AWS S3 Failure to Retrieve Document Using PreSigned URL : Invalid date (should be seconds since epoch)

Question

We uploaded a document to AWS S3 and generated a pre-signed URL using boto3 with an expiry time of 100 years.

The pre-signed URL we retrieved is http://my_document.s3.amazonaws.com/my_document.htm?Signature=AWS_GENERATED_SIGNATURE&Expires=4732867559&AWSAccessKeyId=MY_ACCESS_KEY

However, when we use the URL to access the document, we receive the following error:

<Error> <Code>AccessDenied</Code> <Message> Invalid date (should be seconds since epoch): 4732867559 </Message> <RequestId>D7F5624326124615</RequestId> <HostId> AWS_HOST_ID </HostId> </Error>

Why is AWS S3 refusing to open a document because of an expiry time value, which it itself allowed us to use to generate the pre-signed URL?

Has anybody here faced a similar issue while integrating with AWS S3 using boto3 ?

https://stackoverflow.com/questions/24014306/aws-s3-pre-signed-url-without-expiry-date — Arun Kamalanathan, Jan 18 '20 at 07:18
@ArunK notice Jarmod's comment in that answer. That's only true for Signature V4. The example above is Sig V2, since it uses `AWSAccessKeyId` instead of `X-Amz-Credential`, as seen in V4. V2 uses the Unix epoch, which ends at 2038-01-19T03:14:08Z. — Michael - sqlbot, Jan 18 '20 at 17:16

score 1 · Accepted Answer · answered Jan 18 '20 at 17:29

Why is AWS S3 refusing to open a document because of an expiry time value, which it itself allowed us to use to generate the pre-signed URL?

S3 didn't allow that. Signed URLs are generated locally, and S3 doesn't see them or know about them (or validate their authenticity or authorization to fetch the specified object) until you actually try to use them.

This is probably best characterized as a bug in boto3... Signature Version 2 expirations are tied to the Unix epoch, which ends 2038-01-19T03:14:08Z (the "Y2.038K bug"). It's unlikely to be fixed at this point since Signature V2 is deprecated.

Theoretically, you could V2-sign a URL that does't expire until mid-January, 2038 but this isn't viable, either, because signed URLs are (re)validated each time they are used. Best practice is to periodically rotate your keys, so the AWS Access Key ID you are using today should not still be valid in 100 years, or even in the 18 years between now and 2038. Once you deactivate those particular credentials, any URLs they signed will no longer be usable.

score 0 · Answer 2 · answered Nov 28 '22 at 11:39

I am adding my experience here,

I also faced the same issue,

case 1: if I generate a presigned url with below request and try to open I get access denied and epoch error

GetPreSignedUrlRequest request = 
    new GetPreSignedUrlRequest {
        BucketName = bucketName,
        Key = objectKey.PrefixRootPathToKey(resourcePath),
        Verb = verb,
        Expires = DateTime.MaxValue
        };

response:

<Error>
  <Code>AccessDenied</Code>
  <Message>Invalid date (should be seconds since epoch): blah</Message>
  <RequestId>blah blah</RequestId>
  <HostId>blah blah</HostId>
</Error>

case 2: if I generate a with relative smaller expiry it works,

GetPreSignedUrlRequest request = 
    new GetPreSignedUrlRequest {
        BucketName = bucketName,
        Key = objectKey.PrefixRootPathToKey(resourcePath),
        Verb = verb,
        Expires = DateTime.UtcNow.AddMinutes(15)
        };

AWS S3 Failure to Retrieve Document Using PreSigned URL : Invalid date (should be seconds since epoch)

2 Answers2