aws-sdk-ruby: Aws:STS:Presigner sometimes sets X-Amz-Expires < 900

Describe the bug

After upgrading from 3.173.0 to 3.178.0 of aws-sdk-core, get_caller_identity_presigned_url sometimes sets X-Amz-Expires to a value < 900. A value other than 900 does not work for anything other than S3.

We use these presigned URLs for authn, and the server strictly enforces the value of this parameter for safety.

I believe it is due to this “feature” from aws-sdk-s3 v1.127.0:

Feature - Select minimum expiration time for presigned urls between the expiration time option and the credential expiration time.

I don’t see anything of relevance in the changelog for aws-sdk-core.

Expected Behavior

see above

Current Behavior

see above

Reproduction Steps

Generate a presigned url when role creds will expire in < 15 minutes

Possible Solution

No response

Additional Information/Context

No response

Gem name (‘aws-sdk’, ‘aws-sdk-resources’ or service gems like ‘aws-sdk-s3’) and its version

aws-sdk-core 3.178.0

Environment details (Version of Ruby, OS environment)

n/a

About this issue

  • Original URL
  • State: open
  • Created a year ago
  • Comments: 17 (10 by maintainers)

Most upvoted comments

The feature of selecting minimum expiration time is very much intended. Otherwise, there are cases where a pre-signed url with expiration of 900 seconds may not work if the credentials expire any time sooner.

+1
mullermp on Jul 25, 2023
Read more comments on GitHub
← aws-sdk-ruby: AWS::S3::Errors::BadRequest when calling S3Object#exists?
aws-sdk-ruby: DynamoDB #query method returns response with items = nil →