Hello, we're building an app for multiple users and would like to prevent anyone who gets the signed URL from accessing the asset (same use case as this unsolved forum post: https://support.cloudinary.com/hc/en-us/community/posts/360043417672-Private-Authenticated-Media-still-accessible-to-anyone-with-link).
Here's what I've read:
- Private assets are only accessible with a signed URL https://cloudinary.com/documentation/control_access_to_media#private_media_assets
- Anyone with a signed URL is able to access the file https://support.cloudinary.com/hc/en-us/community/posts/115001874511-Authenticated-or-private-images-still-accessible-to-anyone-with-access-to-the-URL
- Signed URLs are a combination of the transformation + the path + the private-key https://cloudinary.com/documentation/advanced_url_delivery_options#generating_delivery_url_signatures
- As the signed URLs are a combination of those previously noted params, we assume that they do not have an expiration date, is that right? Assuming that, every person who has a signed URL will have access to that asset unless we rotate the API secret?
- As Cloudinary infrastructure seems to use S3, is it possible to implement an expiration time as with S3 signed URLs?
- If we try the solution of signed_download_url (https://support.cloudinary.com/hc/en-us/articles/202519892-What-s-the-difference-between-the-private-download-url-and-the-signed-download-url-methods), we are not able to apply any transformation?
- Is there another way to achieve the best result for our use case?
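
The difference the question turns on, as an added example that is not part of the original post and is not Cloudinary's signing code: a generic HMAC scheme comparing a signature over transformation + path only with one that also covers an expiry timestamp. The secret, URL layout and function names are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # constructed value, not a real API secret


def _mac(message: str) -> str:
    # Truncated HMAC-SHA256 over the string to sign (hypothetical format).
    return hmac.new(SECRET, message.encode(), hashlib.sha256).hexdigest()[:32]


def sign_static(transformation: str, path: str) -> str:
    """Sign transformation + path only: the same inputs always give the same URL."""
    resource = f"{transformation}/{path}"
    return f"/s--{_mac(resource)}--/{resource}"


def verify_static(url: str) -> bool:
    _, sig_part, resource = url.split("/", 2)
    expected = f"s--{_mac(resource)}--"
    return hmac.compare_digest(sig_part.encode(), expected.encode())


def sign_expiring(transformation: str, path: str, expires_at: int) -> str:
    """Sign transformation + path + expiry, and carry the expiry in the URL."""
    resource = f"{transformation}/{path}"
    return f"/{resource}?exp={expires_at}&sig={_mac(f'{resource}|{expires_at}')}"


def verify_expiring(url: str, now: int) -> bool:
    resource, _, query = url.partition("?")
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    exp, sig = params.get("exp", ""), params.get("sig", "")
    if not (exp.isascii() and exp.isdigit()):
        return False
    expected = _mac(f"{resource.lstrip('/')}|{exp}")
    # Check the MAC first so an edited exp value is rejected, then the clock.
    mac_ok = hmac.compare_digest(sig.encode(), expected.encode())
    return mac_ok and now < int(exp)
```

With the static form nothing in the signed string changes over time, so a leaked URL verifies until the secret changes; with the expiring form the verifier rejects the URL once `now` reaches `exp`, and editing `exp` invalidates the signature.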