Storage.get() url expires earlier than established

[gzimbron]

Before opening, please confirm:

• I have searched for duplicate or closed issues and discussions.
• I have read the guide for submitting bug reports.
• I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.

JavaScript Framework

Not applicable

Amplify APIs

Storage

Amplify Categories

storage

Environment information

  System:
    OS: macOS 12.0.1
    CPU: (12) x64 Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz
    Memory: 158.28 MB / 16.00 GB
    Shell: 5.8 - /bin/zsh
  Binaries:
    Node: 14.18.1 - ~/.nvm/versions/node/v14.18.1/bin/node
    npm: 8.1.1 - ~/.nvm/versions/node/v14.18.1/bin/npm
    Watchman: 4.9.0 - /usr/local/bin/watchman
  Browsers:
    Chrome: 96.0.4664.93
    Safari: 15.1
  npmPackages:
    @sveltejs/adapter-static: ^1.0.0-next.21 => 1.0.0-next.21 
    @sveltejs/kit: v1.0.0-next.201 => 1.0.0-next.201 
    aws-amplify: ^4.3.8 => 4.3.8 
    axios: ^0.24.0 => 0.24.0 (0.21.4)
    firebase: ^9.5.0 => 9.5.0 
    firebase/analytics:  undefined ()
    firebase/app:  undefined ()
    firebase/app-check:  undefined ()
    firebase/auth:  undefined ()
    firebase/auth/cordova:  undefined ()
    firebase/auth/react-native:  undefined ()
    firebase/compat:  undefined ()
    firebase/compat/analytics:  undefined ()
    firebase/compat/app:  undefined ()
    firebase/compat/app-check:  undefined ()
    firebase/compat/auth:  undefined ()
    firebase/compat/database:  undefined ()
    firebase/compat/firestore:  undefined ()
    firebase/compat/functions:  undefined ()
    firebase/compat/messaging:  undefined ()
    firebase/compat/performance:  undefined ()
    firebase/compat/remote-config:  undefined ()
    firebase/compat/storage:  undefined ()
    firebase/database:  undefined ()
    firebase/firestore:  undefined ()
    firebase/firestore/lite:  undefined ()
    firebase/functions:  undefined ()
    firebase/messaging:  undefined ()
    firebase/messaging/sw:  undefined ()
    firebase/performance:  undefined ()
    firebase/remote-config:  undefined ()
    firebase/storage:  undefined ()
    svelte: ^3.44.0 => 3.44.2 
    sveltestrap: ^5.6.3 => 5.6.3 
    ~TODO~:  0.0.1 
  npmGlobalPackages:
    @aws-amplify/cli: 7.6.2
    aws-cli: 0.0.2
    firebase-tools: 9.23.0
    npm: 8.1.1

Describe the bug

When i generate url with Storage.get and I established expiration at 680400, url expires earlier, sometimes in hours

example signed url obtained:

https://viozon-storage-d19ugirv7c9inm182828-dev.s3.us-east-1.amazonaws.com/public/usuarios-1d8b6107-e518-498c-bcf3-459064d80dd1?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=ASIAVDNEQ3XVMEQSC5DN%2F20211210%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20211210T151410Z&X-Amz-Expires=604800&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEBgaCXVzLWVhc3QtMSJHMEUCIQDi3In6cRrIaWhODHc%2FUj4R9FGZKSVnFfXEc9ZGZgHkPAIgZ05waAr3OckW4nUsXz7rYMqpZ2YZJMw7tYtH9%2BdmQL4qzQQI8P%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgwzNTA5MjE3NDM4NTAiDIaCS1ljb06ZcMeE2CqhBHgk5eOfzolDX7hJz4nU8Ddg0ooe%2BMFDB1FrBoOCqhnPv0ITZwyAUQ0QEn2h1Qq9Ic65CHPS2kKWUadXpRmjqjTJz0OgPf7rYjN%2B1pPrISqCLYMyFxTHekhIdNBKMeiT4aAl2cRwhskIOxLLNL%2F89EJ8%2FzcAsC%2FxtMcwSLxA1BBDlgqdkUXYdhZzUYafaBUn33NYZ26yh88Cvzyu3nykM%2F7Bs%2F36GSDjT%2Fu%2F3CGrDzmSHYfdqIkhs%2BQQq9jUHW3u4XPCz2zf%2FqOzek6epFomL4JR8ExTQvP584wQ8SZj8ju6rr4hWkYkx36RoxQcPczw7o9XpY7tu3LPYgeIB4a1hmm9gNocFQ4dIER96%2FiI%2BJwXbg7bpCcHMsD%2Bzx%2BQBQsvXuSIUOhyGkdXMUu3gQdQT%2FvErK0Tc3Arv5d1RPlngF3cJOAlrGLQJdoAcQ%2BmTV%2FVQ4PgClAGZbCW1VV%2FfVAqm1oSc7%2Fzu28nIpK1Dq%2B%2F3uhYUmf4OJjGCM2FhcWWxR6kCr4W9w5cWvC%2BT0Nr7ZC8ep0ijD8pAQkq7jkqux6BzvPbhWdZLFbhOGCEHxF8TXVP%2FApvszd0KcsnPv%2BMjG%2FNyLJU%2F8bWteARwFuPrydfZWLgDGD61nAJ7MeD8jT%2BjeawqYXG9F5BuV%2B43hH5IX%2Bqlu3zpd1S38iUOh2%2FKx9ddQ8cTo7BHuozVfLPLgSehMqwCpHQcKgAupSJxjgCxdmgs4bbMMLdzY0GOoUCcIkfq0OAx0atGe6jnaoSFdWgGtF8i76kA1Zj51CdD1a7AudIPKmsDTA2PegEcwig6EKjRe%2Fp19Ic8Jscb1Lp4E4X%2FW3pQx1od1qMkREVq5pJzlKnIZ034NmbCszXetOk6SkZ8AkddAoxGOIbV1xNkSoBqqUvrFUtJNEIBzRw6Dfl%2F8U9um0fTl%2Fq80T3Q9k5V%2BkWnVuG53d8OV3%2BxH0QJVNoWBAVphIZeGGGI8DvlU8B9XnNdupcNSxZgPFrlki6NqnS3PamlWhaIQ5XU8WuKFu3bat%2BWNx%2F73gwb74SaeoAX47qZ1ZeQjGVM82HM9X%2FdyCqkjQB6GCHwmUVVw72XyZjRssB&X-Amz-Signature=4c467a1da91aa2da513050af0613108b922a3bab086e1ec0cbf999e886a8ade1&X-Amz-SignedHeaders=host&x-amz-user-agent=aws-sdk-js%2F3.6.1%20os%2FmacOS%2F10.15.7%20lang%2Fjs%20md%2Fbrowser%2FChrome_96.0.4664.93%20api%2Fs3%2F3.6.1%20aws-amplify%2F4.3.7_js&x-id=GetObject

Expected behavior

Expected to generate url that expire in 7 days

Reproduction steps

1.- Storage.get the file
2.- save signed url
3.- url expires earlier than established

Code Snippet

imgurl = await Storage.get(imagekey, {
        expires: 60 * 60 * 24 * 7,
 });

Log output

// Put your logs below this line

aws-exports.js

No response

Manual configuration

No response

Additional configuration

No response

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

No response

[ErickGHo]

Sounds like the IAM role session expires which causes this. https://aws.amazon.com/premiumsupport/knowledge-center/presigned-url-s3-bucket-expiration/

My idea: Storage.get documentation can be modified to reflect these limits, and if the user really needs access to longer times - then developers can create an IAM user and create a apig+lambda endpoint to generate a longer signed url using the iam user's credentials. Any other feasible solution?

[ahilashsasidharan]

I created a test app using react with the close to the latest packages and was able to reproduce the issue when an authenticated user signs in, uploads a photo, and creates a link as well as when an unauthenticated users does this as well. It seems that the max duration of the link created was 1 hour based on two test uploads and duration of the corresponding links created before they expired. This matches up with the maximum duration of when some AWS STS tokens expire. I've created two docs with my reproduction attempts, results and relevant documentation here:
https://docs.google.com/document/d/1IfjRRGoQ0tNtdvPxvHD9hp5QL3GoyRsNEtTUtE3jgwE/edit?usp=sharing
https://docs.google.com/document/d/1Z03add9Gt_uyrhei20jRUMsSVNbjet7eakXMvjNB0KQ/edit?usp=sharing .

[nadetastic]

Hi @ahilashsasidharan , following up here. As you mentioned, the expiration time of the pre-signed url is dependent on the session and will max out at 1 hour. I've updated the documentation to reflect this and will close out this issue. Thanks!