Generate S3 presigned URL using lambda function for 7 days validity

Question

We have a lambda function with an execution role which has s3 access. Maximum session duration we kept with default option of 1 hour for the role. When creating a s3 pre signed URL using this lambda function its observed that its valid for limited time only (less than 7 days). Sample code used from https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/S3.html#getSignedUrl-property

Error observed is expired token issue. We want it to be valid for 7 days. Is it possible to create s3 presigned URL from lambda function with nodejs?

Answer 1

A pre-signed URL is simply a 'normal' URL, with the addition of an Access Key and a Signature .

Amazon S3 will attempt to retrieve the object using the permissions associated with the provided Access Key . It verifies that the Signature matches both the request and the Secret Key associated with the Access Key.

This means that a pre-signed URL only has the same permissions as the underlying Access Key . If the Access Key only has a validity period of 1 hour, then the pre-signed URL will only work for 1 hour (since it is effectively using that Access Key).

To create a long-lived pre-signed URL, you will need to use equally long-lived credentials to generate the pre-signed URL.

By the way, it should be quite rare to need a pre-signed URL that is valid for a long period . A pre-signed URL should be generated as close as possible to when it will actually be used. For example, imagine a Dropbox-like service where a user is shown a list of files and they can click the filename to view the file. This page can be generated with pre-signed URLs as the links, each with a validity of perhaps 5-10 minutes. If the user refreshes the page, then new pre-signed URLs will be generated. There should be very little need to have pre-signed URLs valid for 7 days.