---
component: provenance-governor
version: "1.7"
slug: provenance-governor/app-config-presigned-access
canonical_url: "https://docs.gradle.com/develocity/provenance-governor/1.7/app-config-presigned-access/"
title: "Presigned Access Configuration"
description: "Guide to configuring presigned URL authentication for Develocity Provenance Governor."
keywords:
- "attestation"
- "authentication"
- "access control"
status: current
---
# Presigned Access Configuration
Develocity Provenance Governor supports HMAC-SHA256 presigned URL authentication for `/packages/\**` endpoints. Presigned URLs provide time-limited, credential-free access to package attestation data — ideal for CI/CD pipelines, artifact proxies, and read-only integrations where embedding authorization headers is impractical.
When presigned access is not configured, the feature is completely inert and has no effect on other authentication mechanisms.
## Configuration Properties
| Property | Type | Default | Description |
| --- | --- | --- | --- |
| presigned-access.keys | map | empty | Map of key ID to base64-encoded HMAC secret. Each key must be at least 32 bytes (256 bits) of cryptographically secure random data. |
| presigned-access.active-key-id | string | none | The key ID used when generating new presigned URLs. Must reference a key in the keys map. |
| presigned-access.ttl | duration | PT15M | Time-to-live for generated URLs (ISO 8601 duration format). |
## Generating Keys
Each key must be raw random bytes from a cryptographically secure random number generator (CSPRNG), base64-encoded. Do not use human-readable passwords or passphrases.
```shell
openssl rand -base64 32
```
Store keys in a secrets manager (e.g., HashiCorp Vault, AWS Secrets Manager) or a Kubernetes Secret. Never commit keys to source control.
## Single-Key Configuration
The simplest configuration uses one key:
```yaml
presigned-access:
active-key-id: key-1
keys:
key-1: 5fG3pLq9zX+kR2mN8wTjYhVbCdEfAiOuSxWnHlMpJQ0=
```
## Key Rotation
To rotate keys with zero downtime:
1. **Add the new key** to the `keys` map alongside the existing key.
2. **Promote the new key** by updating `active-key-id`.
3. **Remove the old key** after its TTL has elapsed, ensuring no in-flight signed URLs still reference it.
```yaml
presigned-access:
active-key-id: key-2
ttl: PT15M
keys:
key-1: 5fG3pLq9zX+kR2mN8wTjYhVbCdEfAiOuSxWnHlMpJQ0=
key-2: aB7cD9eF1gH3iJ5kL7mN9oP1qR3sT5uV7wX9yZ1aB3c=
```
In this example, `key-2` is used for generating new URLs, while `key-1` remains valid for verifying previously issued URLs until it is removed.
## Query Parameter Convention
A presigned URL includes four query parameters that are validated by Develocity Provenance Governor:
| Parameter | Description |
| --- | --- |
| X-Dpg-Expires | Expiration time as Unix epoch seconds. |
| X-Dpg-KeyId | Identifier of the HMAC key used to sign the URL. |
| X-Dpg-Principal | URN of the identity that authorized access (e.g., urn:basic-identity:ci-bot). |
| X-Dpg-Signature | Base64url-encoded HMAC-SHA256 signature. |
The signature covers the HTTP method, path, expiry, and principal. Additional query parameters (e.g., pagination) may be appended without invalidating the signature.
**Example presigned URL:**
```
GET https://provenance-governor.example.com/packages/maven/com.example/lib/1.0.0
?X-Dpg-Expires=1700000900
&X-Dpg-KeyId=key-1
&X-Dpg-Principal=urn%3Abasic-identity%3Aci-bot
&X-Dpg-Signature=
```
## Security Considerations
* Keys shorter than 32 bytes are rejected at startup.
* Signature comparison uses constant-time comparison to prevent timing attacks.
* The generating principal’s URN appears in query strings and server logs. Avoid using identities that contain PII (e.g., email addresses). Prefer dedicated service accounts such as `ci-bot` or `artifact-proxy`.
* The default 15-minute TTL limits the window of exposure for a leaked URL. Increasing the TTL via `presigned-access.ttl` trades convenience for a larger exposure window.
* Presigned URLs grant `read-attestations` authority only.