s3.getSignedUrl is returning x-amz-security-token and PUTs are failing

Using s3.getSignedUrl with the leanest of parameters to generate a signed PUT URL. Running with serverless-offline generates a signed URL that is successful in PUTting to the bucket. Deploying to AWS and invoking with all the same params returns a signed URL that has an additional x-amz-security-token and the PUT fails with the ever-so-helpful “invalid token” error.

I have confirmed that the execution role has appropriate S3 permissions going as far as to grant * on everything S3 related and configuring the bucket for wide-open public write (obviously to be tightened after this bug is fixed).

Any help would be greatly appreciated as this has sucked up almost 6 hours of my day so far.

NodeJS snippet

      const s3 = new AWS.S3({ signatureVersion: "v4", region });

      const params = {
        Bucket: bucket,
        ACL: "public-read",

      const signedUrl = s3.getSignedUrl("putObject", params);

serverless.yml snippet

    - Effect: 'Allow'
        - 's3:PutObject'
        - 's3:PutObjectAcl'
        - 'arn:aws:s3:::***bucket***'
        - 'arn:aws:s3:::***bucket***/*'

Policy snippet

    "Version": "2012-10-17",
    "Statement": [
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "logs:CreateLogStream",
            "Resource": "***log group arn***"
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [