How to invite a teammate to your S3 bucket
AWS IAM is powerful for service-to-service auth and fine-grained policy — but it's heavy for human collaboration on a single bucket. The simpler pattern: connect the bucket once with one least-privilege key, then invite teammates by email and assign per-bucket roles. S3 Viewer wraps that workflow — Owner, Admin, Editor, or Viewer per bucket, revocable in one click without rotating any AWS keys.
Step-by-step.
- 01 Create a workspace
  One per team or project. Workspaces hold connected buckets and members; everything is scoped inside.
- 02 Connect the bucket once
  Paste an access key and secret. Use a least-privilege IAM user scoped to the buckets you want exposed — typically with s3:ListBucket, s3:GetObject, s3:PutObject, and s3:DeleteObject. Your whole team uses this one credential through their own logins.
- 03 Invite by email
  Type your teammate's email and pick a role per bucket: Viewer (read + download), Editor (read + upload + rename + delete), Admin (everything plus inviting other members), or Owner (full control). The same person can be Editor on one bucket and Viewer on another.
- 04 Send
  They get a link, sign in (email OTP or GitHub), and see only the buckets you assigned. They never touch AWS, IAM, or the CLI.
- 05 Off-boarding: one-click revoke
  Pull a member's workspace access. Their session ends on the next request and you don't need to rotate any AWS keys — they never had any.
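For the key pasted in step 02, the sketch below builds an IAM policy limited to the four listed actions on named buckets and lints an existing policy for anything broader. It is an added example, not S3 Viewer's own code; the bucket name and the `build_policy` and `lint_policy` helpers are assumptions made for illustration.

```python
import json

# The four actions the page lists for the connected key.
BUCKET_ACTIONS = ["s3:ListBucket"]  # evaluated against the bucket ARN
OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]  # object ARNs
ALLOWED = set(BUCKET_ACTIONS + OBJECT_ACTIONS)

def build_policy(buckets):
    """Return an IAM policy document scoped to the named buckets only."""
    if not buckets:
        raise ValueError("name at least one bucket")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListConnectedBuckets", "Effect": "Allow",
             "Action": BUCKET_ACTIONS,
             "Resource": [f"arn:aws:s3:::{b}" for b in buckets]},
            {"Sid": "ReadWriteObjects", "Effect": "Allow",
             "Action": OBJECT_ACTIONS,
             "Resource": [f"arn:aws:s3:::{b}/*" for b in buckets]},
        ],
    }

def _as_list(value):
    # IAM accepts a single value or a list for Statement, Action and Resource.
    return list(value) if isinstance(value, (list, tuple)) else [value]

def lint_policy(policy, buckets):
    """List every place an Allow statement exceeds the intended scope."""
    in_scope = {f"arn:aws:s3:::{b}" for b in buckets}
    in_scope |= {f"arn:aws:s3:::{b}/*" for b in buckets}
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        if "NotAction" in st or "NotResource" in st:
            findings.append(f"{sid}: NotAction/NotResource grants everything not named")
        for action in _as_list(st.get("Action", [])):
            if action not in ALLOWED:
                findings.append(f"{sid}: action {action} is outside the four listed")
        for res in _as_list(st.get("Resource", [])):
            if res not in in_scope:
                findings.append(f"{sid}: resource {res} is outside the connected buckets")
    return findings

# Constructed sample of the over-broad policy this check is meant to catch.
OVERBROAD = {"Version": "2012-10-17",
             "Statement": {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}}

if __name__ == "__main__":
    print(json.dumps(build_policy(["example-team-bucket"]), indent=2))
    print(lint_policy(OVERBROAD, ["example-team-bucket"]))
```

s3:ListBucket is granted on the bucket ARN while the object actions are granted on `bucket/*`; putting all four on a single resource pattern is a common reason a scoped key fails to list or read.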
What's actually happening.
AWS IAM is built for service-to-service authorization and fine-grained programmatic policy. For a small team that just needs to browse and share files in a bucket, per-person IAM is heavier than it needs to be: a JSON policy per role, a key per person, rotation cycles, and off-boarding to remember. S3 Viewer takes a different approach for that human-collaboration case: the bucket is connected once with a workspace-level credential, and teammates authenticate to the workspace instead of AWS. Their access is enforced server-side — the workspace signs S3 requests on their behalf only for buckets and roles they've been granted. When you revoke them, no keys need rotating because they never held any. The same model works for Cloudflare R2 and any other S3-compatible provider.
Common questions.
Can multiple users access the same S3 bucket without each having an IAM user?
Why use a workspace instead of per-person IAM?
How do I remove a teammate from a bucket?
Can a teammate have different access on different buckets?
How does this work with IAM Identity Center?
Does this work with Cloudflare R2 buckets too?
Skip the CLI. Try it in the browser.
S3 Viewer turns the steps above into a single click. Open source, self-hostable, free for personal use.