Why is my presigned URL for an Amazon S3 bucket expiring before the expiration time that I specified?

Resolution

If you created a presigned URL using a temporary token, then the URL expires when the token expires. The URL expires even if the URL was created with a later expiration time.

The credentials that you can use to create a presigned URL include:

• AWS Identity and Access Management (IAM) instance profile: Valid up to six hours.
• AWS Security Token Service (STS): Valid up to 36 hours when signed by an AWS Identity and Access Management (IAM) user, or valid up to one hour when signed by the root user.
• IAM user: Valid up to seven days when using AWS Signature Version 4.

To create a presigned URL that's valid up to seven days, designate IAM user credentials (the access key and secret access key) to your SDK. Then, generate a presigned URL using AWS Signature Version 4. For examples, see Signature calculations in AWS Signature Version 4.

When creating a presigned URL, keep the following points in mind:

• Services that assume a role, such as the AWS Lambda execution role, don't necessarily comply with the role's session duration settings.
• Because presigned URLs grant Amazon S3 bucket access to whoever has the URL, it's a best practice to protect them appropriately.
• If you created a presigned URL using a temporary token, then the URL expires when the token expires. This is true even if the URL was created with a later expiration time.

To allow users access to the objects in your Amazon S3 bucket for longer than seven days, consider using one of these options:

• Amazon CloudFront signed URLs and cookies
• Amazon CloudFront origin access identity (OAI)
• Web identity federation with Amazon Cognito

Related information

Sharing objects using presigned URLs

GetSessionToken

Retrieve security credentials from instance metadata

Authenticating requests: Using query parameters (AWS Signature Version 4)

Boto 3 Docs: S3