Presigned URLs allow temporary access to private S3 objects without changing bucket policies. They can be generated via the S3 Console, AWS CLI, or SDKs.
Expiration:
- Console: 1–720 minutes (12 hours max).
- CLI: --expires-in (seconds), default 3600 (1 hour), max 604800 (~7 days).
Permissions:
- Inherit permissions of the IAM identity that generated them.
- Valid for specific operations (e.g., GET for download, PUT for upload).
Use cases:
- Temporarily grant download access to premium content.
- Let users upload to a specific bucket location without permanent permissions.
How it works:
- Owner generates URL for a private object.
- URL is shared with intended recipient.
- Recipient can access the object until expiration, without additional authentication.