I'm experimenting with adding Azure Blob Storage support and noticed that direct serving isn't implemented for S3 yet.
Proposed Implementation:
- Unified Signed URLs: Instead of writing separate SDK code paths for Azure and S3, we can leverage `gocloud.dev/blob`. A single call to `blob.Bucket.SignedURL(ctx, key, &blob.SignedURLOptions{Method: "GET", Expiry: ttl})` already works for both drivers under the hood (generating SigV4 for S3 and User Delegation SAS for Azure).
- Security Policy Flag: We need to introduce a per-handler `CanDirectServe()` policy flag. This ensures we don't accidentally leak artifacts from authenticated upstreams via public presigned URLs.
- Refactor Cache-Hit Accounting: Currently, cache hits are counted on the `io.Copy` path. Because issuing a 302 redirect will bypass `io.Copy`, we need to move the accounting logic higher up so we don't lose those metrics.
- Managed Identities / Workload Identity should work here, as it's supported in `gocloud.dev/blob`.
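Sketch of how the three pieces above fit together, as an added example that is not part of this proposal or the project's code: the per-handler `CanDirectServe()` gate, the hit counter moved ahead of the response path so 302s are still counted, and a `URLSigner` interface standing in for `blob.Bucket.SignedURL` (the `StubSigner`, the `Handler.PublicContent` field and the `Cache` struct are constructed for illustration).

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"sync/atomic"
	"time"
)

// URLSigner is the one method this path needs from a bucket. A gocloud.dev
// *blob.Bucket can be adapted to it by calling SignedURL with
// &blob.SignedURLOptions{Method: "GET", Expiry: ttl} (assumed adapter, not shown).
type URLSigner interface {
	SignedURL(ctx context.Context, key string, ttl time.Duration) (string, error)
}

// StubSigner is a constructed stand-in for a real bucket so this runs offline.
type StubSigner struct{ Base string }

func (s StubSigner) SignedURL(_ context.Context, key string, ttl time.Duration) (string, error) {
	return fmt.Sprintf("%s/%s?expires=%d", s.Base, key, int64(ttl.Seconds())), nil
}

// Handler is the per-upstream policy. Only upstreams whose content is public
// may be direct-served; artifacts fetched from authenticated upstreams must
// never be exposed through a presigned URL (PublicContent is a hypothetical field).
type Handler struct {
	Name          string
	PublicContent bool
}

func (h Handler) CanDirectServe() bool { return h.PublicContent }

// Cache counts hits before the response path is chosen, so redirects that
// never reach the io.Copy path are still accounted for.
type Cache struct {
	Hits   atomic.Int64
	Signer URLSigner
	TTL    time.Duration
	Stream func(w http.ResponseWriter, key string) // the existing io.Copy path
}

func (c *Cache) ServeHit(w http.ResponseWriter, r *http.Request, h Handler, key string) {
	c.Hits.Add(1) // accounted once, regardless of which branch answers
	if h.CanDirectServe() {
		if u, err := c.Signer.SignedURL(r.Context(), key, c.TTL); err == nil {
			http.Redirect(w, r, u, http.StatusFound)
			return
		}
	}
	c.Stream(w, key) // authenticated upstream, or signing failed: proxy the bytes
}
```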