AWS S3 Failure to Retrieve Document Using PreSigned URL : Invalid date (should be seconds since epoch)

We uploaded a document to AWS S3 and generated a pre-signed URL using boto3 with an expiry time of 100 years.

The pre-signed URL we retrieved is http://my_document.s3.amazonaws.com/my_document.htm?Signature=AWS_GENERATED_SIGNATURE&Expires=4732867559&AWSAccessKeyId=MY_ACCESS_KEY

However, when we use the URL to access the document, we receive the following error:

<Error>
  <Code>AccessDenied</Code>
  <Message>Invalid date (should be seconds since epoch): 4732867559</Message>
  <RequestId>D7F5624326124615</RequestId>
  <HostId>AWS_HOST_ID</HostId>
</Error>

Why is AWS S3 refusing to open a document because of an expiry time value, which it itself allowed us to use to generate the pre-signed URL?

Has anybody here faced a similar issue while integrating with AWS S3 using boto3?

Why is AWS S3 refusing to open a document because of an expiry time value, which it itself allowed us to use to generate the pre-signed URL?

S3 didn't allow that. Signed URLs are generated locally, and S3 doesn't see them or know about them (or validate their authenticity or authorization to fetch the specified object) until you actually try to use them.

This is probably best characterized as a bug in boto3... Signature Version 2 expirations are tied to the Unix epoch, which ends 2038-01-19T03:14:08Z (the "Y2.038K bug"). It's unlikely to be fixed at this point since Signature V2 is deprecated.

Theoretically, you could V2-sign a URL that doesn't expire until mid-January, 2038, but this isn't viable, either, because signed URLs are (re)validated each time they are used. Best practice is to periodically rotate your keys, so the AWS Access Key ID you are using today should not still be valid in 100 years, or even in the 18 years between now and 2038. Once you deactivate those particular credentials, any URLs they signed will no longer be usable.

I am adding my experience here.

I also faced the same issue.

Case 1: If I generate a presigned URL with the request below and try to open it, I get an access denied and epoch error.

GetPreSignedUrlRequest request =
    new GetPreSignedUrlRequest {
        BucketName = bucketName,
        Key = objectKey.PrefixRootPathToKey(resourcePath),
        Verb = verb,
        Expires = DateTime.MaxValue
    };

response:

<Error>
  <Code>AccessDenied</Code>
  <Message>Invalid date (should be seconds since epoch): blah</Message>
  <RequestId>blah blah</RequestId>
  <HostId>blah blah</HostId>
</Error>

Case 2: If I generate a URL with a relatively smaller expiry, it works.

GetPreSignedUrlRequest request =
    new GetPreSignedUrlRequest {
        BucketName = bucketName,
        Key = objectKey.PrefixRootPathToKey(resourcePath),
        Verb = verb,
        Expires = DateTime.UtcNow.AddMinutes(15)
    };
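
A pre-flight check for the failure both answers describe, as an added example that is not part of either answer or of boto3: it parses a Signature V2 presigned URL locally and reports an `Expires` value that S3 would reject at request time. The function name and the `MAX_V2_EXPIRES` cutoff (the signed 32-bit epoch limit the first answer points to) are assumptions; the sample URLs are constructed from the one in the question.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# Assumption: the cutoff is the signed 32-bit epoch limit named in the first answer.
MAX_V2_EXPIRES = 2**31 - 1  # 2038-01-19T03:14:07Z


def check_v2_presigned_url(url, now=None):
    """Return a list of problems with a Signature V2 presigned URL's Expires value.

    An empty list means the expiry is a future epoch value below the 32-bit limit.
    Nothing is sent to S3; like signing itself, the check is purely local.
    """
    if now is None:
        now = datetime.now(timezone.utc).timestamp()
    now = int(now)
    query = parse_qs(urlsplit(url).query)
    if "X-Amz-Signature" in query:
        return ["not a Signature V2 URL (SigV4 query parameters present)"]
    if not all(k in query for k in ("Expires", "Signature", "AWSAccessKeyId")):
        return ["missing Signature V2 query parameters"]
    raw = query["Expires"][0]
    if not (raw.isascii() and raw.isdigit()):
        return [f"Expires is not an integer epoch value: {raw!r}"]
    expires = int(raw)
    if expires > MAX_V2_EXPIRES:
        return [f"Expires {expires} is past the 32-bit epoch limit "
                f"{MAX_V2_EXPIRES}; S3 answers AccessDenied / Invalid date"]
    if expires <= now:
        return [f"Expires {expires} is already expired (now={now})"]
    return []


# Constructed sample URLs (placeholder signature and key id, as in the question).
BASE = "http://my_document.s3.amazonaws.com/my_document.htm"
TAIL = "Signature=AWS_GENERATED_SIGNATURE&AWSAccessKeyId=MY_ACCESS_KEY"
URL_100_YEARS = f"{BASE}?{TAIL}&Expires=4732867559"   # value from the question
URL_15_MINUTES = f"{BASE}?{TAIL}&Expires=1700000900"  # constructed, short-lived

if __name__ == "__main__":
    for sample in (URL_100_YEARS, URL_15_MINUTES):
        print(sample)
        print("  ", check_v2_presigned_url(sample, now=1_700_000_000) or "ok")
```
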
