Seitekful

Reputation: 43

S3 Signed Url generated as IAM User don't expire in time

I have a very odd problem that I tried to fix for days with no luck. So I want to provide links to download s3 files to ANY person who clicks the link. I use a Node.js lambda function to generate the code. Here is the code:

const AWS = require('aws-sdk');

exports.handler = async(event) => {
    
    AWS.config.update({
      accessKeyId: process.env.accessKeyId,
      secretAccessKey: process.env.secretAccessKey,
      region: 'eu-central-1',
      signatureVersion: 's3v4'
    });

    const s3 = new AWS.S3();

    console.log(AWS.config);
    
    const s3Bucket = event.s3Bucket;
    const s3Key = event.s3Key;
    const downloadName = encodeURI(event.downloadName);
    const expireSeconds = event.expireSeconds;

    const url = s3.getSignedUrl('getObject', {
        Bucket: s3Bucket,
        Key: s3Key,
        Expires: parseInt(expireSeconds, 10), // lifetime of the link in seconds
        ResponseContentDisposition: `attachment; filename="${downloadName}"`,
    });

    console.log("Generated downloadLink: " + url);
    return {
        statusCode: 200,
        body: JSON.stringify("Success"),
        downloadLink: url
    };
};

Now here is the strangeness:

So it seems there is a problem with the credentials and/or AWS SDK config. I log AWS.config after updating with the IAM credentials and it shows the correct accessKeyID. The generated link however shows something else in X-Amz-Credential (not sure if it is supposed to show the IAM key). The IAM User shows "Last Activity: Never" in the IAM dashboard (even though the AWS.config logs its key?).

Does anybody have the slightest idea how to fix or debug this?

Upvotes: 1

Views: 1522

Answers (1)

Seitekful

Reputation: 43

Ok I found the solution just after posting... First I made sure that const s3 = new AWS.S3() is set after the AWS.config.update (I have updated the code above). Secondly I have to use a private tab to test the links. Otherwise they will work even if expired.

Hope this helps others on their journey.

Upvotes: 1
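
One way to check which credential actually signed a link and when it expires, without relying on what the browser shows (an added example, not code from the question or the answer). `inspectPresignedUrl` and the sample link are constructed for illustration; the `AKIA`/`ASIA` check assumes AWS's usual access key ID prefixes for long-term IAM user keys and temporary STS keys.

```javascript
// Added example: read the SigV4 query parameters of a presigned S3 URL.
function inspectPresignedUrl(link, now = new Date()) {
  const q = new URL(link).searchParams; // values are percent-decoded here
  const credential = q.get('X-Amz-Credential');
  const amzDate = q.get('X-Amz-Date');
  const expires = q.get('X-Amz-Expires');
  if (!credential || !amzDate || !expires) {
    throw new Error('not a SigV4 presigned URL (X-Amz-* parameters missing)');
  }
  // Credential scope: <access key id>/<yyyymmdd>/<region>/<service>/aws4_request
  const [accessKeyId, , region, service] = credential.split('/');
  // X-Amz-Date is ISO 8601 basic format in UTC, e.g. 20240101T120000Z
  const m = /^(\d{4})(\d{2})(\d{2})T(\d{2})(\d{2})(\d{2})Z$/.exec(amzDate);
  if (!m) throw new Error('unexpected X-Amz-Date: ' + amzDate);
  const signedAt = new Date(Date.UTC(+m[1], m[2] - 1, +m[3], +m[4], +m[5], +m[6]));
  const expiresAt = new Date(signedAt.getTime() + parseInt(expires, 10) * 1000);
  const prefix = accessKeyId.slice(0, 4);
  return {
    accessKeyId,
    region,
    service,
    // Assumption: AKIA = long-term IAM user key, ASIA = temporary STS key.
    keyType: prefix === 'AKIA' ? 'long-term IAM user key'
      : prefix === 'ASIA' ? 'temporary STS credentials'
      : 'unknown',
    hasSessionToken: q.has('X-Amz-Security-Token'),
    signedAt: signedAt.toISOString(),
    expiresAt: expiresAt.toISOString(),
    expired: now >= expiresAt,
  };
}

// Constructed sample link: fake key id, bucket, token and signature.
const sampleLink = 'https://example-bucket.s3.eu-central-1.amazonaws.com/report.pdf'
  + '?X-Amz-Algorithm=AWS4-HMAC-SHA256'
  + '&X-Amz-Credential=ASIAEXAMPLEKEYID0000%2F20240101%2Feu-central-1%2Fs3%2Faws4_request'
  + '&X-Amz-Date=20240101T120000Z&X-Amz-Expires=300'
  + '&X-Amz-Security-Token=EXAMPLETOKEN&X-Amz-SignedHeaders=host'
  + '&X-Amz-Signature=0000';

console.log(inspectPresignedUrl(sampleLink, new Date('2024-01-01T12:10:00Z')));
```

If `accessKeyId` is not the key passed to `AWS.config.update`, the S3 client was created with other credentials, which matches the ordering fix described in the answer.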
