1 Answer
Does AWS have documentation on migrating from the old authentication method to the new one? I've reviewed many sections, but I couldn't find the necessary information.
I conducted an investigation but did not uncover any documentation addressing a similar case.
How can I migrate from the old authentication method to the new one without downtime for the client? For me it's very important, because my clients should have access to private images 24/7.
🤔 A solution that may avoid this downtime would be to use a dual-authentication approach during the migration process.
You can temporarily sign URLs using both the old key pair and the new key group. This can be managed by generating two sets of URLs, one with each method, and using some form of logic in your application to determine which URL to serve based on the validity of the keys.
Things to consider:
- Modify your application logic to generate and handle both types of signed URLs.
- This overlap should exist until you are sure all old URLs have expired and are no longer being accessed by clients.
- Once accesses drop to zero or near zero, and you are outside of the longest expiration window of the old URLs, you can proceed to carefully remove the old key pair trusted signers.
- After you've successfully verified that no old URLs are in use and all new URLs are being signed with the new method, update and simplify your application logic to only use the new key group method.
⚠️ Please note that I haven't attempted this solution previously. This is just an idea that might be effective. Please let me know if it meets your requirements.
I'm thinking of changing the TTL (expiration time for URL) to near real-time, for example, 10 seconds. This way, CloudFront would generate a new URL after 10 seconds, freeing me from dependency on the old key generated by the root user. In this case, I would experience minimal downtime of 10 seconds, which is acceptable since implementing an additional authentication mechanism would be more complex. What do you think?
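The dual-signing approach described in the answer above, together with the expiry-window reasoning behind the short-TTL idea in this follow-up comment, as an added example that is not code from the thread or from AWS. The canned-policy JSON, the URL-safe base64 variant and the `Expires`/`Signature`/`Key-Pair-Id` query layout follow the public CloudFront signed-URL format; the RSA-SHA1 private-key signer is injected as a callable so the file runs offline with a constructed HMAC placeholder (a real deployment plugs in an RSA-SHA1 signer over the private key, for instance botocore's `CloudFrontSigner`). The key IDs, hostnames and log query strings are constructed sample values.

```python
"""Dual-signing CloudFront URLs while migrating from trusted signers to a key group.

Added example, not from the re:Post thread. Policy and URL layout follow the
public CloudFront canned-policy format; the signer is injected so this runs
offline with a placeholder instead of a real RSA-SHA1 private-key signature.
"""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Callable, Dict, Iterable
from urllib.parse import parse_qs

Signer = Callable[[bytes], bytes]   # policy bytes -> signature bytes (RSA-SHA1 in production)


def canned_policy(url: str, expires: int) -> bytes:
    """Canned policy exactly as CloudFront expects it: compact JSON, no whitespace."""
    policy = {"Statement": [{"Resource": url,
                             "Condition": {"DateLessThan": {"AWS:EpochTime": expires}}}]}
    return json.dumps(policy, separators=(",", ":")).encode("utf-8")


def cloudfront_b64(data: bytes) -> str:
    """CloudFront's URL-safe base64 variant: '+' -> '-', '=' -> '_', '/' -> '~'."""
    return (base64.b64encode(data).decode("ascii")
            .replace("+", "-").replace("=", "_").replace("/", "~"))


def build_signed_url(url: str, expires: int, key_id: str, signer: Signer) -> str:
    """Key-Pair-Id carries the old key pair ID or the new key group's public key ID."""
    signature = cloudfront_b64(signer(canned_policy(url, expires)))
    sep = "&" if "?" in url else "?"
    return f"{url}{sep}Expires={expires}&Signature={signature}&Key-Pair-Id={key_id}"


@dataclass
class SigningKey:
    key_id: str
    signer: Signer


@dataclass
class MigrationSigner:
    """Always signs with the new key group; while dual_mode is on, also with the old key pair."""
    old: SigningKey
    new: SigningKey
    ttl_seconds: int
    dual_mode: bool = True

    def sign(self, url: str, now: int) -> Dict[str, str]:
        expires = now + self.ttl_seconds
        urls = {"new": build_signed_url(url, expires, self.new.key_id, self.new.signer)}
        if self.dual_mode:
            urls["old"] = build_signed_url(url, expires, self.old.key_id, self.old.signer)
        return urls


def key_ids_seen(query_strings: Iterable[str]) -> Dict[str, int]:
    """Count Key-Pair-Id values in request query strings (e.g. the cs-uri-query column of access logs)."""
    counts: Dict[str, int] = {}
    for q in query_strings:
        for key_id in parse_qs(q).get("Key-Pair-Id", []):
            counts[key_id] = counts.get(key_id, 0) + 1
    return counts


def safe_to_remove_old_signer(now: int, last_old_url_issued: int, max_old_ttl: int,
                              old_key_id: str, seen: Dict[str, int]) -> bool:
    """True once the longest-lived old URL has expired and no request still presents the old key ID."""
    return now >= last_old_url_issued + max_old_ttl and seen.get(old_key_id, 0) == 0


def placeholder_signer(secret: bytes) -> Signer:
    """Constructed stand-in for the RSA-SHA1 private-key signer; not valid for real CloudFront."""
    return lambda policy: hmac.new(secret, policy, hashlib.sha1).digest()


if __name__ == "__main__":
    # Constructed sample key IDs; real values come from the CloudFront console.
    signer = MigrationSigner(
        old=SigningKey("APKAEXAMPLEOLDKEY", placeholder_signer(b"old-key-placeholder")),
        new=SigningKey("KEXAMPLENEWPUBKEY", placeholder_signer(b"new-key-placeholder")),
        ttl_seconds=3600,
    )
    for name, u in signer.sign("https://d111111abcdef8.cloudfront.net/private/image.jpg",
                               now=1700000000).items():
        print(name, u)
```

`safe_to_remove_old_signer` encodes the answer's cutover rule: wait out the longest expiration window of the last old-key URL and confirm from the access logs that no request still carries the old `Key-Pair-Id`. With `ttl_seconds=10` that window is the 10 seconds the comment describes, but a 10-second TTL also means any client that fetches later than 10 seconds after the URL was issued gets a 403 permanently, not only during the cutover, so the TTL has to suit normal client behaviour as well.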