when I am using accesskey and secret key the Amazon S3 signed URL validation is working fine which is 7 days but with IAM role it is expiring soon

Question

Amazon S3 signed URL, when I am using accesskey and secret key the signed URL validation is working fine which is 7 days but with IAM role it is getting expired soon (within 1 day).

I am expecting the similar result with both accesskey and IAM role

Answer 1

An Amazon S3 pre-signed URL is just like a normal URL pointing to an object in Amazon S3, except that it has additional information appended:

• An Access Key to identify the credentials that are authorizing the access
• An expiry period after which the pre-signed URL will not work
• A Signature that validates the above information

The pre-signed URL will use the permissions of the credentials that were used to 'sign' the URL. Thus, if a user who does not have access to an object creates a pre-signed URL, then that pre-signed URL will not grant access.

Similarly, if the pre-signed URL is created by temporary credentials associated with an IAM Role, then the pre-signed URL will not work beyond the validity period of the IAM Role credentials. This is because those underlying credentials are no longer valid, so any pre-signed URLs created by those credentials will not be valid. The pre-signed URL is effectively saying "I am these credentials and I permit access", but if the credentials don't have access then the object can't have access.

Therefore, your options are:

• When Assuming the IAM Role, request a longer validity period. You can specify a DurationSeconds of up to 12 hours. This is, however, less than the 7 days you wanted.
• When generating the pre-signed URL, use permanent credentials that are therefore valid for the desired pre-signed URL expiry period.