user3000606

Reputation: 87

What is the longest expiration time for an Amazon S3 generated link?

I've tried to set the expiration date to the year 2100, but it says that it's invalid. Or is it possible to make it permanent somehow?

Upvotes: 5

Views: 9843

Answers (1)

Michael - sqlbot

Reputation: 179284

For URLs signed with S3 Signature Version 2, the time limit appears to be the end of the Unix epoch in 2038, but for Signature Version 4, the limit is 7 days, because the signing keys in V4, themselves, have a maximum validity of 7 days.

If you are unfamiliar with the difference between V2 and V4, an easy way to differentiate between them is that V2 URLs include &Expires= while V4 URLs use &X-Amz-Expires=.

Importantly, though, the signature using either algorithm is immediately invalidated if you deactivate the IAM user credentials (access key/secret) that were used to sign the URL... which you should at some point be planning to do, because rotation of credentials is considered a best practice (or, if not that, then because your credentials might one day be compromised, or be suspected of having been compromised).

So a signed URL for an S3 object should not be considered permanent.

If making the object public is not desired, then the next best approach is for your application (or any kind of HTTP endpoint that you control) to validate the user's permission to download the object (perhaps based on your application's cookies), and then generate a short-lived signed URL and return a redirect. The browser should immediately follow it and fetch the object, but not cache the redirect, since you've indicated that the original URL should be used for subsequent requests, with the 302 response code.

The notable headers in the HTTP response from your application would look something like this:

HTTP/1.1 302 Found
Location: https://...generated-signed-url-here...

Upvotes: 19
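
Added example (not part of the answer above): a Python sketch that tells V2 from V4 presigned URLs by the query parameters the answer names and computes when each one stops working, so that long-lived links sitting in logs or stored records can be found and reissued. The sample URLs, bucket name, key ID and signatures are constructed placeholders; reading the V4 signing time from X-Amz-Date is an assumption beyond what the answer shows.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

V4_MAX_SECONDS = 7 * 24 * 3600  # the 7-day Signature Version 4 limit

# Constructed sample URLs (placeholder bucket, key ID and signatures).
SAMPLE_V2 = (
    "https://example-bucket.s3.amazonaws.com/report.pdf"
    "?AWSAccessKeyId=AKIAEXAMPLE&Expires=2147483647&Signature=placeholder"
)
SAMPLE_V4 = (
    "https://example-bucket.s3.amazonaws.com/report.pdf"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAEXAMPLE%2F20240101%2Fus-east-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20240101T000000Z&X-Amz-Expires=900"
    "&X-Amz-SignedHeaders=host&X-Amz-Signature=placeholder"
)


def presign_info(url):
    """Return (version, expires_at, over_v4_limit) for a presigned S3 URL."""
    q = parse_qs(urlsplit(url).query)
    if "X-Amz-Expires" in q and "X-Amz-Date" in q:
        # V4: lifetime in seconds, counted from the signing timestamp.
        signed_at = datetime.strptime(q["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
        signed_at = signed_at.replace(tzinfo=timezone.utc)
        lifetime = int(q["X-Amz-Expires"][0])
        expires_at = signed_at + timedelta(seconds=lifetime)
        return "v4", expires_at, lifetime > V4_MAX_SECONDS
    if "Expires" in q:
        # V2: absolute expiry as Unix epoch seconds.
        expires_at = datetime.fromtimestamp(int(q["Expires"][0]), timezone.utc)
        return "v2", expires_at, False
    return None, None, False  # not a presigned URL of either kind


def flag_long_lived(urls, max_remaining, now=None):
    """Return (version, url) for URLs still valid longer than max_remaining."""
    now = now or datetime.now(timezone.utc)
    flagged = []
    for url in urls:
        version, expires_at, _ = presign_info(url)
        if expires_at is not None and expires_at - now > max_remaining:
            flagged.append((version, url))
    return flagged
```

Neither function can tell whether the signing access key is still active, so a URL reported as unexpired may already be dead if the key was deactivated.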
