CODEWITHSUNDEEP
pythonamazon-s3boto3
morganics
morganics

Reputation: 1249

boto3: generate_presigned_url expiring prematurely

I'm using the following code to generate a signed URL:

client.generate_presigned_url('get_object',
    {'Bucket': client.bucket, 'Key': s3_filename}, ExpiresIn=expiry_seconds, HttpMethod='GET')

This generates a URL that looks something like this:

https://[bucket_name].s3.amazonaws.com/[path]?AWSAccessKeyId=[access-key-id]&Signature=[signature]&Expires=1478646479&x-amz-security-token=[long_token_string]

The 'Expires' timestamp is 4 days in the future (at the time of writing) and yet when clicking on the link, I get the 'Token has expired' XML response. The link does work for a few hours after generation.

Is there anything else that I should be looking at?

Thanks.

Upvotes: 3

Views: 4700

Answers (2)

ICeZer0
ICeZer0

Reputation: 588

If you created a presigned URL using a temporary token, then the URL expires when the token expires. To have a URL valid for up to seven days you need to assign IAM user credentials. Signature Version 4 is a requirement for this to work.

Here is what this looks like in boto3.

import boto3
from botocore.client import Config

s3 = boto3.client('s3',
    config=Config(signature_version='s3v4'),
    region_name = 'us-east-1',
    aws_access_key_id = ‘THE_ID’,
    aws_secret_access_key = ‘THE_KEY’
 )
 response = s3.generate_presigned_url('get_object',
                                     Params={'Bucket': bucket_name,
                                             'Key': ‘key_name’
                                            },
                                     ExpiresIn=expiration
                                    )

Upvotes: 3

John Rotenstein
John Rotenstein

Reputation: 270184

The expiry time of 1478646479 equates to 2016-11-08T23:07:59+00:00, which is in the future, so the expiry time being generated appears correct. (If the clock was wrong on the computer generating the link, this might have been wrong.)

The next thing to check are the permissions associated with the entity (identified by the AWSAccessKeyId) that created the pre-signed URL. In effect, the URL is using the permissions of that entity (eg IAM User, IAM Role, STS credentials) to grant time-limited access to an object. If that entity no longer has permission to access the object, then the pre-signed URL will no longer function.

You can perform tests on pre-signed URLs by using the aws s3 presign command in the AWS Command-Line Interface (CLI).

Upvotes: 3

Related Questions