GCS signed_urls only last 7 days

[sww314]

There is relatively recent change in Google that will break signed_urls with an expiration date of more than 7 days in the future.
The default GS_EXPIRATION is 86400 seconds. However in the past there has been no upper limit. Now there is a max of 7 days.

Max value:
GS_EXPIRATION = timedelta(seconds=604800)

https://cloud.google.com/storage/docs/access-control/signed-urls-v2

This is the timestamp (represented as the number of seconds since the Unix Epoch of 00:00:00 UTC on January 1, 1970) when the signature expires. The server rejects any requests received after this timestamp, as well as any requests received after the key used to generate the signed URL is rotated. For security and for compatibility with the V4 signing process, you should set Expires to correspond to at most 1 week (604800 seconds) in the future.

If you generate a url with a longer expiration everything will work fine until 7 days have passed. Then when you try to access the url:

<Error>
<Code>SignatureDoesNotMatch</Code>
<Message>The request signature we calculated does not match the signature you provided. Check your Google secret key and signing method.</Message>
<StringToSign>GET 1629488504 /BUCKET_NAME/inspection-media/DSC00095.JPG</StringToSign>
</Error>

Related upstream issue:
googleapis/python-storage#456

[jschneier]

Seems they throw further up?