user1974753

Reputation: 1457

AWS S3 pre-signed URL always expiring at the same time?

I generate a pre-signed URL to access objects in S3. This URL is set to expire after 1 hour. It has been working fine for months, but has all of a sudden stopped working. For every URL I create, the expiry for that request is always the same time, see:

<Error>
<Code>AccessDenied</Code>
<Message>Request has expired</Message>
<X-Amz-Expires>3599</X-Amz-Expires>
<Expires>2018-05-27T22:56:29Z</Expires>
<ServerTime>2018-05-28T00:20:17Z</ServerTime>
<RequestId>xxx</RequestId>
<HostId>yyy</HostId>
</Error>

Any help would be great! Thanks!

Upvotes: 0

Views: 2902

Answers (2)

Michael - sqlbot

Reputation: 178966

Signed URLs created with Signature V4 do not expire at the time you generate them plus the expiration. They expire at the time your code claims they were generated, which you can find in the X-Amz-Date field in the URL.

Compare this value to the current time in UTC.

This error suggests the clock on the server generating them is wrong, or, if the clock on that server is not set to UTC, then the time zone on the system clock may be wrong.

Upvotes: 3
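
The comparison described in the answer above, as an added example that is not part of the original answer: it reads `X-Amz-Date` and `X-Amz-Expires` from a Signature V4 pre-signed URL, computes the expiry window, and compares the claimed signing time with a trusted UTC clock. The sample URL is constructed to match the error response in the question (bucket, key, credential and signature are placeholders), and the function names and the 5-second skew threshold are assumptions; the skew figure is only meaningful when the URL is checked right after it was generated.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

# Constructed sample: X-Amz-Date chosen so that date + 3599 s equals the
# <Expires> value in the question's error. All other values are placeholders.
SAMPLE_URL = (
    "https://example-bucket.s3.amazonaws.com/report.pdf"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAEXAMPLE%2F20180527%2Fus-east-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20180527T215630Z"
    "&X-Amz-Expires=3599"
    "&X-Amz-SignedHeaders=host"
    "&X-Amz-Signature=0000placeholder"
)


def presign_window(url):
    """Return (signed_at, expires_at) as UTC datetimes from a SigV4 pre-signed URL."""
    q = {k.lower(): v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    try:
        signed_at = datetime.strptime(q["x-amz-date"], "%Y%m%dT%H%M%SZ")
        signed_at = signed_at.replace(tzinfo=timezone.utc)
        lifetime = int(q["x-amz-expires"])
    except (KeyError, ValueError) as exc:
        raise ValueError("missing or malformed SigV4 field: %s" % exc)
    return signed_at, signed_at + timedelta(seconds=lifetime)


def check_url(url, now=None, max_skew=timedelta(seconds=5)):
    """Compare a freshly generated URL's claimed signing time with trusted UTC."""
    now = now or datetime.now(timezone.utc)
    signed_at, expires_at = presign_window(url)
    skew = now - signed_at  # positive: the signing host's clock is behind
    return {
        "signed_at": signed_at,
        "expires_at": expires_at,
        "expired": now >= expires_at,
        "remaining_seconds": int((expires_at - now).total_seconds()),
        "signer_clock_skew_seconds": int(skew.total_seconds()),
        "clock_suspect": abs(skew) > max_skew,
    }
```

Calling `check_url()` on a URL immediately after generating it, from a host whose clock is known to be synchronised, shows whether the signing host's clock or time zone is off.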

John Rotenstein

Reputation: 269111

A pre-signed URL inherits its permissions from the Access Key used to build the URL.

For example, let's say I have IAM User credentials. The IAM User has an Access Key and Secret Key. I can use those credentials to generate a pre-signed URL.

The pre-signed URL basically says that this particular user is authorizing access to a specific object for a limited period of time.

However, if my authority to access that object is removed, then I cannot generate a pre-signed URL to access the object. (It is merely a time-limited sub-allocation of my permissions.)

Given that your code used to work reliably but now does not, I suggest you should investigate the permissions associated with the credentials used to generate the pre-signed URL.

Upvotes: 1
