AWS S3: Generate a Presigned URL
Generate time-limited presigned URLs for S3 objects using aws s3 presign. Allow temporary access without AWS credentials.
Detailed Explanation
Generating Presigned URLs for S3 Objects
A presigned URL grants temporary access to a private S3 object without requiring the recipient to have AWS credentials. The URL includes a signature and expiration time embedded in the query string.
Basic Presigned URL
aws s3 presign s3://my-bucket/reports/quarterly-report.pdf
By default, the URL expires in 3600 seconds (1 hour).
Custom Expiration
aws s3 presign s3://my-bucket/files/document.pdf --expires-in 86400
This creates a URL valid for 24 hours (86400 seconds). The maximum expiration depends on the credential type:
- IAM user credentials: up to 7 days (604800 seconds)
- IAM role/STS temporary credentials: up to 12 hours (43200 seconds)
- AWS SSO credentials: up to 12 hours
Example Output
https://my-bucket.s3.amazonaws.com/reports/quarterly-report.pdf
?X-Amz-Algorithm=AWS4-HMAC-SHA256
&X-Amz-Credential=AKIA.../20240115/us-east-1/s3/aws4_request
&X-Amz-Date=20240115T103000Z
&X-Amz-Expires=3600
&X-Amz-SignedHeaders=host
&X-Amz-Signature=abc123...
Security Considerations
- The URL can be used by anyone who has it — treat it like a temporary password
- The URL inherits the permissions of the IAM identity that created it
- If the IAM credentials are revoked, existing presigned URLs stop working
- Presigned URLs only grant the specific operation (GET by default)
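An added example (not part of the original page or of the AWS CLI): a Python helper that parses the query string shown under Example Output and reports which kind of credential signed the URL, when it expires, and whether the lifetime exceeds the limits listed above. The function name, the policy_max limit and the sample URL are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Maximum lifetimes per credential type, as listed on this page (seconds).
MAX_IAM_USER = 604800
MAX_TEMPORARY = 43200
REQUIRED = ("X-Amz-Credential", "X-Amz-Date", "X-Amz-Expires", "X-Amz-Signature")


def inspect_presigned_url(url, now=None, policy_max=3600):
    """Summarise a SigV4 presigned URL; policy_max is a hypothetical org limit (s)."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    missing = [k for k in REQUIRED if k not in query]
    if missing:
        raise ValueError(f"not a SigV4 presigned URL, missing: {missing}")
    # Credential scope: <access-key-id>/<yyyymmdd>/<region>/<service>/aws4_request
    key_id, _, region, _, _ = query["X-Amz-Credential"].split("/")
    signed_at = datetime.strptime(query["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
    signed_at = signed_at.replace(tzinfo=timezone.utc)
    lifetime = int(query["X-Amz-Expires"])
    expires_at = signed_at + timedelta(seconds=lifetime)
    now = now or datetime.now(timezone.utc)
    # ASIA-prefixed keys and a session token both indicate temporary credentials.
    temporary = key_id.startswith("ASIA") or "X-Amz-Security-Token" in query
    findings = []
    if lifetime > policy_max:
        findings.append(f"lifetime {lifetime}s exceeds policy maximum {policy_max}s")
    if lifetime > (MAX_TEMPORARY if temporary else MAX_IAM_USER):
        findings.append("lifetime exceeds the maximum for this credential type")
    if not temporary:
        findings.append("signed with a long-term IAM user access key")
    return {
        "object": parts._replace(query="").geturl(),  # signature stripped: safe to log
        "access_key_id": key_id,
        "region": region,
        "temporary_credentials": temporary,
        "expires_at": expires_at,
        "seconds_remaining": max(0, int((expires_at - now).total_seconds())),
        "findings": findings,
    }


# Constructed sample modelled on the page's example output (not a real key or signature).
SAMPLE = (
    "https://my-bucket.s3.amazonaws.com/reports/quarterly-report.pdf"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host"
    "&X-Amz-Credential=AKIAEXAMPLE000000000%2F20240115%2Fus-east-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20240115T103000Z&X-Amz-Expires=3600&X-Amz-Signature=" + "0" * 64
)
```

Logging the "object" field instead of the full URL keeps the signature, which is the part that grants access, out of log files and tickets.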
Use with Specific Region
aws s3 presign s3://my-bucket/file.zip \
--expires-in 7200 \
--region eu-west-1
Use Case
Sharing private files with external partners, generating temporary download links for user-facing applications, or providing time-limited access to build artifacts in CI/CD pipelines.