Team access without per-person IAM users.

AWS IAM is built for service-to-service auth and fine-grained policy control — powerful, but heavy for human collaboration on a single bucket. S3 Viewer is a team workspace for AWS S3 and Cloudflare R2 that sits on top: connect a bucket once with one least-privilege key, invite teammates by email, assign per-bucket roles, and revoke without rotating anything.

  • Email invites instead of IAM users — no permanent artifacts to rotate
  • Four per-bucket roles: Owner, Admin, Editor, Viewer
  • Off-boarding is one click — sessions end on next request

Why teams pick S3 Viewer

A workspace built for human collaboration on object storage.

One credential per bucket

Connect a bucket once with a least-privilege IAM key. The whole team uses it through their own logins — no shared root keys, no per-person IAM users, no policy JSON to maintain.

Four roles, per bucket

Owner, Admin, Editor, Viewer — clear and minimal. Same person, different roles on different buckets. The whole permission model fits in your head.

Invite by email

Type an address, pick a role, send. They sign in with email OTP or GitHub and the bucket appears in their sidebar.

Server-side enforcement

The workspace signs every S3 request on a member's behalf using your encrypted credentials. Their browser never sees an access key, and policy checks happen before requests reach AWS.

Clean off-boarding

Click revoke. Session ends on next request. No IAM key rotation, no policy edits, no broken applications.

Self-host on your VPC

MIT-licensed open source. Run the same workspace UI inside your own infrastructure — full data residency, full control, no third party in the request path.

How it works

Three steps to your bucket.

No agents to install, no infrastructure to manage. Paste credentials and you're browsing.

  1. Create a workspace

    One per team or project. Workspaces hold connected buckets and members; everything is scoped inside.

  2. Connect the bucket once

    Paste a single set of access keys — ideally a least-privilege IAM user scoped to the buckets you want exposed. Your whole team uses it through their own logins.

  3. Invite by email, assign a role per bucket

    Pick from four roles: Owner, Admin, Editor, Viewer. Roles are per bucket — a teammate can be an Editor on one and a Viewer on another. Off-boarding is one click and zero key rotation.
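
An added example (not S3 Viewer's own code) for the "connect the bucket once" step: every member's request is signed with this one key, so its IAM policy is the upper bound on what any role can do, and it is worth checking before the key is pasted. The action list, the bucket name and both sample policies are assumptions constructed for illustration; the page does not state which IAM actions the workspace requires.

```python
# Assumption: S3 actions covering the roles' read, download, upload, rename
# (copy + delete) and delete. The page does not list required IAM actions.
NEEDED_ACTIONS = {"s3:listbucket", "s3:getobject", "s3:putobject", "s3:deleteobject"}

# Constructed sample policies: an over-broad key and a bucket-scoped one.
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
]}
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": "arn:aws:s3:::example-team-assets"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::example-team-assets/*"},
]}

def as_list(value):
    """IAM allows a single string where a list is expected; normalise to a list."""
    return value if isinstance(value, list) else [value]

def bucket_of(arn):
    """Return the bucket name from an S3 ARN, or None for '*' and non-S3 ARNs."""
    prefix = "arn:aws:s3:::"
    if not arn.startswith(prefix):
        return None
    return arn[len(prefix):].split("/", 1)[0]

def audit_policy(policy, allowed_buckets):
    """List reasons the policy is broader than the buckets meant to be exposed."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource allows by exclusion")
        for action in as_list(stmt.get("Action", [])):
            # IAM action names are case-insensitive; any wildcard is flagged.
            if "*" in action or action.lower() not in NEEDED_ACTIONS:
                findings.append(f"statement {i}: action {action} not needed")
        for arn in as_list(stmt.get("Resource", [])):
            bucket = bucket_of(arn)
            if bucket is None or "*" in bucket or bucket not in allowed_buckets:
                findings.append(f"statement {i}: resource {arn} outside allowed buckets")
    return findings

if __name__ == "__main__":
    for name, policy in (("BROAD", BROAD), ("SCOPED", SCOPED)):
        print(name, audit_policy(policy, {"example-team-assets"}) or "ok")
```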

FAQ

Common questions.

Direct answers we wish we'd had when picking a viewer.

How do I give my team access to an S3 bucket without creating IAM users for each of them?

Connect the bucket to an S3 Viewer workspace once with a single least-privilege IAM key, then invite teammates by email. They authenticate against the workspace, not AWS, so you never need per-person IAM users and you don't have to rotate access keys when someone leaves.

What roles are available?

Four: Viewer (read + download), Editor (read + upload + rename + delete), Admin (everything plus invite and remove members), and Owner (full control including bucket connections and billing). Roles are assigned per bucket — a teammate can be an Editor on one bucket and a Viewer on another in the same workspace.

Can I limit a teammate to one bucket out of many?

Yes. Members only see the buckets you've granted them access to. Connect ten buckets to a workspace, give an engineer access to one, and the other nine are invisible to them — not just hidden, but not even listed.

What happens when someone leaves the team?

Revoke their workspace access in one click. Their session ends on the next request, they can't sign back in, and you don't have to rotate any AWS or R2 access keys — because they never had any.

How does this compare to IAM Identity Center or per-user IAM?

AWS IAM and Identity Center excel at federated identity into the AWS console — the right choice for many enterprise scenarios. S3 Viewer is built specifically for human collaboration on object storage: a simpler permission model (four roles, per bucket), a clean file browser for non-technical teammates, and one workspace UI that works the same on Cloudflare R2, MinIO, or any S3-compatible provider.

Does this work with Cloudflare R2 buckets too?

Yes. Connect an R2 bucket the same way you'd connect an AWS bucket and invite teammates to it. They never need a Cloudflare account — the workspace handles authentication.

Can teams be self-hosted?

Yes. S3 Viewer is MIT-licensed and the workspace UI runs the same way on your own infrastructure. Self-host inside your VPC for full data residency control.