"Show complete raw" while we access this page, the s3 URL is generated for Jobs Logs, which is accessible in private window without any credentials for 5 min

“Show complete raw”: while we access this page, the S3 URL is generated for Job Logs in raw format. If we copy that URL and try to access it in a private window, we are able to view the complete logs without any credentials for 5 min.

Below is the URL when we click on “Show complete raw” under pipeline/jobs:

https://bucket-gitlab-artifacts.s3.eu-central-1.amazonaws.com/aa/f5/aaf50xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/2023_04_01/12111958/13925749/job.log?response-content-type=text%2Fplain%3B charset%3Dutf-8&response-content-disposition=inline&X-Amz-Expires=600&X-Amz-Date=20230404T080527Z&X-Amz-Security-Token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx%xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxAlgorithm=AWS4-HMAC-SHA256&X-Amz-Credential=XXXXXXXXXXXXXXX%2F20230404%2Feu-central-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

The screenshot below shows the bucket permissions which we have set in S3.

Below is the configuration which we have set in the gitlab.rb file:

# Store CI job artifacts (the job.log above is one of them) in S3 instead of on local disk
gitlab_rails['artifacts_object_store_enabled'] = true
gitlab_rails['artifacts_object_store_remote_directory'] = "bucket-gitlab-artifacts"
gitlab_rails['artifacts_object_store_connection'] = {
  'provider' => 'AWS',
  'region' => 'eu-central-1',
  # Authenticate to S3 with the instance's IAM role rather than static access keys
  'use_iam_profile' => true
}

As this generated URL is a pre-signed URL, is there any way we can require user credential validation if we try to access it from a private window?
Kindly let us know how we can avoid this security issue.

@balonik @bleser @rpadovani
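To make the behaviour described in the post concrete, here is an added example (editor's illustration, not code from the post, from GitLab or from AWS) that parses a SigV4 pre-signed URL of the same shape as the one quoted above and computes the access window it encodes. The URL below is a constructed sample with placeholder credential, token and signature values; the query parameter names (X-Amz-Date, X-Amz-Expires, X-Amz-SignedHeaders) are the standard AWS Signature Version 4 query parameters and carry the same meaning as in the real URL.

```ruby
require 'uri'

# Constructed sample modelled on the URL shape in the post; every secret-looking
# value is a placeholder, and the literal space in the original query is encoded as %20.
SAMPLE_URL = 'https://bucket-gitlab-artifacts.s3.eu-central-1.amazonaws.com' \
             '/aa/f5/PLACEHOLDER_HASH/2023_04_01/12111958/13925749/job.log' \
             '?response-content-type=text%2Fplain%3B%20charset%3Dutf-8' \
             '&response-content-disposition=inline' \
             '&X-Amz-Expires=600' \
             '&X-Amz-Date=20230404T080527Z' \
             '&X-Amz-Security-Token=PLACEHOLDER_TOKEN' \
             '&X-Amz-Algorithm=AWS4-HMAC-SHA256' \
             '&X-Amz-Credential=PLACEHOLDER_KEY%2F20230404%2Feu-central-1%2Fs3%2Faws4_request' \
             '&X-Amz-SignedHeaders=host' \
             '&X-Amz-Signature=PLACEHOLDER_SIGNATURE'

# Parse the SigV4 query parameters and return the validity window encoded in the URL.
# X-Amz-Date is the UTC time the URL was signed; X-Amz-Expires is a lifetime in seconds.
def presigned_window(url)
  params  = URI.decode_www_form(URI(url).query).to_h
  date    = params.fetch('X-Amz-Date')
  expires = Integer(params.fetch('X-Amz-Expires'))
  m = date.match(/\A(\d{4})(\d{2})(\d{2})T(\d{2})(\d{2})(\d{2})Z\z/) or
    raise ArgumentError, "unexpected X-Amz-Date format: #{date}"
  issued = Time.utc(*m.captures.map(&:to_i))
  {
    issued_at:      issued,
    expires_in:     expires,
    expires_at:     issued + expires,
    # Only these request headers are covered by the signature. With "host" alone,
    # nothing about the client (cookies, session, IP) is bound to the URL.
    signed_headers: params.fetch('X-Amz-SignedHeaders')
  }
end

# True if a holder of the URL could still fetch the object at +now+ without any
# GitLab session: the signature in the URL is the credential, so the time window
# is the only thing that gates access once the URL has been copied.
def usable_at?(url, now)
  w = presigned_window(url)
  now >= w[:issued_at] && now < w[:expires_at]
end

# Human-readable summary of the window, useful when triaging a leaked URL.
def describe(url)
  w = presigned_window(url)
  format('signed at %s, valid for %d s (until %s), signed headers: %s',
         w[:issued_at].utc, w[:expires_in], w[:expires_at].utc, w[:signed_headers])
end

if __FILE__ == $PROGRAM_NAME
  puts describe(SAMPLE_URL)
  puts "usable 5 min after signing:  #{usable_at?(SAMPLE_URL, Time.utc(2023, 4, 4, 8, 10, 27))}"
  puts "usable 15 min after signing: #{usable_at?(SAMPLE_URL, Time.utc(2023, 4, 4, 8, 20, 27))}"
end
```

The point the parser makes explicit: the bucket policy in the screenshot is not what authorises the private-window request, the signature in the query string is, and it is bound only to the `host` header and the time window. Shortening the window limits exposure of a copied URL but cannot add per-user validation to it; binding access to the GitLab session means GitLab has to serve the object itself instead of redirecting to S3 (GitLab's object storage settings have a proxy_download option for this, for example `gitlab_rails['artifacts_object_store_proxy_download'] = true` in the per-type configuration form used above; this is a documented option, not something on this page, so check it against the documentation for the GitLab version in use).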