Skip to content

Presigned URLs

Presigned URLs are URLs that contain time-limited authentication information. By generating a presigned URL and sharing it with other users, those users can access the object without needing separate credentials. This mechanism allows you to make an object available to many users for a limited time simply by sharing the URL, without making the object publicly accessible.

Usage

A presigned URL can be generated with the following command.

aws [options] s3 presign <s3 object path> [--expires-in <expiration time (seconds)>]

Specify the target object in <s3 object path>, and set the publication period in seconds in [--expires-in <expiration time (seconds)>]. If the [--expires-in] option is omitted, the default value of 3600 seconds (1 hour) is used.

The expiration time of a presigned URL varies depending on the version of the signing model. When using Signature Version 4 (SigV4) as the signing model, the expiration time can be set to a maximum of 7 days. When using Signature Version 2 (SigV2) as the signing model, there is no limit on the expiration time. For this reason, the use of presigned URLs generated with SigV2 is not recommended.

For instructions on how to specify the SigV4 signing model on the interactive and compute nodes, please refer to How to Use the SigV4 Signing Model.

Use cases

In this example, a presigned URL is generated for the object 'file01.txt' located in the bucket 'bucket-test'.

[username01@login1 ~]$ aws --endpoint-url https://s3.v3.abci.ai s3 cp s3://bucket-test/file01.txt -
This is file01.txt!

To generate a presigned URL for this object with an expiration time of 300 seconds, run the following command.

[username01@login1 ~]$ aws --endpoint-url https://s3.v3.abci.ai s3 presign s3://bucket-test/file01.txt --expires-in 300
https://s3.v3.abci.ai/bucket-test/file01.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA0831D7894EXAMPLE%2F20260424%2Fap-northeast-1%2Fs3%2Faws4_request&X-Amz-Date=20260424T095758Z&X-Amz-Expires=300&X-Amz-SignedHeaders=host&X-Amz-Signature=6ea03f5ab4d56c170fe34f02742737c659edda1138057a3ff8b529aafeb2bd85

By accessing the presigned URL output as shown below, other users will also be able to access the object.

[username02@login1 ~]$ curl "https://s3.v3.abci.ai/bucket-test/file01.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA0831D7894EXAMPLE%2F20260424%2Fap-northeast-1%2Fs3%2Faws4_request&X-Amz-Date=20260424T095758Z&X-Amz-Expires=300&X-Amz-SignedHeaders=host&X-Amz-Signature=6ea03f5ab4d56c170fe34f02742737c659edda1138057a3ff8b529aafeb2bd85"
This is file01.txt!

A presigned URL that has expired cannot be accessed, as shown below.

[username02@login1 ~]$ curl "https://s3.v3.abci.ai/bucket-test/file01.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA0831D7894EXAMPLE%2F20260424%2Fap-northeast-1%2Fs3%2Faws4_request&X-Amz-Date=20260424T095758Z&X-Amz-Expires=300&X-Amz-SignedHeaders=host&X-Amz-Signature=6ea03f5ab4d56c170fe34f02742737c659edda1138057a3ff8b529aafeb2bd85"
<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><Message>Request has expired</Message><X-Amz-Expires>300</X-Amz-Expires><Expires>20260424T100258Z</Expires><ServerTime>20260424T101020Z</ServerTime><RequestId>02FC36C3BEF80B19</RequestId><HostId>00000000000000000</HostId></Error>

A presigned URL cannot be disabled directly until it expires. If you wish to stop access via the presigned URL after sharing it, please refer to Operations and disable the URL by deleting or renaming the target object.

How to Use the SigV4 Signing Model

This section shows how to specify the SigV4 signing model. By applying the following configuration, you can set SigV4 as the signing model for the default profile.

[username@login1 ~]$ aws configure set default.s3.signature_version s3v4

By applying this configuration, the following settings will be added to ~/.aws/config.

[default]
region = ap-northeast-1
...
s3 =
    signature_version = s3v4

To apply the settings to a specific profile, your_profile_name, run the following command.

[username@login1 ~]$ aws configure set profile.your_profile_name.s3.signature_version s3v4

When using the SigV4 signing model, the expiration time of presigned URLs can be set as high as 7 days.

[username@login1 ~]$ aws --endpoint-url https://s3.v3.abci.ai s3 presign s3://bucket-test/file01.txt --expires-in 864000
https://s3.v3.abci.ai/bucket-test/file01.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA0831D7894EXAMPLE%2F20260422%2Fap-northeast-1%2Fs3%2Faws4_request&X-Amz-Date=20260422T014521Z&X-Amz-Expires=864000&X-Amz-SignedHeaders=host&X-Amz-Signature=b0eab4fca0a373105e353fc9aac819a52277e2f7e8220e368464d4527c45c36a
[username@login1 ~]$ curl "https://s3.v3.abci.ai/bucket-test/file01.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA0831D7894EXAMPLE%2F20260422%2Fap-northeast-1%2Fs3%2Faws4_request&X-Amz-Date=20260422T014521Z&X-Amz-Expires=864000&X-Amz-SignedHeaders=host&X-Amz-Signature=b0eab4fca0a373105e353fc9aac819a52277e2f7e8220e368464d4527c45c36a"
<?xml version="1.0" encoding="UTF-8"?><Error><Code>AuthorizationQueryParametersError</Code><Message>X-Amz-Expires must be less than a week (in seconds); that is, the given X-Amz-Expires must be less than 604800 seconds</Message><RequestId>71E66D9EB2DD1C9E</RequestId><HostId>00000000000000000</HostId></Error>