I have this code for signing S3 URLs:
    private URL generatePreSignedUrl(String s3Key, String s3Bucket, Date expiration, HttpMethod method) {
        GeneratePresignedUrlRequest generatePresignedUrlRequest = new GeneratePresignedUrlRequest(s3Bucket, s3Key)
                .withMethod(method)
                .withExpiration(expiration);
        return amazonS3.generatePresignedUrl(generatePresignedUrlRequest);
    }
and these properties:
    spring:
      cloud:
        aws:
          credentials:
            sts:
              web-identity-token-file: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
    cloud:
      aws:
        region:
          static: us-east-1
        stack:
          auto: false
        credentials:
          use-default-aws-credentials-chain: true
The function works fine after the service is deployed, but after some time it keeps failing with a "provided token expired" error. I'm using Spring Boot 3.
It should work fine and sign the URLs, but it fails after some time.
The AWS S3 presigned URL has an expiration time (check the link parameters). By default it is 900 seconds (15 min). You can set the expiration timestamp explicitly with .setExpiration(Date timestamp), however at most for 7 days. That is valid for long-term credentials. Using temporary session credentials (e.g. the runtime role for EC2 or a container), the signature expires when the session-generated access key expires. By default that is every hour (as far as I know, I may be wrong).
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
If a reasonably long duration is needed, the application can call AssumeRole, where it is possible to specify a duration from 1 hour to 12 hours.
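
To check the link parameters mentioned in the answer above, the following added example (not code from the question or the answer) reads a presigned URL's query string and reports the expiry it advertises next to the expiry that actually applies when it was signed with session credentials. It assumes a SigV4 query-signed URL (`X-Amz-Date`, `X-Amz-Expires`, `X-Amz-Security-Token`); the class name, the sample URL and the session expiry passed in by the caller are constructed for illustration.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.time.*;
import java.time.format.DateTimeFormatter;
import java.util.*;

public class PresignedUrlLifetime {
    // SigV4 timestamps use the ISO 8601 basic format, e.g. 20240101T120000Z.
    static final DateTimeFormatter AMZ_DATE = DateTimeFormatter.ofPattern("yyyyMMdd'T'HHmmss'Z'");

    // Decode the URL's query string into a name -> value map.
    static Map<String, String> query(String url) {
        Map<String, String> out = new HashMap<>();
        String raw = URI.create(url).getRawQuery();
        for (String pair : raw == null ? new String[0] : raw.split("&")) {
            int eq = pair.indexOf('=');
            String k = eq < 0 ? pair : pair.substring(0, eq);
            String v = eq < 0 ? "" : pair.substring(eq + 1);
            out.put(URLDecoder.decode(k, StandardCharsets.UTF_8), URLDecoder.decode(v, StandardCharsets.UTF_8));
        }
        return out;
    }

    // Expiry the URL advertises: X-Amz-Date plus X-Amz-Expires seconds.
    static Instant signedExpiry(Map<String, String> q) {
        if (!q.containsKey("X-Amz-Date") || !q.containsKey("X-Amz-Expires")) throw new IllegalArgumentException("not a SigV4 presigned URL");
        Instant signedAt = LocalDateTime.parse(q.get("X-Amz-Date"), AMZ_DATE).toInstant(ZoneOffset.UTC);
        return signedAt.plusSeconds(Long.parseLong(q.get("X-Amz-Expires")));
    }

    // A URL signed with session credentials (it carries X-Amz-Security-Token) stops
    // working when that session expires, even if the advertised expiry is later.
    static Instant effectiveExpiry(Map<String, String> q, Instant sessionExpiry) {
        Instant signed = signedExpiry(q);
        if (!q.containsKey("X-Amz-Security-Token") || sessionExpiry == null) return signed;
        return sessionExpiry.isBefore(signed) ? sessionExpiry : signed;
    }

    public static void main(String[] args) {
        // Constructed sample: a 24-hour URL signed with a session that ends after 1 hour.
        String url = "https://example-bucket.s3.us-east-1.amazonaws.com/report.pdf"
                + "?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20240101T120000Z"
                + "&X-Amz-Expires=86400&X-Amz-Security-Token=CONSTRUCTED&X-Amz-Signature=CONSTRUCTED";
        Instant sessionExpiry = Instant.parse("2024-01-01T13:00:00Z"); // assumed, supplied by the caller
        Map<String, String> q = query(url);
        System.out.println("signed expiry:    " + signedExpiry(q));
        System.out.println("effective expiry: " + effectiveExpiry(q, sessionExpiry));
    }
}
```

The session expiry is not encoded in the URL, so the caller has to record it from the credentials that were active at signing time.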