← All posts
2 min read

Create a presigned S3 download URL

#aws#cli#s3#storage#security
📑 On this page

Part 53 of AWS from Zero. This lesson keeps the scope to one S3 behavior you can verify from the terminal.

What we are learning

A presigned URL delegates the signing identity's permission for one object and a limited time. The recipient does not need AWS credentials.

Before you run it

aws sts get-caller-identity
REGION="ap-south-1"
BUCKET="replace-with-your-private-demo-bucket"

Use a private general purpose bucket that you own. Replace every placeholder before running a write or delete command.

The command

aws s3 presign \
  "s3://$BUCKET/private/report.pdf" \
  --expires-in 900 \
  --region "$REGION"

A successful configuration command may return no output. Treat inspection as a separate required step.

Inspect the result

URL=$(aws s3 presign \
  "s3://$BUCKET/private/report.pdf" \
  --expires-in 900 \
  --region "$REGION")
curl --fail --head "$URL"

A successful HTTP response proves the URL is usable without making the object public.

One tiny variation

aws s3 presign \
  "s3://$BUCKET/private/report.pdf" \
  --expires-in 60 \
  --region "$REGION"

Use the shortest practical expiry for the workflow.

Common mistake

Anyone holding the URL can use it until it expires or the underlying credentials or permission become invalid. Do not print presigned URLs into public logs.

Cleanup

unset URL

There is no presigned URL resource to delete. Remove the object separately if it was created only for the demo.

Next, we will learn Choose a safe presigned URL expiry.

Official AWS CLI reference