S3: ExpiredToken error for S3 pre-signed url within expiry period

Question

This is how I am generating pre-signed url for an S3 object from my python script.

s3client = boto3.client("s3")
url = s3client.generate_presigned_url("get_object", Params={"Bucket": args.bucket, "Key": dated_filename}, ExpiresIn=86400)

where I am giving an expiry of 24 hours.

When I try to download the file immediately using the url from a browser, it works. But it doesn't work if I try to download it, say after 10-12 hours (I don't know the exact time after which it starts failing).

This is the error I am getting.

<Code>ExpiredToken</Code>
<Message>The provided token has expired.</Message>

Not sure if it is a bug or I am not doing it the right way. Any help would be appreciated.

Answer 1

It is all about the AWS credentials that you are using see https://aws.amazon.com/premiumsupport/knowledge-center/presigned-url-s3-bucket-expiration/

Answer 2

Are you running under an IAM role? A presigned URL is only valid as long as the session key that was used when generating it. If you are authenticating as an IAM user with long-lived access keys, this is not a problem. But IAM roles use temporary access keys that cycle every 36 hours.

You know your session key has expired because you are getting the "The provided token has expired." error, which (as noted above) is a different error message than "Request has expired " which you get when the presigned URL reached its expiration date.

Also, presigned URLs have a hard limit of 7 days - but that doesn't seem to be your problem.