S3 Viewer
Open Viewer

Share S3 files without sharing AWS.

Two ways to share an S3 file with someone who doesn't use AWS or Cloudflare: a presigned URL for one-off access, or a workspace invite for ongoing access. S3 Viewer makes both one click — and the workspace invite is revocable, scoped per bucket, and tied to a logged-in user instead of a bearer link.

  • Email invite — recipients sign in to a clean file viewer in any browser
  • Per-bucket roles: Viewer, Editor, Admin
  • Revoke any user instantly — no IAM keys to rotate
Open ViewerStar on GitHub
Why teams pick S3 Viewer

A clean browser view for clients, designers, and execs.

Email invites

Send a link; the recipient signs in (email OTP or GitHub) and sees only the buckets you shared. No AWS account, no IAM user, no Cloudflare login, no setup.

Server-side request signing

S3 Viewer signs every S3 call on the recipient's behalf using your encrypted credentials. Your access keys never reach the browser; revoking the user stops their requests immediately.

Read-only by default

Viewers can browse and download but cannot upload, rename, or delete. Drop-in safe for clients, executives, lawyers, and external reviewers.

Presigned URLs for one-offs

Need a single file with no signup? Right-click → Share link generates a time-limited URL signed server-side. Works in any browser; treat as a bearer token.

Encrypted credentials

Your AWS keys are encrypted at rest with RSA-4096 (PKCS1_OAEP, SHA-256), decrypted only in memory to sign requests. Recipients never see them.

Revoke in one click

Pull access without rotating IAM keys. Their session ends, your other teammates keep working, your applications keep running.

How it works

Three steps to your bucket.

No agents to install, no infrastructure to manage. Paste credentials and you're browsing.

  1. 01

    Connect the bucket once

    Add your AWS S3 or Cloudflare R2 credentials to a workspace. The bucket appears in your sidebar; the credentials stay encrypted on the server with RSA-4096.

  2. 02

    Invite by email

    Type the recipient's email, pick the bucket, choose a role: Viewer (read + download), Editor (read + upload + delete), or Admin. They get a sign-in link.

  3. 03

    They open it in any browser

    They sign in to S3 Viewer (email OTP or GitHub) and see exactly the bucket you shared — no AWS account, no IAM user, no Cloudflare account, nothing to install.

FAQ

Common questions.

Direct answers we wish we'd had when picking a viewer.

How do I share an S3 file with someone who doesn't have an AWS account?

Two ways. Quickest: right-click → Share link in S3 Viewer to generate a presigned URL — works in any browser, expires when you say. Best for ongoing access: invite them to a workspace by email. They sign in to S3 Viewer in a browser, see only the bucket you shared, and never touch AWS, IAM, or the CLI.

Is a workspace invite better than a presigned URL?

It depends on the use case. A presigned URL is the right tool for a one-off share — short-lived, no signup needed, works in any browser. A workspace invite is the right tool for ongoing access: revocable in one click, tied to a specific signed-in user, and scoped per bucket. Presigned URLs are bearer tokens, so they can't be revoked once shared; workspace invites can.

Can I let someone view files but not delete or upload?

Yes. The Viewer role can browse and download but cannot upload, rename, or delete. Editors can upload and delete; Admins can manage members. Owners have full control. Each role is assigned per bucket — same person can be a Viewer on one and an Editor on another.

Can the recipient see other buckets in my workspace?

No. Members only see the buckets they've been invited to. If you have ten buckets connected and invite someone to one, the other nine are invisible to them.

What happens when I revoke access?

Their session ends on the next request and the workspace stops signing S3 calls for them. Unlike rotating an IAM key, nothing else breaks — your other teammates and your applications keep working.

How long can a presigned URL last?

AWS allows presigned URLs up to 7 days when signed with IAM user credentials, or up to the session length when signed with temporary credentials (typically 1 hour for STS). Shorter is safer. S3 Viewer issues 15-minute URLs for downloads to keep the blast radius small.

Can I do this with Cloudflare R2?

Yes. Connect an R2 bucket and invite users to it. They never need a Cloudflare account — the workspace authenticates them. R2 supports the same presigned URL pattern as AWS S3, so one-off shares work identically.
Related guides

Step-by-step how-tos.

Share an S3 file

Presigned URL or workspace invite — when each is the right call, and why presigned links can't be revoked.

Invite a teammate

Skip per-person IAM users for human collaboration. Email invite, per-bucket role, one-click revoke.

Granular permissions

The IAM s3:prefix Condition that everyone misses, plus when workspace roles are simpler than IAM.

Keep exploring

Other use cases

Multi-cloud

AWS S3, Cloudflare R2, MinIO, B2, and Wasabi — same sidebar, same search, cross-cloud copy when you need it.

Team workspaces

Per-bucket roles, no per-person IAM, and one-click off-boarding without rotating any keys.

Better S3 browser

One-click rename, Tab-autocomplete bucket-wide search, and Cmd-K — focused on the daily browsing layer.