Why is my presigned URL for an Amazon S3 bucket expiring before the expiration time that I specified?

Last updated: 2022-08-11

I created a presigned URL for an Amazon Simple Storage Service (Amazon S3) bucket using a temporary token. However, the URL expired before the expiration time that I specified. Why did this happen? How can I create a presigned URL that's valid for a longer time?

Resolution

If you created a presigned URL using a temporary token, then the URL expires when the token expires. The URL expires even if the URL was created with a later expiration time.

The credentials that you can use to create a presigned URL include:

  • AWS Identity and Access Management (IAM) instance profile: Valid up to six hours.
  • AWS Security Token Service (STS): Valid up to 36 hours when signed by an AWS Identity and Access Management (IAM) user, or valid up to one hour when signed by the root user.
  • IAM user: Valid up to seven days when using AWS Signature Version 4.

    To create a presigned URL that's valid up to seven days, provide IAM user credentials (the access key and secret access key) to your SDK. Then, generate a presigned URL using AWS Signature Version 4. For examples, see Signature calculations in AWS Signature Version 4.

    When creating a presigned URL, keep the following points in mind:

    • Services that assume a role, such as the AWS Lambda execution role, don't necessarily comply with the role's session duration settings.
    • Because presigned URLs grant Amazon S3 bucket access to whoever has the URL, it's a best practice to protect them appropriately.
    • If you created a presigned URL using a temporary token, then the URL expires when the token expires. This is true even if the URL was created with a later expiration time.
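
As an added example (not from the original article and not AWS code), this Python function reads the Signature Version 4 query parameters of a presigned URL and returns when it actually stops working: the earlier of the signed expiry and the temporary token's expiry. The sample URL, its token value, and the `credential_expiration` argument are constructed assumptions; the token's expiry is not stored in the URL, so the caller supplies it.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

MAX_SIGV4_EXPIRES = 7 * 24 * 3600  # seven-day ceiling for SigV4 presigned URLs

# Constructed sample: a URL signed with temporary credentials, asking for 24 hours.
SAMPLE_URL = (
    "https://example-bucket.s3.amazonaws.com/report.pdf"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=ASIAEXAMPLE%2F20220811%2Fus-east-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20220811T120000Z&X-Amz-Expires=86400"
    "&X-Amz-SignedHeaders=host&X-Amz-Security-Token=EXAMPLETOKEN"
    "&X-Amz-Signature=0000"
)
# Constructed sample: the session behind that token ends one hour after signing.
SAMPLE_TOKEN_EXPIRATION = datetime(2022, 8, 11, 13, 0, tzinfo=timezone.utc)


def effective_expiry(url, credential_expiration=None):
    """Return (signed_expiry, effective_expiry, uses_temporary_token).

    credential_expiration: timezone-aware expiry of the temporary credentials
    that signed the URL (hypothetical parameter; None for IAM user keys).
    """
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    signed_at = datetime.strptime(
        params["X-Amz-Date"], "%Y%m%dT%H%M%SZ"
    ).replace(tzinfo=timezone.utc)
    expires = int(params["X-Amz-Expires"])
    if not 1 <= expires <= MAX_SIGV4_EXPIRES:
        raise ValueError(f"X-Amz-Expires={expires} is outside 1..{MAX_SIGV4_EXPIRES}")
    signed_expiry = signed_at + timedelta(seconds=expires)

    # A security token in the query string means temporary credentials signed it.
    uses_token = "X-Amz-Security-Token" in params
    if not uses_token:
        return signed_expiry, signed_expiry, False
    if credential_expiration is None:
        raise ValueError("URL carries a security token; supply its expiration")
    # The URL stops working at whichever comes first.
    return signed_expiry, min(signed_expiry, credential_expiration), True


if __name__ == "__main__":
    signed, effective, temp = effective_expiry(SAMPLE_URL, SAMPLE_TOKEN_EXPIRATION)
    print(f"requested expiry: {signed.isoformat()}")
    print(f"effective expiry: {effective.isoformat()} (temporary token: {temp})")
```

For the constructed sample, the URL requests 24 hours but stops working after one hour, when the token expires.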

    To allow users access to the objects in your Amazon S3 bucket for longer than seven days, consider using one of these options: