I’m been working with AWS for 8+ years now and this is the first time I’ve come across the need to use pre-sign URL’s for sharing files. The first thing I did was hit up a colleague and he sent me a CLI command for it. I thought, sweet, this should be easy. But before I jump to the CLI, I thought why can’t I go into the console and click a button for a PreSigned URL.

As it turns out the feature is only available using the CLI or API. I think I might have to request the feature request.

Next, I searched for documentation and when I mean I searched, I Googled it. I think the first page didn’t contain a “how to” but I did come across the AWS Documentation.


The last one is what I wanted, “Using AWS CLI”.

Ok, so the documentation seemed straight forward.

Let me document the process but I’ll also follow up with a video.

  1. Open up a terminal
  2. Type: aws configure (to make sure you have access/secret key configured, if not, don’t worry we will go through the process)
  3. Type: aws s3 presign s3://<insert bucket>/<insert file name> –expires-in 604800

How much time is 604800? one week. If you want something shorter…. use a calculator or google it.

Hint: Remove spaces from the file name to make it easier

The output you received will look something like this:

Awesome. Now share this out with everyone and you’re all set. But wait, is that MY Access Key in the URL. ah, personally I’m not comfortable giving out a URL with my Access Key tied to it. Now what?

Easy, create an IAM user with Read-Only programmatic access to S3.

Those steps are:

  1. Open the AWS Console
  2. Click IAM
  3. Add User, Add a Name
  4. Click Programmatic Acces
  5. Click Next: Permissions
  6. Click Attach existing policies directly
  7. Search for S3
  8. Select AmazonS3ReadOnlyAccess
  9. Click Next for Tags
  10. Enter some tagging info
  11. Click Next: Review
  12. Click Create User
  13. Download the CSV file

Now that you have a new user, I like to configure my CLI with multiple profiles which helps me call specific accounts without having to reconfigure my terminal.

How to configure the CLI with multiple profiles


  1. Open a terminal
  2. Type: aws configure –profile <insert profile name>
  3. Enter Access Key
  4. Enter Secret Key
  5. Enter a region
  6. Enter output (I typically pick json but it’s your choice)
  7. Done

Now we can repeat the steps above using a presigned URL with a read-only user’s access key but using the profile argument.

Example: aws s3 presign s3://<insert bucket>/<insert file name> –expires-in 604800 –profile s3user

Copy the output and send the output.

It took me about 10 minutes to figure it out and ultimately I found my next post.

Check out my video and let me know what you think.


Leave a Comment