By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

S3 Presigned URL is valid for 7 days, but the role it's associated with is only 12 hours. Is it possible to make it last the actual stated 7days?

0

Despite creating a pre-signed URL valid for 7 days, it will never last for more than 12 hours because the role token expires. This seems to be a problem a lot of people experience.

Am I missing something? What's the point of having a 7-day expiry on the pre-signed URL?

Topics
StorageSecurity, Identity, & Compliance
Tags
Amazon Simple Storage ServiceAWS IAM Identity Centerpresigned URL
Language
English
asked a year ago1.4K views
1 Answer
3

This is covered in the documentation:

To create a presigned URL that's valid for up to 7 days, first delegate IAM user credentials (the access key and secret key) to the method you're using to create the presigned URL.

If you are going to create an IAM user with long-lived credentials I'd strongly recommend storing those credentials somewhere that you can limit access to (Secrets Manager or Parameter Store are a good start); and scope the credentials down so that they can only perform the S3 operation(s) that the presigned URL will be created for.

AWS
EXPERT
answered a year ago
EXPERT
reviewed a year ago
EXPERT
reviewed a year ago
AWS
EXPERT
reviewed a year ago
EXPERT
reviewed a year ago
  • Patryk
    a year ago

    So an IAM user is the only way to go about this? Otherwise it's limited to 12 hours?

  • Brettski-AWS EXPERT
    a year ago

    Yes, or whatever shorter time the generating credentials are scoped to.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content