
  • @ChrisWilliams We got the error "The requested DurationSeconds exceeds the 1 hour session limit for roles assumed by role chaining." I think role chaining is actually happening here and AWS is not allowing us to generate a token which is valid for more than 1 hour. Am I missing anything? – user27111987 Aug 06 '21 at 11:37
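The following is an added example, not code from the question or from either answer, putting this answer's two steps together: read the task role's Expiration from the ECS credential endpoint, clamp ExpiresIn so the URL never outlives the signing credentials, and fall back to STS AssumeRole when the task role is about to rotate. It assumes the task uses the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI endpoint at 169.254.170.2, a hypothetical signing role ARN passed in by the caller, a one-minute safety margin, and, following the last comment above, that the chained AssumeRole session is capped at 3600 seconds. The metadata JSON is a constructed sample with placeholder values. boto3 is imported only inside the two functions that talk to AWS, so the lifetime arithmetic runs without it.

```python
"""Choose credentials and an ExpiresIn that survive ECS task-role rotation."""
import json
import os
import urllib.request
from datetime import datetime, timedelta, timezone

# Constructed sample of the ECS credential endpoint response (same shape as the
# answer's example). Values are placeholders, not real credentials.
SAMPLE_METADATA = json.dumps({
    "AccessKeyId": "ASIAEXAMPLE",
    "Expiration": "2020-07-24T12:00:00Z",
    "RoleArn": "arn:aws:iam::123456789012:role/example-task-role",
    "SecretAccessKey": "placeholder-secret",
    "Token": "placeholder-session-token",
})

SAFETY_MARGIN = timedelta(seconds=60)   # slack for clock skew (assumption)
CHAINED_SESSION_LIMIT = 3600            # STS limit for role-chained sessions
ECS_CREDENTIAL_ENDPOINT = "http://169.254.170.2"


def parse_utc(stamp):
    """Parse the endpoint's 'YYYY-MM-DDTHH:MM:SSZ' timestamp into an aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_expiration(metadata_json):
    """Extract the credential Expiration from the endpoint's JSON body."""
    return parse_utc(json.loads(metadata_json)["Expiration"])


def usable_expires_in(requested_seconds, cred_expiry, now):
    """Largest ExpiresIn that does not outlive the signing credentials.

    Returns 0 when the credentials are too close to rotation to be worth signing with.
    """
    remaining = int((cred_expiry - now - SAFETY_MARGIN).total_seconds())
    if remaining <= 0:
        return 0
    return min(requested_seconds, remaining)


def task_role_expiration():
    """Fetch the live task-role credentials from the ECS agent and return their expiry."""
    uri = os.environ["AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"]
    with urllib.request.urlopen(ECS_CREDENTIAL_ENDPOINT + uri, timeout=2) as resp:
        return parse_expiration(resp.read().decode())


def signing_credentials(min_validity_seconds, signing_role_arn):
    """Return (access_key, secret_key, token) valid for at least min_validity_seconds.

    Uses the task role directly when enough lifetime remains. Otherwise assumes
    signing_role_arn (hypothetical) via STS. Because the caller is itself a role,
    this is role chaining and STS caps DurationSeconds at one hour.
    """
    import boto3  # local import so the pure helpers above work without boto3

    now = datetime.now(timezone.utc)
    if usable_expires_in(min_validity_seconds, task_role_expiration(), now) >= min_validity_seconds:
        frozen = boto3.Session().get_credentials().get_frozen_credentials()
        return frozen.access_key, frozen.secret_key, frozen.token
    if min_validity_seconds > CHAINED_SESSION_LIMIT - SAFETY_MARGIN.seconds:
        raise ValueError("role chaining cannot provide more than 1 hour of validity")
    resp = boto3.client("sts").assume_role(
        RoleArn=signing_role_arn,
        RoleSessionName="presign",
        DurationSeconds=CHAINED_SESSION_LIMIT,
    )
    c = resp["Credentials"]
    return c["AccessKeyId"], c["SecretAccessKey"], c["SessionToken"]


def presign_get(creds, bucket, key, expires_in):
    """Generate the presigned GET with explicitly chosen credentials."""
    import boto3

    access_key, secret_key, token = creds
    s3 = boto3.client("s3", aws_access_key_id=access_key,
                      aws_secret_access_key=secret_key, aws_session_token=token)
    return s3.generate_presigned_url("get_object",
                                     Params={"Bucket": bucket, "Key": key},
                                     ExpiresIn=expires_in)
```

A caller wanting the 10 minutes from the question would run `presign_get(signing_credentials(600, ROLE_ARN), bucket, key, 600)`; the clamp in `usable_expires_in` is what prevents issuing a URL whose X-Amz-Expires promises more than the token can deliver.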
2

If a client receives a presigned URL right at the boundary of task role credential rotation, won't it stop working?

Yes. Pre-signed URLs are linked to the IAM entities that created them. Thus, in your case, if you generate the URL just before the IAM role's credentials expire, the URL will expire as well. This happens regardless of the expiry time of the URL itself.

To avoid that, an IAM user should be used to generate the pre-signed URLs, since an IAM user's credentials are permanent, unlike those of IAM roles.

You can also reduce the impact of the role's credential expiry time by increasing it to 12h, for example:

[screenshot from the original answer not reproduced]

Marcin
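To make concrete what "linked to the IAM entities that created them" means, here is an added example (not code from the question or either answer) of a minimal SigV4 query-string presigner and the matching signature check, written with the Python standard library only. It shows that the access key ID and, for temporary credentials, the session token are embedded in the URL as X-Amz-Credential and X-Amz-Security-Token and are covered by the signature: S3 validates the token on every request, so once it expires the URL is dead whatever X-Amz-Expires says, and a client cannot swap in a fresh token without invalidating the signature. Bucket, key, region, timestamp and credential values are constructed placeholders; the virtual-hosted-style host name and the UNSIGNED-PAYLOAD convention follow the public SigV4 rules for S3.

```python
"""Minimal SigV4 query presigner showing why a URL cannot outlive its session token."""
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, unquote, urlparse


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret_key, date, region, service):
    """Derive the SigV4 signing key: HMAC chain over date, region, service, terminator."""
    k = _hmac(("AWS4" + secret_key).encode(), date)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")


def presign_get(access_key, secret_key, session_token, bucket, key, region, amz_date, expires):
    """Return (url, params) for a presigned GET of s3://bucket/key.

    amz_date is 'YYYYMMDDTHHMMSSZ'. With temporary credentials the session token
    rides along as X-Amz-Security-Token and is part of the signed canonical request.
    """
    host = f"{bucket}.s3.{region}.amazonaws.com"
    date = amz_date[:8]
    scope = f"{date}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:
        params["X-Amz-Security-Token"] = session_token
    # Canonical query string: keys sorted, values RFC 3986 encoded.
    canonical_query = "&".join(
        f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))
    canonical_request = "\n".join([
        "GET",
        "/" + quote(key, safe="/"),
        canonical_query,
        f"host:{host}\n",      # canonical headers block (only host is signed)
        "host",
        "UNSIGNED-PAYLOAD",    # presigned S3 URLs do not hash the body
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    signature = hmac.new(_signing_key(secret_key, date, region, "s3"),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    params["X-Amz-Signature"] = signature
    url = f"https://{host}/{quote(key, safe='/')}?{canonical_query}&X-Amz-Signature={signature}"
    return url, params


def verify_signature(url, secret_key):
    """Recompute the signature the way the service would from the URL alone.

    Any change to the access key, token, date, expiry or object key breaks it,
    which is why a client cannot 'refresh' a presigned URL with a newer token.
    """
    parsed = urlparse(url)
    q = dict(parse_qsl(parsed.query, keep_blank_values=True))
    bucket, _, rest = parsed.netloc.partition(".s3.")
    region = rest.split(".")[0]
    access_key = q["X-Amz-Credential"].split("/")[0]
    key = unquote(parsed.path[1:])
    _, expected = presign_get(access_key, secret_key, q.get("X-Amz-Security-Token"),
                              bucket, key, region, q["X-Amz-Date"], int(q["X-Amz-Expires"]))
    return hmac.compare_digest(expected["X-Amz-Signature"], q["X-Amz-Signature"])
```

Note that nothing in the URL carries the token's own expiry; X-Amz-Expires only bounds the signature's lifetime relative to X-Amz-Date. The service checks both, which is exactly the behaviour quoted from the AWS knowledge-center article in the question.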