Skip to content
Latchkey

aws s3 presign: Generate a Presigned S3 URL in CI

Create a temporary, credential-free URL for an S3 object.

aws s3 presign generates a signed URL that grants time-limited access to an S3 object without requiring AWS credentials. In CI it is handy for sharing a build artifact, report, or coverage file with a downstream system or a pull-request comment.

Common flags

  • --expires-in - URL lifetime in seconds (default 3600, max 604800)
  • --region - the bucket region (must match for SigV4)
  • s3://bucket/key - the object to sign (positional, required)

Example in CI

Share a build report for 1 hour via a presigned URL.

shell
aws s3 presign s3://${ARTIFACT_BUCKET}/reports/${GITHUB_SHA}.html --expires-in 3600

Common errors in CI

  • Generated URL returns AccessDenied - object does not exist or signer lacks s3:GetObject
  • SignatureDoesNotMatch when opened - wrong --region for the bucket
  • Request has expired - URL used after --expires-in elapsed

Key takeaways

  • presign builds a signed URL good for up to 7 days (--expires-in max 604800).
  • Pass the correct --region or SigV4 signing produces a SignatureDoesNotMatch.
  • The URL inherits the signer's permissions - the object must be readable by the role.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →