0 votes

I'm working with some cached Pre-Signed URLs for S3 downloads, pretty simple. We have many URLs for each asset and many assets for each request, so to avoid generating so many new Pre-Signed URLs per request we save the Pre-Signed URLs while the expiration is still far away. It works fine most of the time, but from time to time we receive a 400 Bad Request with a "Token expired" error message.

From what I learned:

  • S3 Pre-Signed URLs also carry the accessKeyId, which is the authentication of the signer.
  • The signer key also has its own expiration time.
  • The Pre-Signed URL can be rejected if the signer key has expired, even if the expiration of the URL itself has not been reached.

So the question I have is: how can I check the expiration time of an accessKeyId, since my server may already have refreshed its own key (and add to this the uncertainty of whether different server instances have different keys or not) and I no longer have access to AWS.config.credentials.expirationTime?

1 AWS Access Keys don't expire - but they can be revoked. - John Hanley

1 Answer

1 vote

Unfortunately, I think you're out of luck when looking at the URL itself. I'm sure it's embedded in the x_amz_security_token, but the format of that token is not published (although if you Base64-decode it you'll see some interesting bits of readable text and a lot of binary data).

Instead, I recommend that you ensure that the expiration date for the signed URL is the same as the expiration date of the session that signs it.

The way that you do that is to assume a role on the server, and use the credentials from that role assignment to create the signed URL.

This assumed role just needs to have s3:PutObject permission on the bucket where the upload will go. The assumed role session will have whatever duration you request, starting from the time that you assume the role (unlike your Lambda/EC2 instance/whatever, which only regenerates credentials when they expire).