S3 Presigned URL is valid for 7 days, but the role it's associated with is only 12 hours. Is it possible to make it last the actual stated 7days?

0

Despite creating a pre-signed URL valid for 7 days, it will never last for more than 12 hours because the role token expires. This seems to be a problem a lot of people experience.

Am I missing something? What's the point of having a 7-day expiry on the pre-signed URL?

1 Answer
3

This is covered in the documentation:

To create a presigned URL that's valid for up to 7 days, first delegate IAM user credentials (the access key and secret key) to the method you're using to create the presigned URL.

If you are going to create an IAM user with long-lived credentials I'd strongly recommend storing those credentials somewhere that you can limit access to (Secrets Manager or Parameter Store are a good start); and scope the credentials down so that they can only perform the S3 operation(s) that the presigned URL will be created for.

profile pictureAWS
EXPERT
answered a month ago
profile picture
EXPERT
reviewed a month ago
profile picture
EXPERT
reviewed a month ago
AWS
EXPERT
reviewed a month ago
profile picture
EXPERT
reviewed a month ago
  • So an IAM user is the only way to go about this? Otherwise it's limited to 12 hours?

  • Yes, or whatever shorter time the generating credentials are scoped to.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions