S3 pre signed url with block public access on a bucket


Customer is trying to block public access on a bucket but provide indirect access via pre signed url

Is pre signed url supported on a bucket with block public access, as they recall url pre-signing can only be done with an IAM user. Is that still the case or can they use a role that is attached to the node? In the past, the temp credentials given to an instance role is short lived and therefore unsuitable for something to share externally?

Can they have a custom domain on the pre signed url, if this is not supported then any workaround with Cloudfront, API GW, Lambda?

asked 3 years ago1036 views
1 Answer
Accepted Answer

Yes, presigned URL are working with public block access Buckets.

  • The easiest way to implement this is to create a frontend with an API gateway that call a lambda, calling S3API to generate a signed URL. this is valid both for upload and download.

  • if you don't want to use an API gateway you can have a front end web server,

This is an article that explain the entire process: generate presigned URL using API gateway and lambda if you need to download the file is something along these lines:

async function getDownloadUrl (file) {
  const { key, versionId } = file
  const params = {
    Bucket: my-test-bucket,,
    Key: 'myDoc/myfile.pdf', //the directory in S3
    VersionId: versionId, //we use S3 versioning
    Expires: 60

  try {
    const url = await new Promise((resolve, reject) => {
      s3.getSignedUrl('getObject', params, function (err, url) {
        if (err) {

    return url
  } catch (err) {
    logger.error('s3 getObject,  get signedUrl failed')
    throw err
profile picture
answered 3 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions