How to share an S3 file with a non-technical user

TL;DR

Two patterns. Generate a presigned URL — a time-limited bearer link that works in any browser without an AWS account. Or invite the recipient to an S3 Viewer workspace by email — tied to a logged-in user, scoped per bucket, revocable in one click. Use presigned URLs for one-off shares; use workspace invites for ongoing access.

Steps

Step-by-step.

01
Decide: one-time or ongoing access?
One-time: a presigned URL is the right tool — short-lived, no signup, works in any browser. Ongoing: a workspace invite is safer — tied to a logged-in user, revocable in one click, scoped per bucket.
02
One-time: presigned URL via the AWS CLI
The link works in any browser and expires after the duration you set (max 7 days with IAM user keys). It's a bearer token — anyone who gets the link can use it until it expires, and it can't be revoked once shared.
```
aws s3 presign s3://my-bucket/contract.pdf --expires-in 3600
```
03
One-time: presigned URL in S3 Viewer
Right-click the file and choose Share link. S3 Viewer signs the URL server-side using your stored credentials and copies it to your clipboard. Same primitive as the CLI — in a UI you can hand to a junior teammate.
04
Ongoing: invite them to your workspace
Click Invite on the bucket. Type the recipient's email, choose Viewer (read + download only), Editor (read + write), or Admin. They sign in to S3 Viewer with email OTP or GitHub and see only the bucket you shared.
05
Pick a role per bucket
Roles are assigned per bucket — same person can be Viewer on one and Editor on another. Simpler to operate than authoring per-person IAM users with hand-rolled JSON policies.
06
Revoke when done
One click. Their session ends and the workspace stops signing S3 calls for them — no IAM key rotation needed because no IAM user was ever minted for them.

Under the hood

What's actually happening.

A presigned URL is a signed query-string version of an S3 GET request. Anyone with the link can fetch the file until it expires (max 7 days with IAM user keys). It's a bearer token — leaking the URL leaks the file, and it can't be revoked once it's out.

A workspace invite ties access to a logged-in user, which means you can revoke at any time, limit them to specific buckets, and avoid minting IAM users. S3 Viewer signs every request server-side using the workspace's stored credentials (encrypted at rest with RSA-4096); the recipient never sees an access key. Off-boarding is a one-click revoke — no AWS keys to rotate because no IAM user was ever created.

FAQ

Common questions.

How do I send an S3 file to a client who doesn't use AWS?

Quickest: generate a presigned URL with `aws s3 presign s3://bucket/key --expires-in 3600` (or right-click → Share link in S3 Viewer). The link works in any browser and expires when you say. For repeat access, invite them to an S3 Viewer workspace by email — they sign in once and see only the bucket you shared, with no AWS account, IAM user, or CLI required.

Are presigned URLs safe to share?

Safe enough for short-lived sharing — they expire and don't expose your credentials. Less ideal for ongoing access: anyone who gets the link can use it until it expires, it can't be revoked once shared, and there's no record of who actually downloaded the file. For ongoing access, S3 Viewer's workspace invites are the right primitive — revocable, tied to a user, no permanent IAM artifacts.

How long can a presigned URL last?

AWS allows presigned URLs to last up to 7 days when signed with IAM user credentials, or up to the session length when signed with temporary credentials (typically 1 hour for STS). Shorter is safer. S3 Viewer issues 15-minute URLs for downloads to keep the blast radius small.

Can I revoke a presigned URL after sharing it?

Not directly. The options are to wait for it to expire, rotate the signing key (which invalidates every other URL signed with that key), or delete the underlying object. This is why workspace invites exist — they're tied to a session, not a token, so revoking takes one click and breaks nothing else.

Can the recipient upload back to me?

Yes — presigned URLs can be issued for PUT as well, but they're clunky for repeat use. In S3 Viewer, give them the Editor role on the bucket and they can upload through the file browser.

Does this work with Cloudflare R2 too?

Yes. R2 supports the same S3 presigned URL pattern, and S3 Viewer's workspace invites work identically against R2 buckets — useful when you want to share an R2 bucket with someone who doesn't have a Cloudflare account.

Use S3 Viewer for this

Skip the CLI. Try it in the browser.

S3 Viewer turns the steps above into a single click. Open source, self-hostable, free for personal use.

Open Viewer Star on GitHub

Use case

Why teams pick this

Sharing without AWS

Email-invite clients and execs to a clean browser view of one bucket — revocable in one click, no IAM.

Related guides

More how-tos

All

Invite a teammate

Skip per-person IAM users for human collaboration. Email invite, per-bucket role, one-click revoke.

Granular permissions

The IAM s3:prefix Condition that everyone misses, plus when workspace roles are simpler than IAM.

Download a file

Browser, AWS CLI, or presigned URL — three ways, with auto-inferred filenames and zero key exposure.