Skip to content
Latchkey

aws s3 presign: Generate Pre-Signed S3 URLs

aws s3 presign produces a temporary URL that grants time-limited GET access to a private S3 object without exposing credentials.

Pipelines hand a build artifact or report to an external system via a pre-signed link. The catch in CI is that with temporary (STS) credentials the URL cannot outlive the session token.

What it does

aws s3 presign signs a request to an S3 object and prints a URL valid for --expires-in seconds (default 3600, max 604800 for SigV4). Anyone with the URL can GET the object until it expires or the signing credentials expire.

Common usage

Terminal
aws s3 presign s3://my-artifacts/builds/report.html \
  --expires-in 900

Options

FlagWhat it does
s3://bucket/keyObject to presign (positional, required)
--expires-in <seconds>Validity window (default 3600, max 604800)
--region <region>Region for SigV4 signing

In CI

When you authenticate via OIDC role assumption, your credentials are temporary STS tokens. A pre-signed URL signed with them stops working when the session token expires (often well under an hour), even if --expires-in is larger. For a longer-lived link, sign with credentials from a role whose --duration-seconds covers the window, or use long-lived keys scoped to just that object.

Common errors in CI

The presign command itself rarely errors (it does not call S3), but the URL can return errors at fetch time: HTTP 403 with "The provided token has expired" means the STS session behind the signature expired before --expires-in. 403 "SignatureDoesNotMatch" often means a region mismatch between signing and the bucket. 403 "Request has expired" means the window elapsed. "NoSuchKey" means the object does not exist.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →