aws s3 presign: Generate a Presigned S3 URL in CI
Create a temporary, credential-free URL for an S3 object.
aws s3 presign generates a signed URL that grants time-limited access to an S3 object without requiring AWS credentials. In CI it is handy for sharing a build artifact, report, or coverage file with a downstream system or a pull-request comment.
Common flags
--expires-in- URL lifetime in seconds (default 3600, max 604800)--region- the bucket region (must match for SigV4)s3://bucket/key- the object to sign (positional, required)
Example in CI
Share a build report for 1 hour via a presigned URL.
shell
aws s3 presign s3://${ARTIFACT_BUCKET}/reports/${GITHUB_SHA}.html --expires-in 3600Common errors in CI
- Generated URL returns AccessDenied - object does not exist or signer lacks s3:GetObject
- SignatureDoesNotMatch when opened - wrong --region for the bucket
- Request has expired - URL used after --expires-in elapsed
Key takeaways
- presign builds a signed URL good for up to 7 days (--expires-in max 604800).
- Pass the correct --region or SigV4 signing produces a SignatureDoesNotMatch.
- The URL inherits the signer's permissions - the object must be readable by the role.
Related guides
aws s3 cp: Copy Files to S3 in CIaws s3 cp copies files and directories to and from S3. Learn the recursive, exclude, and ACL flags plus a CI…
aws s3 ls: List S3 Buckets and Objects in CIaws s3 ls lists buckets, prefixes, and objects in S3. Learn the recursive, human-readable, and summarize flag…
aws s3 sync: Sync a Directory to S3 in CIaws s3 sync uploads only changed files to S3, making it ideal for static site deploys in CI. Learn the delete…