Is X-Amz-Expires a required header/parameter for requests to AWS?
Is
X-Amz-Expiresa required header/parameter? Official documentation is inconsistent and uses it in some examples, while not in others.If it is not required, what is the default expiration value of a signed request? Does it equal to the maximum possible value for
X-Amz-Expiresparameter, which is 604800 (seven days)?The documentation (see above links) talks about
X-Amz-Expiresparameter only in context of passing signing parameters in a query string. IfX-Amz-Expiresparameter is required, is it only required for passing signing parametes in query string (as opposed to passing them with Authorization header)?
Update:
Introduction to AWS Security Processes paper, on page 17 says
A request must reach AWS within 15 minutes of the time stamp in the request. Otherwise, AWS denies the request.
Now what time stamp are we talking about here? My guess is that it is X-Amz-Date. If I am correct, then another question crops up:
- How do
X-Amz-DateandX-Amz-Expiresparameters relate to each other? To me it sounds like request expiration algorithm falls back to 15 mins fromX-Amz-Datetimestamp, ifX-Amz-Expireis not present.
Answer
Is
X-Amz-Expiresa required header/parameter?
X-Amz-Expires is only used with query string authentication, not with the Authorization: header.
There is no default value with query string authentication. It is a required parameter, and the service will reject a request if X-Amz-Algorithm=AWS4-HMAC-SHA256 is present in the query string but X-Amz-Expires=... is not.
<Error>
<Code>AuthorizationQueryParametersError</Code>
...
Now what time stamp are we talking about here?
This refers to X-Amz-Date: when used with the Authorization: header. Because X-Amz-Date: is part of the input to the signing algorithm, a change in the date or time also changes the signature. An otherwise-identical request signed 1 second earlier or later has an entirely different signature. AWS essentially allows your server clock to be wrong by up to 15 minutes without breaking your ability to authenticate requests. It is not a fallback or a default. It is a fixed window.
The X-Amz-Date: of Authorization: header-based requests is compared by AWS to their system time, which is of course synched to UTC, and the request is rejected out if hand if this value is more than 15 minutes skewed from UTC when the request arrives. No other validation related to authentication occurs prior to the time check.
Validation of Query String authentication expiration involves different logic:
X-Amz-Expiresmust not be a value larger than 604800 or smaller than 0; otherwise the request is immediately denied without further processing, including a message similar to the one above.X-Amz-Datemust not be more than 15 minutes in the future, according to the AWS system clock. The error isRequest is not yet valid.X-Amz-Datemust not be more thanX-Amz-Expiresnumber of seconds in the past, relative to the AWS system clock, and no 15 minute tolerance applies. The error isRequest has expired.
If any of these conditions occur, no further validation is done on the signature, so these messages will not change depending on the validity of the signature. This is checked first.
Also, the leftmost 8 characters of your X-Amz-Date: must match the date portion of your Credential component of the Authorization: header. The date itself has zero tolerance for discrepancy against the credential (so, when signing, don't read your system time twice, else you risk generating an occasional invalid signature around midnight UTC).
Finally, requests do not expire while in the middle of processing. If you send a request using either signing method that is deemed valid when it arrives but would have expired very soon thereafter, it is always allowed to run to completion -- for example, a large S3 download or an EBS snapshot creation request will not start, then fail to continue, because the expiration timer struck while the request had already started on the AWS side. If the action was authorized when requested, then it continues and succeeds as normal.