Re: How long does the X-Amz-Security-Token last?

Found this content helpful? Log in or sign up to leave a like!

I was testing getting wiki_pages - which gave me 8 part URLs.

I was successful getting the files initially, but then when I retried the same URL later, I got an ExpiredToken. How long does the X-Amz-Security-Token last?

<Error>
<Code>ExpiredToken</Code>
<Message>The provided token has expired.</Message>
:

10 Replies

Author

I think it failed after 10 minutes.

When you first obtain the token, it has an "expires_in" attribute (in seconds) which tells you how long the token is good for. Currently it is an hour typically get 3599 as the response).

Author

There are two tokens. I agree the access_token you get initially has the expires_in: 3599.

This is some other token that doesn't appear until you do get the request object URLs.

The X-Amz-Security-Token != access_token.

X-Amz-Security-Token

The temporary security token that was obtained through a call to AWS Security Token Service (AWS STS).

Author

Updated:

* the URL includes X-Amz-Expires=3599

* from anectdotal experience, it seems to expire in 15 minutes. ( i kept pulling the same URL in one minute intervals)

I found a note on https://github.com/kubernetes-sigs/aws-iam-authenticator/blob/master/pkg/token/token.go

// The actual token expiration (presigned STS urls are valid for 15 minutes after timestamp in x-amz-date).

Author

Can anyone on the Instructure-side comment on the expiration of the X-Amz-Security-Token?

The API docs also indicate that object URLs are good for 15 minutes, though the wording could be a little clearer:

"In contrast to objects, which have a longer lifetime, pre-signed URLs are valid for a shorter duration, typically 15 minutes."

(I think the word "typically" could be removed from that sentence.)

--Colin

Author

which means the X-Amz-Expires=3599 is useless too.

Author

Is there any reason we can't have pre-signed URLs last 1 hour?

I would definitely not want that; these files contain very sensitive data and the longer the URLs are valid the larger the window is that an attacker could compromise them. We've had no trouble fetching the files before the URLs expire (and I'm fairly certain that you only need to begin the download before the token expires; I don't think it will cut off an in-progress download).

Are you having trouble fetching files before the URLs expire?

--Colin

Author

We did because the data folk were downloading them one at an time and by the time the got to the last parts it had timed out. That’s why I started investigating.

How long does the X-Amz-Security-Token last?

cd2

url

Data Services sends incorrect Content-Type when re...

duplicates in Catalog enrollment table snapshot

Historical data of assessment decision when using ...

Roll Call Attendance / Grades Alert

CD2 - how to identify which users / sections have ...

Minimum roles/permissions required for DAP automat...

Page view vs Participation

Interactions Over Time Admin Analytics Report

Canvas Data 2 Documentation Down?

CD2: Microsoft Sync State (for MS Teams)

You're signed out

How long does the X-Amz-Security-Token last?

Community Help

View our top guides and resources: