I have a question because recently I had to implement a way to expire static assets and I would like to hear creative/new ideas.
For example, I have all my static assets on S3 and I want to generate a link that will make data available for a long time (let's say 1 year) but with S3 signing you can only generate a link available for a week max.
How would you go about doing this without relying on another server?
I think this is what happened with the public bucket. They thought about how to deliver static assets without relying on a server and the only way they found is to make the bucket public.
I actually had to solve this exact problem recently. I set up a lifecycle policy for a known prefix in the bucket, so any item with that prefix is deleted after N amount of time. Then, when a link is requested to a static asset (which is stored at rest with a private ACL), it gets copied into the prefix, with a random name and a public ACL, and the new link gets served to the client.
So far I haven't seen any big drawbacks. It does mean storing the same objects multiple times in S3. But S3 storage is relatively cheap unless you have a huge amount of data. If bandwidth was ever a problem, it would be simple enough to wrap the transient prefix in a CDN.
If you want "clever" ideas, maybe a Lambda that moves off objects of a certain age to a private bucket?
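The lifecycle-policy approach described above, as an added example that is not code from the thread: the lifecycle rule expires everything under one prefix, and a request for a link copies the private object into that prefix under a random name with a public-read ACL. The bucket name, the `transient/` prefix, the 365-day retention and the in-memory `FakeS3` client are all constructed for the example; the two client calls use the keyword signatures of boto3's `put_bucket_lifecycle_configuration` and `copy_object`, so a real boto3 S3 client can be passed in place of the fake.

```python
"""Transient public copies of private S3 objects, expired by a lifecycle rule.

Added example, not from the thread. Bucket, prefix and the FakeS3 client are
constructed; the client calls mirror boto3's keyword signatures.
"""
import posixpath
import secrets
from typing import Dict, Tuple

TRANSIENT_PREFIX = "transient/"   # assumed: prefix the lifecycle rule targets
TRANSIENT_DAYS = 365              # assumed: how long a served link should live


def lifecycle_config(prefix: str = TRANSIENT_PREFIX, days: int = TRANSIENT_DAYS) -> dict:
    """Lifecycle configuration that deletes every object under `prefix` `days`
    after it was created. Objects at rest outside the prefix are untouched."""
    return {
        "Rules": [
            {
                "ID": "expire-transient-copies",
                "Filter": {"Prefix": prefix},
                "Status": "Enabled",
                "Expiration": {"Days": days},
            }
        ]
    }


def transient_key(source_key: str, prefix: str = TRANSIENT_PREFIX) -> str:
    """Random, unguessable name under the transient prefix; the extension is
    kept so the copy still serves with a sensible Content-Type."""
    ext = posixpath.splitext(source_key)[1]
    return f"{prefix}{secrets.token_urlsafe(32)}{ext}"


def publish_copy(s3, bucket: str, source_key: str, prefix: str = TRANSIENT_PREFIX) -> str:
    """Copy a private object to a public-read transient key and return the key
    to hand out. Only the copy is public; the source keeps its private ACL."""
    dest = transient_key(source_key, prefix)
    s3.copy_object(
        Bucket=bucket,
        Key=dest,
        CopySource={"Bucket": bucket, "Key": source_key},
        ACL="public-read",
    )
    return dest


class FakeS3:
    """Constructed stand-in for a boto3 S3 client so the example runs offline.
    Stores (body, acl) per key and records the lifecycle configuration."""

    def __init__(self) -> None:
        self.objects: Dict[Tuple[str, str], Tuple[bytes, str]] = {}
        self.lifecycle: Dict[str, dict] = {}

    def put_object(self, Bucket: str, Key: str, Body: bytes, ACL: str = "private") -> None:
        self.objects[(Bucket, Key)] = (Body, ACL)

    def copy_object(self, Bucket: str, Key: str, CopySource: dict, ACL: str = "private") -> None:
        body, _ = self.objects[(CopySource["Bucket"], CopySource["Key"])]
        self.objects[(Bucket, Key)] = (body, ACL)

    def put_bucket_lifecycle_configuration(self, Bucket: str, LifecycleConfiguration: dict) -> None:
        self.lifecycle[Bucket] = LifecycleConfiguration

    def acl_of(self, Bucket: str, Key: str) -> str:
        return self.objects[(Bucket, Key)][1]


def demo() -> Tuple[str, str, str]:
    """Set the rule, store one private asset, publish one transient copy.
    Returns (source ACL, copy ACL, copy key)."""
    s3 = FakeS3()
    bucket = "example-assets"     # constructed bucket name
    s3.put_bucket_lifecycle_configuration(Bucket=bucket, LifecycleConfiguration=lifecycle_config())
    s3.put_object(Bucket=bucket, Key="images/logo.png", Body=b"\x89PNG...", ACL="private")
    key = publish_copy(s3, bucket, "images/logo.png")
    return s3.acl_of(bucket, "images/logo.png"), s3.acl_of(bucket, key), key


if __name__ == "__main__":
    print(demo())
```

Two properties of the real service matter when deploying this: lifecycle expiration has day granularity and runs asynchronously, so a copy can outlive the nominal window by up to a day or so, and the random name is the only thing protecting the copy, so `ListBucket` on the transient prefix must stay denied (the same enumeration problem raised further down this thread) and the `public-read` ACL only works if the bucket's public-access block settings allow object ACLs.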
I disagree on what the issue was with their S3 bucket. As these were all public static assets, the real problem was just the ability to bulk enumerate them. As mentioned in the post, the two issues were:
1. ListObjects was enabled
2. The filenames lacked sufficient entropy (debatable in my opinion)