Understanding S3 presigned URL

Photo by Scott Graham on Unsplash

What are S3 presigned URLs?

S3 presigned URLs are pre-authenticated URLs granting user access to the objects stored in S3.

Users will inherit the permissions of the person who is generating the presigned URL

Why is it needed?

Temporarily allow user to upload/download objects from S3. eg: premium videos that should be accessible for a stipulated time

Understanding S3 presigned URLs from AWS console

I just uploaded an image onto my S3 bucket and this is not public by default:

Let’s try opening the object via the object URL-

We are getting an access denied error. This is because the object is not public.

Now, let’s try to open it via Object actions.

We are able to open it because this URL is signed with our credentials:

How to generate one?


  1. AWS CLI is installed and configured with your account credentials
  2. We have an S3 bucket which is not public

The following command is to configure the signature version:

# set the proper signature version in order not to get issues when generating URLs for encrypted files

aws configure set default.s3.signature_version s3v4

This command generates a presigned URL, which we can use to distribute the selective content

# add a custom expiration time

aws s3 presign s3://mybucket/myobject — expires-in 300 — region my-region