Long-lived S3 presigned links
I have been trying to make long-lived presigned links to S3 resources, and it's been surprisingly awkward.
The longest you can make the links for is one week - 604800 seconds. I would have liked them to be even longer but this is a hard maximum.
First of all, I tried the AWS web console. This warns that the longest time is 12 hours, so that was out.
Then I tried doing it in CloudShell (for simplicity). The links worked, but expired quickly:
<Error>
<Code>ExpiredToken</Code>
<Message>The provided token has expired.</Message>
....
</Error>
They were also very long links:
https://s3.eu-west-2.amazonaws.com/bucket-name/path/to/resource?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIA2RP.................14%2Feu-west-2%2Fs3%2Faws4_request&X-Amz-Date=20250514T194107Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3J................................SdHd1XfnQ%3D%3D&X-Amz-Signature=2a8fc7fadd7...............256
As the documentation says, if the credentials used to sign the link expire (i.e. STS credentials), the link stops working too.
From the docs:
"Access key IDs beginning with AKIA are long-term access keys for an IAM user or an AWS account root user. Access key IDs beginning with ASIA are temporary credentials access keys that you create using AWS STS operations."
The solution is as follows:
Create an IAM user (or use an existing one) with read permissions to S3
Create an access key (or use an existing one) for this user
Put the access key in ~/.aws/credentials and give it a profile name
Finally, use the AWS CLI to run the command to generate the link:
aws --region eu-west-2 --profile profile-name s3 presign --expires-in=604800 "s3://bucket-name/path/to/resource"
This should generate a link something like the following (notice the X-Amz-Credential=AKIA... in it):
https://bucket-name.s3.eu-west-2.amazonaws.com/path/to/resource?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA2RP6IAHC...................18%2Feu-west-2%2Fs3%2Faws4_request&X-Amz-Date=20250518T134720Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=0333466.....................317beee8d
Not the quickest or easiest way to share something in S3 with someone else, but it does work.
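To check a link before sharing it, the Python function below (an added example, not part of the original post) parses the presigned URL's query string and warns when it was signed with temporary credentials, meaning an ASIA key ID or an X-Amz-Security-Token parameter, which is the failure described above. The function name inspect_presigned_url is an assumption, and the sample URLs, key IDs, token and signatures are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

MAX_EXPIRES = 604800  # one week, the hard maximum mentioned in the post

def inspect_presigned_url(url, now=None):
    """Parse the SigV4 query parameters of a presigned URL and flag problems."""
    now = now or datetime.now(timezone.utc)
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    missing = [k for k in ("X-Amz-Credential", "X-Amz-Date", "X-Amz-Expires") if k not in q]
    if missing:
        raise ValueError(f"not a SigV4 presigned URL, missing {missing}")
    # Credential scope: <access key id>/<yyyymmdd>/<region>/<service>/aws4_request
    key_id, _day, region, service, _suffix = q["X-Amz-Credential"].split("/")
    signed_at = datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    expires_in = int(q["X-Amz-Expires"])
    nominal_expiry = signed_at + timedelta(seconds=expires_in)
    temporary = key_id.startswith("ASIA") or "X-Amz-Security-Token" in q
    warnings = []
    if temporary:
        warnings.append("signed with temporary (STS) credentials: the link stops "
                        "working when they expire, whatever X-Amz-Expires says")
    if expires_in > MAX_EXPIRES:
        warnings.append("X-Amz-Expires exceeds the one-week maximum")
    if now >= nominal_expiry:
        warnings.append("nominal expiry has already passed")
    return {"key_id_prefix": key_id[:4], "temporary": temporary, "region": region,
            "service": service, "nominal_expiry": nominal_expiry, "warnings": warnings}

# Constructed sample links: key IDs, token and signatures are placeholders.
BASE = ("https://bucket-name.s3.eu-west-2.amazonaws.com/path/to/resource"
        "?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20250518T134720Z"
        "&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=0000placeholder")
LONG_TERM = BASE + "&X-Amz-Credential=AKIAEXAMPLEKEYID0000%2F20250518%2Feu-west-2%2Fs3%2Faws4_request"
TEMPORARY = (BASE + "&X-Amz-Credential=ASIAEXAMPLEKEYID0000%2F20250518%2Feu-west-2%2Fs3%2Faws4_request"
             "&X-Amz-Security-Token=PLACEHOLDERTOKEN")

if __name__ == "__main__":
    for name, url in (("long-term", LONG_TERM), ("temporary", TEMPORARY)):
        info = inspect_presigned_url(url)
        print(name, info["key_id_prefix"], info["nominal_expiry"].isoformat(), info["warnings"])
```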