Cloud Storage signed URL expiry blocking ERP file uploads for purchase orders

susan_732 · December 25, 2024, 10:20am

Our ERP system generates signed URLs for uploading purchase order attachments to Cloud Storage, but we’re losing files because URLs expire before users complete uploads. The workflow allows users to attach multiple documents (quotes, specifications, contracts) to a PO, but if they take more than 15 minutes, uploads fail with 403 errors.

Current signed URL generation:

url = bucket.blob(filename).generate_signed_url(
    expiration=datetime.timedelta(minutes=15),
    method='PUT'
)

This is causing missing attachments in our purchase order workflow, especially for large files or when users are interrupted. We’ve had complaints from procurement teams about lost work. What’s the right balance between security and usability for signed URL expiration in file upload scenarios?

charles_558 · January 7, 2025, 9:45pm

Have you looked into resumable uploads? They’re specifically designed for this use case. With resumable uploads, even if the connection drops or the user pauses, they can resume from where they left off. The session URL expires after 7 days by default, which is much more forgiving. This would solve both your reliability and timeout issues without compromising security.

rachel_analyst · January 11, 2025, 11:37am

For the purchase order workflow, you might also want to implement client-side upload progress tracking. This way, your ERP UI can detect when an upload is taking too long and proactively request a new signed URL before the current one expires. We do this with a 2-minute warning threshold - if upload isn’t complete with 2 minutes remaining, refresh the URL automatically.

megha_king · January 22, 2025, 1:53am

Here’s a comprehensive solution addressing all three focus areas:

Signed URL Expiration Strategy: Increase expiration to 60-90 minutes for better reliability while maintaining security:

url = bucket.blob(filename).generate_signed_url(
    expiration=datetime.timedelta(minutes=60),
    method='PUT',
    content_type='application/octet-stream'
)

For sensitive environments, implement URL refresh:

# Client requests refresh when 80% of time elapsed
if (elapsed_time / expiration_time) > 0.8:
    new_url = refresh_signed_url(file_id)

File Upload Reliability: Switch to resumable uploads for files >5MB:

from google.cloud import storage

blob = bucket.blob(filename)
with open(local_file, 'rb') as file_obj:
    blob.upload_from_file(
        file_obj,
        size=file_size,
        checksum='md5'
    )

Implement client-side chunked uploads with retry logic for network interruptions. Add upload progress tracking so users know their files are processing.

Purchase Order Workflow Integration:

Generate signed URLs with 60-minute expiration when user opens PO attachment dialog
Store upload session metadata in your ERP database (file_id, expiration, status)
Implement server-side validation after upload completes
Add webhook endpoint to receive Cloud Storage notifications on successful uploads
Display real-time upload status in PO interface
Prevent PO submission if required attachments are missing or uploads pending

For your specific use case with 2-5 files per PO:

Generate all signed URLs upfront when attachment dialog opens
Use 60-minute expiration (plenty of time for multiple uploads)
Implement parallel uploads for better user experience
Add automatic retry for failed uploads
Show clear error messages if URLs expire (with one-click regenerate option)

This approach balances security (URLs still expire, scoped to specific operations) with reliability (enough time for real-world upload scenarios). Monitor actual upload times using Cloud Storage metrics to fine-tune expiration values based on your user patterns.

rachel_analyst · December 30, 2024, 10:03pm

Before extending expiration times, consider your security requirements. Are these URLs being shared or embedded in emails? If so, longer expiration increases exposure window. A better approach might be implementing a token refresh mechanism where your ERP backend can regenerate URLs on demand when the client detects approaching expiration. This gives you both security and reliability.

marie_func · January 6, 2025, 7:51am

The URLs are generated on-demand when users click ‘Attach File’ in the PO form. They’re not shared externally or emailed. Users typically upload 2-5 files per PO, with sizes ranging from 500KB to 50MB. The 15-minute limit seemed reasonable initially, but we didn’t account for users multitasking or network variability.

laura401 · December 27, 2024, 11:19am

15 minutes is quite short for file uploads, especially if users are uploading multiple files or dealing with slow connections. I’d recommend extending to at least 60 minutes for better upload reliability. The security risk is minimal since signed URLs are scoped to specific objects and operations. You could also implement resumable uploads for larger files, which would handle interruptions better than simple PUT requests.

master_solver · January 12, 2025, 12:49am

Another consideration: are you validating file uploads server-side after completion? If URLs expire during upload, you lose the file, but you also need to ensure the PO workflow knows about the failure. Implement webhook callbacks or polling to confirm successful uploads, so your ERP can retry or alert users about missing attachments before the PO is submitted for approval.

Topic		Replies	Views
Cloud Storage signed URL expiry breaks ERP invoice attachments for external customers Google Cloud Platform (GCP) question , compute , storage , erp-integration , gcp-2019 , cloud-storage , signed-urls , url-expiry , customer-access	7	0	July 5, 2025
Pre-signed URL for object storage API expires prematurely during large file uploads Oracle Cloud question , storage , rest-api , object-storage , oci-2019 , multipart-upload , large-files , presigned-url	6	0	July 31, 2025
Audit workflow evidence attachments fail to sync with document control - payload size limit ETQ Reliance question , audit-mgmt , workflow-process , rest-api , document-control , etq-2022 , multipart , file-upload , payload-limit	4	0	March 20, 2025
Cloud Storage REST API upload fails for large files with timeout errors Google Cloud Platform (GCP) question , storage , timeout , rest-api , backup , gcp-2021 , file-upload , cloud-storage , apis	6	0	November 11, 2025
Object Storage performance tuning for ERP large file transfers: multipart upload, throughput, and cost IBM Cloud discussion , storage , networking , throughput , object-storage , ic-2021 , performance-tuning , multipart-upload , file-transfer	7	1	July 2, 2025
Automated invoice processing using Cloud Storage API for ERP document ingestion and workflow acceleration Google Cloud Platform (GCP) use-case , storage , erp-integration , event-driven , gcp-2019 , workflow-automation , cloud-functions , apis , cloud-storage-api	5	0	May 27, 2025
Automated ERP document archival pipeline using Azure Blob Storage lifecycle policies and event-driven processing Microsoft Azure use-case , automation , compliance , database , erp-integration , cost-optimization , retention-policy , lifecycle-management , azure-blob-storage	4	1	November 24, 2025
Vendor invoice attachment upload API fails for large files in accounts payable module Microsoft Dynamics 365 question , api-development , timeout , rest-api , acct-payable , file-upload , d365-10-0-38 , payload-too-large , chunked-upload	3	0	July 19, 2025
Supplier portal mobile app fails to upload large attachments over 10MB Blue Yonder Luminate question , supplier-collab , rest-api , timeout-error , supplier-portal , file-upload , mobile-development , by-2023-1 , http	7	0	January 11, 2025

Cloud Storage signed URL expiry blocking ERP file uploads for purchase orders

Related topics