Create a presigned S3 download URL
📑 On this page
Part 53 of AWS from Zero. This lesson keeps the scope to one S3 behavior you can verify from the terminal.
What we are learning
A presigned URL delegates the signing identity's permission for one object and a limited time. The recipient does not need AWS credentials.
Before you run it
aws sts get-caller-identity
REGION="ap-south-1"
BUCKET="replace-with-your-private-demo-bucket"Use a private general purpose bucket that you own. Replace every placeholder before running a write or delete command.
The command
aws s3 presign \
"s3://$BUCKET/private/report.pdf" \
--expires-in 900 \
--region "$REGION"A successful configuration command may return no output. Treat inspection as a separate required step.
Inspect the result
URL=$(aws s3 presign \
"s3://$BUCKET/private/report.pdf" \
--expires-in 900 \
--region "$REGION")
curl --fail --head "$URL"A successful HTTP response proves the URL is usable without making the object public.
One tiny variation
aws s3 presign \
"s3://$BUCKET/private/report.pdf" \
--expires-in 60 \
--region "$REGION"Use the shortest practical expiry for the workflow.
Common mistake
Anyone holding the URL can use it until it expires or the underlying credentials or permission become invalid. Do not print presigned URLs into public logs.
Cleanup
unset URLThere is no presigned URL resource to delete. Remove the object separately if it was created only for the demo.
Next, we will learn Choose a safe presigned URL expiry.