Why is my presigned URL for an Amazon S3 bucket expiring before the expiration time that I specified?

Last updated: 2021-09-16

I created a presigned URL for an Amazon Simple Storage Service (Amazon S3) bucket using a temporary token. However, the URL expired before the expiration time that I specified. Why did this happen? How can I create a presigned URL that's valid for a longer time?

Resolution

If you created a presigned URL using a temporary token, then the URL expires when the token expires. The URL expires even if the URL was created with a later expiration time.

The credentials that you can use to create a presigned URL include:

  • AWS Identity and Access Management (IAM) instance profile: Valid up to six hours.
  • AWS Security Token Service (STS): Valid up to 36 hours when signed by an IAM user, or valid up to one hour when signed by the root user.
  • IAM user: Valid up to seven days when using AWS Signature Version 4.

To create a presigned URL that's valid up to seven days, designate IAM user credentials (the access key and secret access key) to your SDK. Then, generate a presigned URL using AWS Signature Version 4. For examples, see Signature calculations in AWS Signature Version 4.

To allow users access to the objects in your Amazon S3 bucket for longer than seven days, then consider using one of these options: