AWS

RequestExpired - Request Expired

Getting a **RequestExpired** error means your S3 presigned URL or AWS request has passed its expiration time—presigned URLs typically expire after 1 hour (default) or the time you specified, and AWS requests expire if the timestamp is more than 15 minutes old. This client-side error (4xx) happens when AWS validates request timestamps. Most common when S3 presigned URLs expire, but also appears when system clocks are skewed, request timestamps are too old, or expiration times are set too short.

#Common Causes

  • Identity: IAM policy expiration restrictions. Service Control Policy (SCP) enforces shorter expiration times.
  • Network: VPC endpoint request timeout. Clock skew between client and AWS (more than 15 minutes).
  • Limits: Presigned URL expired (default 1 hour, max 7 days for S3). Request timestamp too old (AWS allows 15 minutes clock skew). Expiration time passed. Time-based token expired.

Solutions

  1. 1Step 1: Diagnose - Check presigned URL expiration: Review when URL was generated. Check expiration parameter: aws s3 presign s3://BUCKET/KEY --expires-in 3600. Default is 1 hour (3600 seconds).
  2. 2Step 2: Diagnose - Check system clock: date. Compare with AWS time: aws sts get-caller-identity (if this works, clock is OK). Verify NTP sync: ntpq -p (Linux). Clock skew must be < 15 minutes.
  3. 3Step 3: Diagnose - Check request timestamp: Review X-Amz-Date header in request. Timestamp must be within 15 minutes of AWS server time. Check if request was cached/delayed.
  4. 4Step 4: Fix - Generate new presigned URL: aws s3 presign s3://BUCKET/KEY --expires-in 3600. Increase expiration if needed (max 7 days for S3): aws s3 presign s3://BUCKET/KEY --expires-in 604800.
  5. 5Step 5: Fix - Synchronize system clock: Linux: sudo ntpdate -s time.nist.gov. macOS: sudo sntp -sS time.google.com. Windows: w32tm /resync. Restart AWS CLI after sync.

</>Code Examples

Generate Presigned URLs with Expiration
1#!/bin/bash
2BUCKET_NAME="my-bucket"
3OBJECT_KEY="path/to/file.txt"
4
5# Generate presigned URL (default 1 hour = 3600 seconds)
6echo "=== Generating Presigned URL (1 hour) ==="
7PRESIGNED_URL=$(aws s3 presign s3://${BUCKET_NAME}/${OBJECT_KEY} --expires-in 3600)
8echo "URL: ${PRESIGNED_URL}"
9echo "Expires in: 1 hour"
10
11# Generate with longer expiration (max 7 days for S3 = 604800 seconds)
12echo "\n=== Generating Presigned URL (7 days) ==="
13LONG_URL=$(aws s3 presign s3://${BUCKET_NAME}/${OBJECT_KEY} --expires-in 604800)
14echo "URL: ${LONG_URL}"
15echo "Expires in: 7 days"
16
17# Test URL before expiration
18echo "\n=== Testing URL ==="
19curl -I "${PRESIGNED_URL}" 2>&1 | head -5
Check System Clock and Synchronize
1#!/bin/bash
2# Check system time
3echo "=== System Time ==="
4date
5date -u  # UTC time
6
7# Check NTP synchronization (Linux)
8echo "\n=== NTP Status ==="
9if command -v ntpq &> /dev/null; then
10  ntpq -p
11elif command -v timedatectl &> /dev/null; then
12  timedatectl status
13fi
14
15# Synchronize time (requires sudo)
16echo "\n=== Synchronizing Time ==="
17echo "Linux: sudo ntpdate -s time.nist.gov"
18echo "macOS: sudo sntp -sS time.google.com"
19echo "Windows: w32tm /resync"
20
21# Test AWS time sync
22echo "\n=== Testing AWS Time Sync ==="
23aws sts get-caller-identity 2>&1
24if [ $? -eq 0 ]; then
25  echo "✓ Time appears synchronized (AWS request succeeded)"
26else
27  echo "✗ Time may be skewed (check error above)"
28fi
Regenerate Expired Presigned URLs
1#!/bin/bash
2BUCKET_NAME="my-bucket"
3OBJECT_KEY="path/to/file.txt"
4
5# Function to check if URL is expired
6check_url_expiry() {
7  local url="${1}"
8  # Extract expiration from URL (X-Amz-Expires parameter)
9  # Note: This is a simplified check
10  if echo "${url}" | grep -q "X-Amz-Expires"; then
11    echo "URL has expiration parameter"
12  else
13    echo "Cannot determine expiration from URL"
14  fi
15}
16
17# Generate new presigned URL
18echo "=== Generating New Presigned URL ==="
19NEW_URL=$(aws s3 presign s3://${BUCKET_NAME}/${OBJECT_KEY} --expires-in 3600)
20echo "New URL: ${NEW_URL}"
21
22# Test the new URL
23echo "\n=== Testing New URL ==="
24HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" "${NEW_URL}")
25if [ "${HTTP_CODE}" = "200" ] || [ "${HTTP_CODE}" = "403" ]; then
26  echo "URL is valid (HTTP ${HTTP_CODE})"
27  if [ "${HTTP_CODE}" = "403" ]; then
28    echo "Note: 403 may indicate expired URL or access denied"
29  fi
30else
31  echo "URL test returned: HTTP ${HTTP_CODE}"
32fi

Related Errors

SignatureDoesNotMatchAccessDenied

Provider Information

This error code is specific to AWS services. For more information, refer to the official AWS documentation.

RequestExpired - Request Expired | AWS Error Reference | Error Code Reference