Is X-Amz-Expires
a required header/parameter? Official documentation is inconsistent and uses it in some examples, while not in others.
If it is not required, what is the default expiration value of a signed request? Does it equal to the maximum possible value for X-Amz-Expires
parameter, which is 604800 (seven days)?
The documentation (see above links) talks about X-Amz-Expires
parameter only in context of passing signing parameters in a query string. If X-Amz-Expires
parameter is required, is it only required for passing signing parametes in query string (as opposed to passing them with Authorization header)?
Update:
Introduction to AWS Security Processes paper, on page 17 says
A request must reach AWS within 15 minutes of the time stamp in the request. Otherwise, AWS denies the request.
Now what time stamp are we talking about here? My guess is that it is X-Amz-Date
. If I am correct, then another question crops up:
X-Amz-Date
and X-Amz-Expires
parameters relate to each other? To me it sounds like request expiration algorithm falls back to 15 mins from X-Amz-Date
timestamp, if X-Amz-Expire
is not present.Is
X-Amz-Expires
a required header/parameter?
X-Amz-Expires
is only used with query string authentication, not with the Authorization:
header.
There is no default value with query string authentication. It is a required parameter, and the service will reject a request if X-Amz-Algorithm=AWS4-HMAC-SHA256
is present in the query string but X-Amz-Expires=...
is not.
<Error>
<Code>AuthorizationQueryParametersError</Code>
...
Now what time stamp are we talking about here?
This refers to X-Amz-Date:
when used with the Authorization:
header. Because X-Amz-Date:
is part of the input to the signing algorithm, a change in the date or time also changes the signature. An otherwise-identical request signed 1 second earlier or later has an entirely different signature. AWS essentially allows your server clock to be wrong by up to 15 minutes without breaking your ability to authenticate requests. It is not a fallback or a default. It is a fixed window.
The X-Amz-Date:
of Authorization:
header-based requests is compared by AWS to their system time, which is of course synched to UTC, and the request is rejected out if hand if this value is more than 15 minutes skewed from UTC when the request arrives. No other validation related to authentication occurs prior to the time check.
Validation of Query String authentication expiration involves different logic:
X-Amz-Expires
must not be a value larger than 604800 or smaller than 0; otherwise the request is immediately denied without further processing, including a message similar to the one above.X-Amz-Date
must not be more than 15 minutes in the future, according to the AWS system clock. The error is Request is not yet valid
.X-Amz-Date
must not be more than X-Amz-Expires
number of seconds in the past, relative to the AWS system clock, and no 15 minute tolerance applies. The error is Request has expired
.If any of these conditions occur, no further validation is done on the signature, so these messages will not change depending on the validity of the signature. This is checked first.
Also, the leftmost 8 characters of your X-Amz-Date:
must match the date portion of your Credential
component of the Authorization:
header. The date itself has zero tolerance for discrepancy against the credential (so, when signing, don't read your system time twice, else you risk generating an occasional invalid signature around midnight UTC).
Finally, requests do not expire while in the middle of processing. If you send a request using either signing method that is deemed valid when it arrives but would have expired very soon thereafter, it is always allowed to run to completion -- for example, a large S3 download or an EBS snapshot creation request will not start, then fail to continue, because the expiration timer struck while the request had already started on the AWS side. If the action was authorized when requested, then it continues and succeeds as normal.