I created a presigned URL for an Amazon Simple Storage Service (Amazon S3) bucket using a temporary token, but the URL expired before the expiration time that I specified. Why did this happen? How can I create a presigned URL that's valid for a longer time?

If you created a presigned URL using a temporary token, then the URL expires when the token expires, even if the URL was created with a later expiration time.

The credentials that you can use to create a presigned URL include:

  • AWS Identity and Access Management (IAM) instance profile: Valid up to 6 hours
  • AWS Security Token Service (STS): Valid up to 36 hours when signed with permanent credentials, such as the credentials of the AWS account root user or an IAM user
  • IAM user: Valid up to 7 days when using AWS Signature Version 4

To create a presigned URL that's valid for up to 7 days, first designate IAM user credentials (the access key and secret access key) to the SDK that you're using. Then, generate a presigned URL using AWS Signature Version 4.

For example, follow these steps to create a presigned URL using Boto 3:

1.    Configure your IAM user credentials for use with Boto.

2.    Edit and run the following code snippet to create a presigned URL to use with an S3 object:

import boto3
from botocore.client import Config

# Get the service client with sigv4 configured
s3 = boto3.client('s3', config=Config(signature_version='s3v4'))

# Generate the URL to get 'key-name' from 'bucket-name'
# URL expires in 604800 seconds (seven days)
url = s3.generate_presigned_url(
        'Bucket': 'bucket-name',
        'Key': 'key-name'


Warning: The presigned URL expires prematurely if the IAM user is deleted, or if the access key and secret access key are deactivated.

Did this page help you? Yes | No

Back to the AWS Support Knowledge Center

Need help? Visit the AWS Support Center

Published: 2018-08-06