LinuxCommandLibrary

aws-s3-presign

Generate temporary URLs for S3 object access

TLDR

Generate a pre-signed URL for a specific S3 object that is valid for one hour

$ aws s3 presign s3://[bucket_name]/[path/to/file]
copy

Generate a pre-signed URL valid for a specific lifetime
$ aws s3 presign s3://[bucket_name]/[path/to/file] --expires-in [duration_in_seconds]
copy

Display help
$ aws s3 presign help
copy

SYNOPSIS

aws-s3-presign [--bucket BUCKET] [--key KEY] [--expires-in SECONDS] [--http-method METHOD] [--region REGION] [global options]

PARAMETERS

--bucket
    S3 bucket name (required)

--key
    Object key/path in bucket (required)

--expires-in
    URL validity in seconds (default: 3600)

--http-method
    HTTP method: GET, PUT, POST, DELETE (default: GET)

--region
    AWS region (e.g., us-east-1)

--payload-signing-enabled
    Sign request payload (for PUT/POST)

--service
    Service name (default: s3)

--profile
    AWS profile name

--debug
    Enable debug output

--help
    Show help

DESCRIPTION

The aws-s3-presign command is a standalone utility included with AWS CLI version 2 (v2.7.20+). It generates pre-signed URLs for Amazon S3, allowing temporary, secure access to private objects without sharing AWS credentials.

Presigned URLs embed authentication details valid for a specified duration (default 1 hour), supporting operations like GET, PUT, POST, or DELETE. Ideal for file sharing, browser uploads, or API integrations.

Usage requires configured AWS credentials (via ~/.aws/credentials or environment variables). The tool signs requests using SigV4. Output is a ready-to-use URL, often piped to scripts or curl.

Example: Share a file via aws-s3-presign --bucket mybucket --key file.txt --expires-in 86400, yielding a URL accessible for 24 hours.

Leverages AWS STS for temporary creds in complex setups. Supports region-specific endpoints and custom signing.

CAVEATS

Requires AWS CLI v2.7.20+; credentials must have s3:GetObject/s3:PutObject permissions. Max expiry 7 days for IAM users. Not for public buckets. SigV4-only.

EXAMPLE

GET presign: aws-s3-presign --bucket mybucket --key file.jpg --expires-in 3600
PUT upload: aws-s3-presign --bucket mybucket --key upload.txt --http-method PUT --payload-signing-enabled

OUTPUT

Prints single line: https://mybucket.s3.amazonaws.com/file.txt?X-Amz-... (use with curl -X PUT)

HISTORY

Introduced in AWS CLI v2.7.20 (2022) as a convenience wrapper over aws s3api presign subcommands. Evolved for standalone use, improving scripting efficiency.

SEE ALSO

aws(1), s3cmd(1), curl(1)

Copied to clipboard