Skip to content

S3 Presigned URLs in Ceph RGW

S3 presigned URLs are temporary, signed links that allow access to a specific S3 object without sharing the user's S3 access keys.

They are useful when you want to give someone time-limited access to download or upload an object. The link contains a signature and an expiry time, so it stops working after the configured duration.

Ceph RGW supports S3 presigned URLs by default because they are part of the S3 API. They can be generated with standard S3-compatible tools such as the AWS CLI and s3cmd.

How to create a presigned URL

To create a temporary URL for an object called blargh.test in the bucket mldam0, valid for 1 hour, use:

aws --region us-east-1 \
  --endpoint-url https://s3.mlcloud.uni-tuebingen.de \
  --profile mfa624-ceph \
  s3 presign s3://mldam0/blargh.test \
  --expires-in 3600

The value 3600 is the expiry time in seconds.

Notes

  • The object must already exist if you are creating a download URL.
  • The generated URL can be shared directly with another user.
  • Access is limited to the permissions of the S3 user/profile that generated the URL.
  • After the expiry time, the URL is no longer valid.
Last update: May 18, 2026
Created: May 18, 2026