Reputation: 361
AWS S3 signed url - X-Amz-Security-Token expires too early
I am in this situation where I need to have a pre-signed url to live for around a month. And since the signature v4 isn't able to deliver this, I've decided to use the V2 for now.
I have set the expiraten to one month but for some reason it expires after 1 day? (don't know the exact time it expires could be within the same day)
<Code>ExpiredToken</Code>
<Message>The provided token has expired.</Message>
And as I digged further into this, It looked like the issue could be with the X-Amz-Security-Token which expires too early. But I've no idea how to set a value to this header? (couldnt find anything about it)
Setup: Its a lambda function which generates a signed url to fetch a file from the S3. Everything is done through cloudformation. And done with the JavaScript SDK
const s3 = new AWS.S3({
signatureVersion: 'v2',
region: 'eu-west-1'
});
const bucketParam = {
Bucket: 'test-bucket',
Key: 'testFile-1111-2222',
Expires: 2592000
};
Any help would be appreciated
Upvotes: 6
Views: 10346
Answers (2)
Reputation: 1516
The policy "expiration" field cannot be more than 7 days beyond the "x-amz-date" field.
I found no way around this. This seems broken or at least poorly documented. The workaround seems to be to set "x-amz-date" in the future. While not intuitive this seems to be allowed, which enables you to set the expiration further in the future.
Upvotes: 1
Reputation: 887
I believe the IAM role used by Lambda is using temporary credentials, which expire before the link. According to AWS, you need to generate the presigned URL with an IAM user and signatureVersion = 4 for the link to expire after 7 days:
To create a presigned URL that's valid for up to 7 days, first designate IAM user credentials (the access key and secret access key) to the SDK that you're using. Then, generate a presigned URL using AWS Signature Version 4.
See Why is my presigned URL for an Amazon S3 bucket expiring before the expiration time that I specified? for more details
You should try creating an IAM user to generate those URLs, and actually use its credential and assume its role (using STS) in the Lambda function in order to generate the URL. And don't forget to use signatureVersion='s3v4'.
Hope this helps
Upvotes: 6
Related Questions
- AWS S3 pre signed URL without Expiry date
- AWS S3 signed url keep throwing token expiration while trying to retrieve object
- boto3 s3 generate_presigned_url ExpiresIn doesn't work as expected
- S3 Signed Url generated as IAM User don't expire in time
- expired s3 presigned url
- AWS S3 pre-signed URL expires due to short authentication token expiration on Amplify
- AWS S3 presigned URL contains X-Amz-Security-Token
- s3 SignedUrl x-amz-security-token
- S3 Signed Url's expiring before argument passed
- AWS S3 Presign Url always expiring at the same time?