Why is my presigned URL for an Amazon S3 bucket expiring before the expiration time that I specified?

Last updated: 2020-12-18

I created a presigned URL for an Amazon Simple Storage Service (Amazon S3) bucket using a temporary token, but the URL expired before the expiration time that I specified. Why did this happen? How can I create a presigned URL that's valid for a longer time?

Resolution

If you created a presigned URL using a temporary token, then the URL expires when the token expires, even if the URL was created with a later expiration time.

The credentials that you can use to create a presigned URL include:

  • AWS Identity and Access Management (IAM) instance profile: Valid up to six hours
  • AWS Security Token Service (STS): Valid up to 36 hours when signed with permanent credentials, such as the credentials of the AWS account root user or an IAM user
  • IAM user: Valid up to seven days when using AWS Signature Version 4

To create a presigned URL that's valid for up to seven days, first designate IAM user credentials (the access key and secret access key) to the SDK that you're using. Then, generate a presigned URL using AWS Signature Version 4. For examples, see Signature Calculations in AWS Signature Version 4.