aws-s3-presign

Generate a pre-signed URL with default 1-hour expiration

$ aws s3 presign s3://[bucket-name]/[file.txt]

$ aws s3 presign s3://[bucket-name]/[file.txt] --expires-in 604800

$ aws s3 presign s3://[bucket-name]/[file.txt] --expires-in 300

$ aws s3 presign s3://[bucket-name]/[file.txt] --region [us-west-2]

aws s3 presign S3Uri [--expires-in value] [options]

aws s3 presign generates a pre-signed URL for an Amazon S3 object. Anyone with the pre-signed URL can retrieve the S3 object using an HTTP GET request without AWS credentials.
Pre-signed URLs are useful for sharing private S3 objects temporarily, embedding download links in applications, or providing time-limited access to files. All pre-signed URLs use Signature Version 4 (SigV4) authentication.

S3Uri

The S3 URI of the object to generate a pre-signed URL for (s3://bucket-name/key)

Number of seconds until the pre-signed URL expires (default: 3600, maximum: 604800)

The AWS region of the bucket (required for SigV4; overrides config/env settings)

The maximum expiration time is 604800 seconds (7 days). The region must be configured explicitly since all pre-signed URLs use SigV4 authentication. Pre-signed URLs grant read-only access; they cannot be used to upload or modify objects. The URL expires based on the credentials used to sign it; if using temporary credentials (STS), the URL cannot outlive those credentials.

aws-s3(1), aws-s3-cp(1), aws-s3api(1)