https://storagenews.top/tags/token/Recent content in Token on StorageNewsHugoenWed, 17 Jun 2026 00:00:00 +0000https://storagenews.top/posts/single-use-s3-presigned-urls-fix-the-credential-not-the-timer/Wed, 17 Jun 2026 00:00:00 +0000https://storagenews.top/posts/single-use-s3-presigned-urls-fix-the-credential-not-the-timer/<!-- wp:html --> <meta charset="utf-8"> <style> /* Platform CSS v3.0 */ :root { --primary-color: #4285f4; --primary-dark: #0057cc; --success-color: #34a853; --warning-color: #fbbc05; --error-color: #ea4335; --text-primary: #333333; --text-secondary: #666666; --text-light: #888888; --border-color: #e0e0e0; --background-light: #f8f9fa; --background-card: #ffffff; --background-code: #f5f5f5; --spacing-xs: 0.5rem; --spacing-sm: 1rem; --spacing-md: 1.5rem; --spacing-lg: 2rem; --border-radius: 8px; --border-radius-sm: 4px; --box-shadow: 0 2px 8px rgba(0,0,0,0.08); --box-shadow-hover: 0 4px 16px rgba(0,0,0,0.12); } .section-title { color: var(--text-primary); margin: var(--spacing-lg) 0 var(--spacing-sm); font-size: clamp(1.2rem, 3vw, 1.4rem); font-weight: 600; line-height: 1.3; } .subsection-title { color: var(--text-primary); margin: var(--spacing-md) 0 var(--spacing-xs); font-size: clamp(1.1rem, 2.5vw, 1.2rem); font-weight: 600; } .std-text { font-size: 1rem; line-height: 1.6; margin-bottom: var(--spacing-sm); color: var(--text-primary); } .card { border: 1px solid var(--border-color); padding: var(--spacing-sm); background: var(--background-card); border-radius: var(--border-radius); margin-bottom: var(--spacing-md); box-shadow: var(--box-shadow); transition: transform 0.2s ease, box-shadow 0.2s ease; } .card:hover { transform: translateY(-2px); box-shadow: var(--box-shadow-hover); } .emoji-list { font-size: 1rem; line-height: 1.7; margin-bottom: 0.8rem; padding: 0.8rem 0; border-bottom: 1px solid var(--border-color); color: var(--text-primary); } .emoji-list:last-child { border-bottom: none; } .emoji-list strong { color: var(--primary-color); font-weight: 600; } .table-container { width: 100%; overflow-x: auto; margin-bottom: var(--spacing-md); border-radius: var(--border-radius); box-shadow: var(--box-shadow); } .table-container + .table-container { margin-top: 1.5rem; } .data-table { width: 100%; min-width: 600px; border-collapse: collapse; background: white; } .data-table th, .data-table td { padding: var(--spacing-sm); border: 1px solid var(--border-color); font-size: 0.9rem; text-align: left; } .data-table th { background: var(--primary-color); color: white; font-weight: 700; white-space: nowrap; } .data-table td:first-child { font-weight: 700; } .data-table tbody tr:nth-child(even) { background: #f8f9ff; } .data-table tbody tr:nth-child(even) td { background: #f8f9ff !important; } .data-table tbody tr:nth-child(odd) td { background: white !important; } .data-table tr:hover td { background: #e8f0fe !important; } .responsive-img { max-width: 100%; height: auto; border-radius: var(--border-radius); box-shadow: var(--box-shadow); } figure { margin: var(--spacing-lg) auto; text-align: center; width: 100%; max-width: 100%; display: block; } figure img { margin: 0 auto; display: block; max-width: 100%; height: auto; } .img-caption { font-size: 0.9rem; color: var(--text-secondary); text-align: center; margin-top: var(--spacing-xs); font-style: italic; } .responsive-list { padding-left: 1.5rem; margin: var(--spacing-sm) 0; line-height: 1.7; } .responsive-list li { margin-bottom: var(--spacing-xs); padding-left: 0.5rem; } .responsive-list a { color: var(--primary-color); text-decoration: none; font-weight: 600; } .responsive-list a:hover { color: var(--primary-dark); text-decoration: underline; } .callout { display:flex; gap:16px; padding:20px; border-radius:12px; margin:24px 0; border-left:4px solid; } .callout-icon { font-size:24px; flex-shrink:0; } .callout-content { flex:1; } .callout-expert { background:#f0f7ff; border-color:#2563eb; } .callout-info { background:#f0fdf4; border-color:#16a34a; } .callout-warning { background:#fffbeb; border-color:#d97706; } .faq-section { margin: var(--spacing-lg) 0; padding: var(--spacing-lg) 0; border-top: 2px solid var(--border-color); } .faq-section-title { color: var(--text-primary); font-size: clamp(1.2rem, 3vw, 1.4rem); font-weight: 700; margin-bottom: var(--spacing-lg); text-align: center; } .faq-item { background: var(--background-card); border: 1px solid var(--border-color); border-radius: var(--border-radius); margin-bottom: var(--spacing-sm); overflow: hidden; transition: all 0.3s ease; } .faq-item:hover { border-color: var(--primary-color); box-shadow: var(--box-shadow-hover); transform: translateY(-2px); } .faq-question { background: var(--background-light); padding: var(--spacing-sm) var(--spacing-md); cursor: pointer; position: relative; transition: all 0.3s ease; border: none; width: 100%; text-align: left; font-family: inherit; } .faq-question:hover { background: #e8f0fe; } .faq-question-text { color: var(--text-primary); font-size: 1rem; font-weight: 600; line-height: 1.5; margin: 0; padding-right: 2rem; } .faq-answer { max-height: 0; overflow: hidden; transition: max-height 0.4s ease, padding 0.4s ease; padding: 0 var(--spacing-md); } .faq-item.active .faq-answer { max-height: 1000px; padding: 0 var(--spacing-md) var(--spacing-md); } .faq-answer-text { color: var(--text-secondary); font-size: 1rem; line-height: 1.7; margin: var(--spacing-sm) 0 0; } .about-section { background: var(--background-light); border-left: 4px solid var(--primary-color); border-radius: var(--border-radius); padding: var(--spacing-md) var(--spacing-lg); margin: var(--spacing-lg) 0; } .about-section .std-text { color: var(--text-secondary); font-size: 0.95rem; margin-bottom: 0; } .conclusion-section { border-top: 2px solid var(--border-color); padding-top: var(--spacing-lg); margin-top: var(--spacing-lg); } .conclusion-section .std-text { font-size: 1.05rem; line-height: 1.7; } @media (max-width: 768px) { .card { padding: 0.75rem; } .data-table { min-width: 100%; font-size: 0.8rem; } .data-table th, .data-table td { padding: 0.5rem 0.25rem; } .emoji-list { font-size: 0.95rem; } } @media (max-width: 480px) { .section-title { margin: var(--spacing-sm) 0 0.5rem; } .card { padding: 0.5rem; } .data-table th, .data-table td { padding: 0.4rem 0.2rem; font-size: 0.75rem; } } @media (prefers-reduced-motion: reduce) { *, *::before, *::after { animation-duration: 0.01ms !important; transition-duration: 0.01ms !important; } } </style> <!-- wp:html --> <style> /* CSS переменные - обновленная палитра в стиле Rabata.io */ :root { /* Основные цвета (Rabata-inspired) */ --primary-color: #2556BB; --primary-dark: #1a3d8a; --primary-light: rgba(37, 86, 187, 0.85); --accent-cyan: #8FE7F1; --success-color: #0CCB8D; --warning-color: #fbbc05; --error-color: #B82020; /* Текст и фон */ --text-primary: #1B1B1B; --text-secondary: #666666; --text-light: #A4A59F; --background-main: #FFFFF5; --background-card: #ffffff; --background-code: #f5f5f5; --background-light: #f8f9fa; --warning-bg: #fff8f8; /* Границы */ --border-color: #1B1B1B; --border-light: #D4D4D4; --border-radius: 8px; --border-radius-sm: 4px; --border-radius-lg: 40px; /* Отступы */ --spacing-xs: 0.5rem; --spacing-sm: 1rem; --spacing-md: 1.5rem; --spacing-lg: 2rem; --spacing-xl: 3rem; /* Тени (Brutalist style) */ --box-shadow: 3px 3px 0 0 var(--border-color); --box-shadow-hover: 4px 4px 0 0 var(--border-color); --box-shadow-soft: 0 2px 8px rgba(0,0,0,0.08); --box-shadow-soft-hover: 0 4px 16px rgba(0,0,0,0.12); /* Переходы */ --transition-fast: all ease 0.15s; --transition-normal: all ease 0.3s; } /* Основные стили */ .article-marker { background: var(--primary-color); color: var(--background-main); text-align: center; padding: var(--spacing-sm); margin: var(--spacing-lg) 0; font-size: 1rem; font-weight: 700; border-radius: var(--border-radius-sm); border: 2px solid var(--border-color); box-shadow: var(--box-shadow); transition: var(--transition-normal); } .article-marker:hover { background: var(--primary-light); transform: translate(2px, 2px); box-shadow: 1px 1px 0 0 var(--border-color); } .main-title { margin-bottom: var(--spacing-md); font-size: clamp(1.5rem, 4vw, 2rem); font-weight: 700; color: var(--text-primary); line-height: 1.2; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', 'Tektur', sans-serif; } .section-title { color: var(--text-primary); margin: var(--spacing-lg) 0 var(--spacing-sm); font-size: clamp(1.2rem, 3vw, 1.4rem); font-weight: 600; line-height: 1.3; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', 'Tektur', sans-serif; padding-bottom: 0.5rem; border-bottom: 1px solid var(--border-light); } .subsection-title { color: var(--text-primary); margin: var(--spacing-md) 0 var(--spacing-xs); font-size: clamp(1.1rem, 2.5vw, 1.2rem); font-weight: 600; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', 'Tektur', sans-serif; } .std-text { font-size: 1rem; line-height: 1.6; margin-bottom: var(--spacing-sm); color: var(--text-primary); font-family: -apple-system, BlinkMacSystemFont, 'Inter', 'Segoe UI', sans-serif; } /* Улучшенные карточки (Brutalist style) */ .card { border: 1px solid var(--border-color); padding: var(--spacing-md); background: var(--background-card); border-radius: var(--border-radius); margin-bottom: var(--spacing-md); box-shadow: var(--box-shadow); transition: var(--transition-normal); position: relative; } .card:hover { transform: translate(-2px, -2px); box-shadow: var(--box-shadow-hover); } .card::before { content: ''; position: absolute; top: 0; left: 0; right: 0; bottom: 0; border-radius: var(--border-radius); padding: 1px; background: linear-gradient(135deg, var(--primary-color), var(--accent-cyan)); -webkit-mask: linear-gradient(#fff 0 0) content-box, linear-gradient(#fff 0 0); -webkit-mask-composite: xor; mask-composite: exclude; opacity: 0; transition: var(--transition-normal); } .card:hover::before { opacity: 0.1; } .warning-box { border: 2px solid var(--error-color); padding: var(--spacing-md); background: var(--warning-bg); border-radius: var(--border-radius); margin-bottom: var(--spacing-lg); box-shadow: var(--box-shadow); position: relative; } .warning-box::before { content: '⚠️'; position: absolute; top: -12px; left: var(--spacing-md); background: var(--warning-bg); padding: 0 0.5rem; font-size: 1.2rem; } .warning-title { color: var(--error-color); margin-bottom: var(--spacing-xs); margin-top: 0.5rem; font-weight: 700; font-size: 1.1rem; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', 'Tektur', sans-serif; } /* Emoji списки с улучшенными отступами */ .emoji-list { font-size: 1rem; line-height: 1.7; margin-bottom: 0.8rem; padding: 0.8rem 0; border-bottom: 1px solid var(--border-light); color: var(--text-primary); background: transparent; transition: var(--transition-fast); } .emoji-list:hover { background: var(--background-light); padding-left: var(--spacing-xs); border-left: 3px solid var(--primary-color); } .emoji-list:last-child { border-bottom: none; margin-bottom: 0; } .emoji-list strong { color: var(--primary-color); font-weight: 600; } /* Адаптивные таблицы (Brutalist borders) */ .table-container { width: 100%; overflow-x: auto; margin-bottom: var(--spacing-md); border-radius: var(--border-radius); box-shadow: var(--box-shadow); border: 1px solid var(--border-color); } .data-table { width: 100%; min-width: 600px; border-collapse: collapse; background: white; } .data-table th, .data-table td { padding: var(--spacing-sm); border: 1px solid var(--border-color); font-size: 0.9rem; text-align: left; } .data-table th { background: var(--primary-color); color: var(--background-main); font-weight: 700; white-space: nowrap; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', 'Tektur', sans-serif; } .data-table td:first-child { font-weight: 600; font-size: 0.9rem; color: var(--text-primary); } .data-table tbody tr:nth-child(even) { background: #f8f9ff; } .data-table tbody tr:first-child { background: transparent !important; color: inherit !important; } .data-table tbody tr:first-child td { background: transparent !important; color: inherit !important; } .data-table tbody tr:nth-child(even) td { background: #f8f9ff !important; } .data-table tbody tr:nth-child(odd) td { background: white !important; } .data-table tr:hover td { background: #e8f0fe; transition: var(--transition-fast); } .data-table-caption { font-size: 0.9rem; color: var(--text-secondary); text-align: center; margin-top: var(--spacing-xs); font-style: italic; padding: var(--spacing-xs); } /* Улучшенные статус-теги (Brutalist style) */ .status-tag { display: inline-block; padding: 4px 12px; color: white; border-radius: 16px; font-size: 0.75rem; font-weight: 600; text-transform: uppercase; letter-spacing: 0.5px; box-shadow: 2px 2px 0 0 var(--border-color); border: 1px solid var(--border-color); transition: var(--transition-fast); font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', 'Tektur', sans-serif; } .status-tag:hover { transform: translate(1px, 1px); box-shadow: 1px 1px 0 0 var(--border-color); } .status-green { background: linear-gradient(135deg, var(--success-color), #2d8f47); border-color: #2d8f47; } .status-blue { background: linear-gradient(135deg, var(--primary-color), #3367d6); border-color: var(--primary-dark); } .status-yellow { background: linear-gradient(135deg, var(--warning-color), #f9ab00); color: #333; border-color: #f9ab00; } .status-red { background: linear-gradient(135deg, var(--error-color), #d33b2c); border-color: #d33b2c; } /* Адаптивные блоки кода (Brutalist borders) */ .code-block { font-family: 'Courier New', Consolas, Monaco, monospace; font-size: 0.85rem; background: var(--background-code); color: var(--text-primary); padding: var(--spacing-sm); border: 1px solid var(--border-color); border-radius: var(--border-radius); margin-bottom: var(--spacing-md); overflow-x: auto; line-height: 1.5; box-shadow: var(--box-shadow); position: relative; } .code-block::before { content: '</>'; position: absolute; top: -10px; left: var(--spacing-sm); background: var(--background-code); padding: 0 0.5rem; font-size: 0.75rem; color: var(--text-secondary); font-weight: 600; } /* Адаптивные изображения */ .responsive-img { max-width: 100%; height: auto; border-radius: var(--border-radius); box-shadow: var(--box-shadow); border: 1px solid var(--border-light); transition: var(--transition-normal); } .responsive-img:hover { box-shadow: var(--box-shadow-hover); transform: translate(-2px, -2px); } .img-caption { font-size: 0.9rem; color: var(--text-secondary); text-align: center; margin-top: var(--spacing-xs); font-style: italic; padding: var(--spacing-xs); background: var(--background-light); border-radius: var(--border-radius-sm); } /* Адаптивные списки */ .responsive-list { padding-left: 1.5rem; margin: var(--spacing-sm) 0; line-height: 1.7; } .responsive-list li { margin-bottom: var(--spacing-xs); padding-left: 0.5rem; position: relative; } .responsive-list li::marker { color: var(--primary-color); font-weight: 600; } .responsive-list a { color: var(--primary-color); text-decoration: none; font-weight: 600; transition: var(--transition-fast); border-bottom: 1px solid transparent; } .responsive-list a:hover { color: var(--primary-dark); border-bottom-color: var(--primary-color); } /* Медиа-запросы для мобильных устройств */ @media (max-width: 768px) { .article-marker { font-size: 0.9rem; padding: 0.75rem; margin: var(--spacing-sm) 0; } .card, .warning-box { padding: 0.75rem; margin-bottom: var(--spacing-sm); box-shadow: 2px 2px 0 0 var(--border-color); } .card:hover { box-shadow: 1px 1px 0 0 var(--border-color); transform: translate(1px, 1px); } .data-table { min-width: 100%; font-size: 0.8rem; } .data-table th, .data-table td { padding: 0.5rem 0.25rem; } .status-tag { font-size: 0.7rem; padding: 3px 8px; box-shadow: 1px 1px 0 0 var(--border-color); } .code-block { font-size: 0.8rem; padding: 0.75rem; box-shadow: 2px 2px 0 0 var(--border-color); } .emoji-list { font-size: 0.95rem; line-height: 1.6; } .responsive-list { padding-left: 1rem; } .responsive-img { box-shadow: 2px 2px 0 0 var(--border-color); } } @media (max-width: 480px) { .section-title { margin: var(--spacing-sm) 0 0.5rem; font-size: 1.1rem; } .subsection-title { margin: var(--spacing-sm) 0 0.5rem; font-size: 1rem; } .card, .warning-box { padding: 0.5rem; border-radius: var(--border-radius-sm); } .data-table th, .data-table td { padding: 0.4rem 0.2rem; font-size: 0.75rem; } .code-block { font-size: 0.75rem; padding: 0.5rem; } .table-container { box-shadow: 2px 2px 0 0 var(--border-color); } } /* Улучшение доступности */ @media (prefers-reduced-motion: reduce) { .card, .status-tag, .responsive-list a, .article-marker, .responsive-img, .emoji-list { transition: none; } .card:hover, .status-tag:hover, .article-marker:hover, .responsive-img:hover { transform: none; } } /* Дополнительные утилиты в стиле Rabata */ .card-highlight { border-left: 4px solid var(--primary-color); background: linear-gradient(to right, rgba(37, 86, 187, 0.05), transparent); } .text-primary { color: var(--primary-color); } .border-brutal { border: 2px solid var(--border-color); box-shadow: var(--box-shadow); } .border-brutal:hover { box-shadow: var(--box-shadow-hover); transform: translate(-2px, -2px); } </style> <!-- /wp:html --> <style>:root{--text-primary:var(--text,#333333);--background-card:var(--bg-card,#ffffff);--background-light:var(--bg-subtle,#f8f9fa);--background-code:var(--bg-subtle,#f5f5f5);--border-color:var(--border,#e0e0e0)}</style> <!-- /wp:html --> <!-- wp:html --> <script type="application/ld+json"> { "@context": "https://schema.org", "@type": "FAQPage", "mainEntity": [ { "@type": "Question", "name": "Why use single-use tokens instead of just setting a very short presigned URL expiry?", "acceptedAnswer": { "@type": "Answer", "text": "A short expiry still leaves a bearer credential valid for its whole window, and you cannot revoke it once issued. A single-use token decouples the durable, revocable artifact (the token in DynamoDB) from the disposable one (the URL), so reuse is blocked by a database state change rather than only by a timer you cannot take back." } }, { "@type": "Question", "name": "What actually prevents two simultaneous redemptions of the same token?", "acceptedAnswer": { "@type": "Answer", "text": "A DynamoDB conditional write. The update to mark a token used only commits if the row is still in its expected unused state, so among concurrent requests exactly one succeeds and the rest fail their condition and receive a 403. This is the single mechanism the whole pattern depends on, and it should be covered by a concurrency test." } }, { "@type": "Question", "name": "Does the presigned URL really last 30 seconds in this architecture?", "acceptedAnswer": { "@type": "Answer", "text": "No. The source states the URL expiration is configurable at deployment time and should be very short, but never fixes a number. Thirty seconds is a generic best-practice default from the wider literature, not a property of this solution. Choose the expiry deliberately based on your file sizes and retry needs." } }, { "@type": "Question", "name": "Why can't the system stream the file through Lambda instead of redirecting to S3?", "acceptedAnswer": { "@type": "Answer", "text": "Lambda caps both request and response payloads at 6 MB, so proxying object bytes through the function fails for any real file. The pattern redirects the client straight to S3, usually via an HTTP 302, which keeps the heavy transfer object-to-client and lets the compute layer move only tokens and a URL string." } }, { "@type": "Question", "name": "When is S3 One Zone-IA the right storage class for token-fronted objects?", "acceptedAnswer": { "@type": "Answer", "text": "When the data is regenerable or genuinely non-critical, such as temporary exports or logs. One Zone-IA is about 57% cheaper than Standard at roughly $0.01/GB/month, but it stores a single availability zone, so a zone loss means data loss. A short URL lifetime does not change that, so never use it for data you cannot recreate." } } ] } </script> <!-- /wp:html --> <!-- wp:html --> <style> .faq-section { margin: 24px 0; padding: 24px 0; border-top: 2px solid #e5e7eb; } .faq-section-title { color: #1a1a1a; font-size: clamp(1.2rem, 3vw, 1.4rem); font-weight: 700; margin-bottom: 24px; text-align: center; } .faq-item { background: #fff; border: 1px solid #e5e7eb; border-radius: 8px; margin-bottom: 12px; overflow: hidden; transition: all 0.3s ease; } .faq-item:hover { border-color: #2563eb; box-shadow: 0 4px 6px rgba(0,0,0,0.05); transform: translateY(-2px); } .faq-question { background: #f9fafb; padding: 12px 16px; cursor: pointer; position: relative; transition: all 0.3s ease; border: none; width: 100%; text-align: left; font-family: inherit; display: block; } .faq-question:hover { background: #e8f0fe; } .faq-question-text { color: #1a1a1a; font-size: 1rem; font-weight: 600; line-height: 1.5; margin: 0; padding-right: 2rem; display: inline-block; } .faq-answer { max-height: 0; overflow: hidden; transition: max-height 0.4s ease, padding 0.4s ease; padding: 0 16px; } .faq-item.active .faq-answer { max-height: 1000px; padding: 0 16px 16px; } .faq-answer-text { color: #4b5563; font-size: 1rem; line-height: 1.7; margin: 12px 0 0; } </style> <script> (function() { function initFAQ() { var qs = document.querySelectorAll(".faq-question"); for (var i = 0; i < qs.length; i++) { qs[i].addEventListener("click", function() { var item = this.closest(".faq-item"); var wasActive = item.classList.contains("active"); var allItems = document.querySelectorAll(".faq-item"); for (var j = 0; j < allItems.length; j++) { allItems[j].classList.remove("active"); } if (!wasActive) item.classList.add("active"); this.setAttribute("aria-expanded", String(!wasActive)); }); } } if (document.readyState === "loading") { document.addEventListener("DOMContentLoaded", initFAQ); } else { initFAQ(); } })(); </script> <!-- /wp:html --> <!-- wp:html --> <script type="application/ld+json"> { "@context": "https://schema.org", "@type": "TechArticle", "headline": "The Critical Security Gap Between Standard Presigned URLs and Single-Use Tokens", "description": "The 604,800-second expiration limit on native S3 presigned URLs forces a dangerous trade-off between accessibility and security. Relying on reusable links fo...", "author": { "@type": "Person", "name": "Marcus Chen" }, "datePublished": "2026-06-11T12:04:07.615Z", "url": "https://aws.amazon.com/blogs/storage/implement-single-exchange-tokens-for-short-lived-amazon-s3-presigned-urls-with-terraform/", "inLanguage": "en", "wordCount": 3590, "speakable": { "@type": "SpeakableSpecification", "cssSelector": [ ".article-intro", ".faq-answer" ] }, "about": [ { "@type": "Thing", "name": "single-use token" } ] } </script> <!-- /wp:html --> <!-- wp:paragraph {"className":"std-text"} --> <!-- /wp:paragraph --> <!-- wp:paragraph {"className":"std-text"} --> <p class="std-text">A platform team I reviewed last year had read the AWS guidance correctly and drawn exactly the wrong lesson from it. They knew presigned URLs expire, so they set every download link to the shortest window their retry logic could tolerate and called the access problem solved. Then a support engineer forwarded one of those links into a shared ticket thread to help a customer, the customer&#039;s CDN cached it, and a medical scan stayed pullable by anyone in that thread until the timer ran out.</p>