
Amazon S3 signed URL: when I am using an access key and secret key, the signed URL validation works fine (7 days), but with an IAM role it expires soon (within 1 day).

I am expecting a similar result with both the access key and the IAM role.

greybeard
Ankit Rai

1 Answer

An Amazon S3 pre-signed URL is just like a normal URL pointing to an object in Amazon S3, except that it has additional information appended:

  • An Access Key to identify the credentials that are authorizing the access
  • An expiry period after which the pre-signed URL will not work
  • A Signature that validates the above information

The pre-signed URL will use the permissions of the credentials that were used to 'sign' the URL. Thus, if a user who does not have access to an object creates a pre-signed URL, then that pre-signed URL will not grant access.

Similarly, if the pre-signed URL is created by temporary credentials associated with an IAM Role, then the pre-signed URL will not work beyond the validity period of the IAM Role credentials. This is because those underlying credentials are no longer valid, so any pre-signed URLs created by those credentials will not be valid. The pre-signed URL is effectively saying "I am these credentials and I permit access", but if the credentials don't have access then the object can't have access.

Therefore, your options are:

  • When Assuming the IAM Role, request a longer validity period. You can specify a DurationSeconds of up to 12 hours. This is, however, less than the 7 days you wanted.
  • When generating the pre-signed URL, use permanent credentials that are therefore valid for the desired pre-signed URL expiry period.
John Rotenstein
  • What if the access key I'm using to generate signed URLs has a policy attached to it preventing it from being used by certain IP addresses? Does this policy apply to the signed URLs as well? – Ankit Rai Jun 22 '23 at 08:33
  • Yes. When a pre-signed URL is being used, it is actually using the permissions of the credentials / Access Key that generated the pre-signed URL, as if those credentials were actually being used (because they are!). The "pre-signed" bit is simply a way of approving that specific call. – John Rotenstein Jun 22 '23 at 09:46
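The cap described in the answer can be checked before a URL is handed out. The following is an added example, not part of the original answer or any AWS code: it reads the SigV4 query parameters of a pre-signed URL and returns the time at which it will actually stop working. The sample URLs, bucket name, key IDs and token are constructed placeholders, and `credential_expiration` is assumed to be supplied by the caller (for instance the `Expiration` value returned when the role was assumed), since it is not carried in the URL.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

def presign_info(url):
    """Read the signer, signing time and requested lifetime from a SigV4 pre-signed URL."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    signed_at = datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    return {
        # X-Amz-Credential is "<access key id>/<date>/<region>/s3/aws4_request"
        "access_key_id": q["X-Amz-Credential"].split("/")[0],
        # Temporary (role/STS) credentials add a session token to the URL
        "temporary": "X-Amz-Security-Token" in q,
        "signed_at": signed_at,
        "url_expiry": signed_at + timedelta(seconds=int(q["X-Amz-Expires"])),
    }

def effective_expiry(url, credential_expiration=None):
    """Return when the URL really stops working: the earlier of the URL's own
    expiry and the expiry of the temporary credentials that signed it."""
    info = presign_info(url)
    if not info["temporary"]:
        return info["url_expiry"]
    if credential_expiration is None:
        raise ValueError("signed with temporary credentials: pass their expiration")
    return min(info["url_expiry"], credential_expiration)

# Constructed sample URLs (placeholder bucket, key IDs, token and signature).
BASE = ("https://example-bucket.s3.amazonaws.com/report.pdf"
        "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
        "&X-Amz-Credential={akid}%2F20230622%2Fus-east-1%2Fs3%2Faws4_request"
        "&X-Amz-Date=20230622T080000Z&X-Amz-Expires=604800"
        "&X-Amz-SignedHeaders=host&X-Amz-Signature=PLACEHOLDER")
PERMANENT_URL = BASE.format(akid="AKIAIOSFODNN7EXAMPLE")
ROLE_URL = BASE.format(akid="ASIAEXAMPLEKEYID0000") + "&X-Amz-Security-Token=EXAMPLETOKEN"

if __name__ == "__main__":
    # Role session assumed at signing time with a 12-hour duration (constructed value).
    session_end = datetime(2023, 6, 22, 20, 0, tzinfo=timezone.utc)
    print("permanent key:", effective_expiry(PERMANENT_URL))
    print("IAM role     :", effective_expiry(ROLE_URL, session_end))
```

Both URLs request the same 7-day lifetime, but only the one signed with permanent credentials keeps it; the role-signed URL ends with the session.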