Extend s3 pre-signed url expiry


I have a lambda that generates the S3 presigned download URL and send back the presigned URL. These presigned URLs expire after 12 hours, assuming this is due to the expiry of temporary authenticaton tokens (I have set presign expiry to 7 days). Wondering how I can increase this 12 hours to 24 hours. Ref - https://repost.aws/knowledge-center/presigned-url-s3-bucket-expiration

This is how I'm creating the s3 client in go.

    awsSession := session.Must(
                Config:             aws.Config{Region: aws.String("us-west-2")},
                AssumeRoleDuration: sessionExpiry,
    return &s3Client{
        client: s3.New(awsSession),
2 Answers

The presigned URL uses the permissions granted by the credentials that is was created with. So if those credentials expire in (say) two hours and your pre-signed URL is set to 7 days the pre-signed URL will not work after two hours because the credentials have expired.

In this case you will need to have a set of credentials that expire after your pre-signed URL does. One way to do this is to create an IAM user that only has the S3 permissions that you require; store those credentials in ParameterStore; ensure that only the Lambda function can access the credentials; and then use those credentials in your Lambda function to generate the pre-signed URL.

profile picture
answered 14 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions