aws-s3-presign
Generate temporary URLs for S3 object access
TLDR
Generate a pre-signed URL for a specific S3 object that is valid for one hour
Generate a pre-signed URL valid for a specific lifetime
Display help
SYNOPSIS
aws s3 presign
PARAMETERS
S3URI
Required. The S3 URI of the object for which to generate a pre-signed URL. Example:
s3://my-bucket-name/my-object-key.txt
--expires-in
Optional. The number of seconds the pre-signed URL will remain valid.
The default is 3600 seconds (1 hour). The maximum allowed value is 604800 seconds (7 days).
DESCRIPTION
The aws s3 presign command, part of the AWS Command Line Interface (CLI), generates time-limited, authenticated URLs for Amazon S3 objects. This allows users or applications to temporarily access private S3 content without requiring their own AWS credentials.
When you create a pre-signed URL, your AWS credentials are used to sign the URL, embedding security information and an expiration time. Anyone with this URL can then perform the action (typically downloading an object) that the URL's creator was authorized to do, for the duration specified.
It is a tool for controlled sharing: it enables temporary access to specific S3 resources for external parties or temporary integrations without exposing long-term credentials or modifying bucket policies. Typical scenarios include sharing a private file with a client for a limited period or enabling a web application to fetch a specific asset.
CAVEATS
Security Risk: A pre-signed URL is a bearer credential. It grants access to the S3 object for the operation it was signed for (read, write, or delete, depending on how the URL was generated and on the permissions of the identity used to generate it) for its entire duration.
Share these URLs with extreme caution, as anyone possessing the URL can use it.
Expiration: Once the specified expiration time passes, the URL becomes invalid and can no longer be used to access the object.
Permissions: The AWS credentials used to generate the pre-signed URL must have the necessary permissions for the S3 object (e.g., s3:GetObject for downloads). If the generating credentials lack permissions, the URL will not work.
Method Limitation: The aws s3 presign CLI command exclusively generates pre-signed URLs for HTTP GET requests (downloads).
To generate pre-signed URLs for other HTTP methods (e.g., PUT for uploads, DELETE), an AWS SDK (like Boto3 for Python, or the SDK for Java, Node.js, etc.) must be used to specify the desired HTTP method programmatically.
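Added example (not part of the original page or of the AWS CLI): a check to run on a pre-signed URL before sharing it, decoding the signer, lifetime and expiry that the URL embeds. It assumes the Signature Version 4 query-string format (X-Amz-* parameters); the function name, the policy_max limit and the sample URL with its dummy signature are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

# Constructed sample: AWS's documentation example key ID, dummy all-zero signature.
SAMPLE_URL = (
    "https://my-data-bucket.s3.us-east-1.amazonaws.com/reports/report_2023.pdf"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20240101%2Fus-east-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20240101T120000Z&X-Amz-Expires=604800"
    "&X-Amz-SignedHeaders=host&X-Amz-Signature=" + "0" * 64
)

def inspect_presigned_url(url, now=None, policy_max=3600):
    """Decode a SigV4 pre-signed URL; policy_max is a hypothetical local limit in seconds."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    needed = ("X-Amz-Credential", "X-Amz-Date", "X-Amz-Expires", "X-Amz-Signature")
    missing = [k for k in needed if k not in q]
    if missing:
        raise ValueError(f"not a SigV4 pre-signed URL, missing {missing}")
    # Credential scope: <access-key-id>/<yyyymmdd>/<region>/<service>/aws4_request
    scope = q["X-Amz-Credential"].split("/")
    if len(scope) != 5:
        raise ValueError("malformed X-Amz-Credential")
    issued = datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    lifetime = int(q["X-Amz-Expires"])
    expires_at = issued + timedelta(seconds=lifetime)
    findings = []
    if parts.scheme != "https":
        findings.append("not HTTPS: the URL can be read in transit")
    if lifetime > policy_max:
        findings.append(f"lifetime {lifetime}s exceeds policy limit {policy_max}s")
    if "X-Amz-Security-Token" in q:
        findings.append("signed with temporary credentials: dies with the session")
    return {
        "access_key_id": scope[0],  # identifies whose permissions the URL carries
        "region": scope[2],
        "lifetime_seconds": lifetime,
        "expires_at": expires_at,
        "seconds_left": max(0, int((expires_at - now).total_seconds())),
        "findings": findings,
    }

if __name__ == "__main__":
    for key, value in inspect_presigned_url(SAMPLE_URL).items():
        print(f"{key}: {value}")
```

The access key ID in the URL is visible to every recipient, so it also tells an incident responder which identity to rotate or restrict if a URL leaks before it expires.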
USAGE EXAMPLES
Here are common examples of using the aws s3 presign command:
1. Generate a URL for a file with default expiration (1 hour):
aws s3 presign s3://my-data-bucket/reports/report_2023.pdf
2. Generate a URL for an image file, valid for 10 minutes (600 seconds):
aws s3 presign s3://my-website-assets/images/logo.png --expires-in 600
3. Use the generated URL with curl to download the object:
curl "$(aws s3 presign s3://my-data-bucket/reports/report_2023.pdf)" -o downloaded_report.pdf
HISTORY
The aws s3 presign command is an integral part of the AWS Command Line Interface (CLI), which was first released in 2013, aiming to provide a unified tool for interacting with AWS services from the command line.
The functionality to generate pre-signed URLs has been a core feature for Amazon S3 since its early days, addressing the need for secure, time-limited access to private objects without altering bucket policies or requiring long-term credentials.
The CLI's s3 presign command brought this capability directly to the command line, simplifying its usage for developers and administrators.