Heuristic:Treeverse LakeFS Presigned URL Expiry Tip




Knowledge Sources
Domains Security, Optimization
Last Updated 2026-02-08 10:00 GMT

Overview

Presigned URLs across all storage providers (S3, GCS, Azure) expire after 15 minutes by default, and the presigned UI is disabled by default for security.

Description

lakeFS generates presigned URLs to allow direct client-to-storage access for object uploads and downloads. All three supported cloud providers share the same 15-minute default expiry. The presigned URL feature for the web UI is disabled by default across all providers (`disable_pre_signed_ui = true`), requiring explicit opt-in. This security-first default prevents accidental exposure of storage objects through the browser. Presigned URLs are not supported for the local filesystem blockstore.

Usage

Use this heuristic when configuring presigned URL behavior for production deployments, troubleshooting expired presigned URL errors, or implementing direct-upload workflows via the S3 gateway. If users report URL expiration errors during large file uploads, consider increasing the expiry duration.

The Insight (Rule of Thumb)

  • Action: Configure `blockstore.{s3,gs,azure}.pre_signed_expiry` to match your longest expected upload/download duration.
  • Value: Default is 15 minutes. Increase for large file transfers; reduce for tighter security.
  • Trade-off: Longer expiry means more time for uploads to complete, but also a wider window for URL misuse if leaked. The disabled-by-default UI setting prevents casual browser-based access to presigned URLs.
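One way to apply this rule of thumb during a configuration review, as an added example that is not lakeFS code: the check compares each provider's expiry with the time the slowest client needs for the largest object and with a site ceiling, and reports when the presigned UI has been switched on. The `Policy` type, the `Audit` function, the flattened key/value input and the placement of `disable_pre_signed_ui` under `blockstore.<provider>.` are assumptions made for the example.

```go
package main

import (
	"fmt"
	"time"
)

const defaultExpiry = 15 * time.Minute // default shown on the page for s3, gs and azure

// Policy holds hypothetical site limits; it is not a lakeFS type.
type Policy struct {
	MaxExpiry     time.Duration // longest lifetime the site accepts for a leaked URL
	LargestObject int64         // bytes in the largest expected transfer
	MinThroughput int64         // bytes per second on the slowest client link
}

// Audit checks flattened settings (key -> value) for one provider: "s3", "gs" or "azure".
func Audit(provider string, cfg map[string]string, p Policy) []string {
	var findings []string
	prefix, expiry := "blockstore."+provider+".", defaultExpiry
	if v, ok := cfg[prefix+"pre_signed_expiry"]; ok {
		d, err := time.ParseDuration(v)
		if err != nil || d <= 0 {
			return []string{prefix + "pre_signed_expiry: invalid duration " + v}
		}
		expiry = d
	}
	if p.MinThroughput > 0 { // time the slowest client needs for the largest object
		if need := time.Duration(p.LargestObject/p.MinThroughput) * time.Second; expiry < need {
			findings = append(findings, fmt.Sprintf("%s: expiry %s is shorter than the longest transfer (%s)", provider, expiry, need))
		}
	}
	if expiry > p.MaxExpiry {
		findings = append(findings, fmt.Sprintf("%s: expiry %s exceeds the policy ceiling %s", provider, expiry, p.MaxExpiry))
	}
	// An absent key keeps the default (true); only an explicit "false" enables the UI.
	if cfg[prefix+"disable_pre_signed_ui"] == "false" { // key path under the provider is assumed
		findings = append(findings, provider+": presigned URLs are enabled in the web UI")
	}
	return findings
}

func main() {
	// Constructed sample settings, not taken from a real deployment.
	cfg := map[string]string{"blockstore.s3.pre_signed_expiry": "2h", "blockstore.s3.disable_pre_signed_ui": "false"}
	for _, f := range Audit("s3", cfg, Policy{time.Hour, 20 << 30, 10 << 20}) {
		fmt.Println(f)
	}
}
```

With the constructed policy (20 GiB largest object, 10 MiB/s slowest link, 1 hour ceiling), the default 15-minute expiry is reported as too short, while the 2-hour sample value is reported as exceeding the ceiling.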

Reasoning

The 15-minute default balances usability (most file operations complete well within this window) with security (limits the window of potential URL misuse). The UI disabled-by-default setting reflects a security-first approach: presigned URLs bypass lakeFS access controls by going directly to the underlying storage, so they should only be enabled when explicitly needed. Azure operations have a separate 10-minute `try_timeout` that is distinct from presigned URL expiry.

Code Evidence

Presigned expiry constants from `pkg/config/defaults.go:29-37`:

```go
DefaultBlockstoreS3PreSignedExpiry                = 15 * time.Minute
DefaultBlockstoreGSPreSignedExpiry                = 15 * time.Minute
DefaultBlockstoreAzurePreSignedExpiry             = 15 * time.Minute

DefaultBlockstoreS3DisablePreSignedUI             = true
DefaultBlockstoreGSDisablePreSignedUI             = true
DefaultBlockstoreAzureDisablePreSignedUI          = true
```

Block adapter default from `pkg/block/adapter.go:63`:

```go
const DefaultPreSignExpiryDuration = 15 * time.Minute
```

Azure try timeout (separate from presigned expiry) from `pkg/config/defaults.go:35`:

```go
DefaultBlockstoreAzureTryTimeout = 10 * time.Minute
```
