What will be the expiry limit for signed URLs generated using lambdas?

Question

I have setup a new lambda function to generate signed URLs for the objects in a private bucket

The URL generation works fine and the generated URL is also accessible. However I am not sure about the exact duration of the URL's expiry

The execution role associated with the lambda function is currently being used to generate the URL and it has `s3:GetObject` action included in the policy statement and the execution role has a maximum session duration of 1 Hour. I have set the expiry duration to `7 days` within the function's code

I am a bit confused here on which duration will take effect for the signed URL. Whether it will be the provided duration of `7 days` or the shot-lived session duration of the lambda execution role?

Answer

It will be 1 hour when using temporary credentials such as the role of the lambda function. It’s recommended if you need up to 7 days is to create an IAM user and have your lambda function use IAM keys under the user to create a pre signed url. 
If you want to set the duration up to a maximum of 7 days.

I think it’s a poor design but the only way it works.

What will be the expiry limit for signed URLs generated using lambdas?

관련 콘텐츠