Private URL to Link to S3 Assets Using Cloudfront

[jasonsweis]

Hi, I tried using CLI to create a preassigned URL for an S3 asset, however the maximum expiration date is 7 days. I need the url to be active forever, while the asset stays private (non public). Does anyone have a quick step by step on how to use Cloudfront to do this?

[fviard]

As you have noticed, sadly, pre-signed url are limited to 7 days by aws.
So, nothing that could be done about that even with something else than s3cmd.

As a general rule, cloudfront would be similar to a "public" object, with just dns load balancing.
In your case, in my opinion, there is a very an easy solution:
store your object in a long random folder/base name.
Ex:
s3://mybucket/shared/case1/Fzefpifijs3459DFSL4opBNHJ5023234.FSDF/document.xls

Fzefpifijs3459DFSL4opBNHJ5023234.FSDF is kind of the secret key.
Because, in the end, it will be similar if you share a link like:
shared/case1/document.xls?signature=FsdFDSFG1234
and the previous link.
The only thing to take care is to give the public acl to the objects themselves, and not to the bucket so that no one can list the objects in your bucket and find the secret folder.

Just in case, if you wanted a step by step guide to cloudfront:
https://s3tools.org/kb/item7.htm
https://opsech.io/posts/2015/Nov/02/s3cmd-sync-and-cf-invalidation.html